The recording of conversations on Scotland Yard’s anti-terror hotline by hacktivist group Team Poison highlights the importance of security for telecommunications, say security experts.
The group claimed to have carried out the attack in response to the alleged detention of innocent people on terrorism charges, the recent ruling to deport a number of terror suspects to the US, and government plans to allow the authorities greater access to personal communications.
The group used readily available software to bombard the Scotland Yard phone line, but routed the activity through a computer server based in Malaysia in order to cover their tracks, according to the Telegraph.
The hackers then claim to have exploited a “weakness” in the Scotland Yard’s phone system to eavesdrop and record a conversation between officials discussing the incident. The recordings were later posted on the internet.
Two boys aged 16 and 17 were arrested last week as part of the investigation into the Team Poison attack. They are being held in the West Midlands by officers from the Police Central e-Crime Unit on suspicion of offences under the Malicious Communications Act and the Computer Misuse Act.
The Metropolitan Police said in a statement: “We are confident the MPS communication systems have not been breached and remain, as they always have been, secure.
"We are satisfied that any recording would have been made via the receiving handset only and not from an attack on internal systems."
However, Peter Cox, CEO of internet telephony security firm UM Labs said the Team Poison hack highlights the need for strong security across telecommunications.
"It is astounding to see that while no organisation would leave its data network vulnerable, that so many treat their telecommunications so differently," he said.
The issue is not confined to national security, he said, because hackers will find any poorly protected voice-over-internet-protocol (VoIP) system using vulnerability-seeking scanning tools.
These systems are then targeted with call fraud attacks, said Cox, in which criminals set up a premium rate number in a country with a poorly regulated telecoms service, and then force a compromised VoIP system to make multiple calls to that number, pocketing the profit.
Organisations can improve the security of their mobile and internal phone systems, he said, using in a VoIP application for mobile devices and a Session Initiation Protocol (SIP) security controller to encrypt calls, and using a SIP Trunk service for internal calls from an Internet Telephony Service Provider (ITSP) rather than an ISDN provider.