By PETER GRIFFIN
Auckland technology companies Performance Solutions and GDC Communications are hurrying to alert customers of a loophole that has allowed a hacker to break into the phone systems of a dozen New Zealand companies.
An Auckland "white hacker", who spoke to the Herald on condition of anonymity, has been able to exploit a simple menu command in a popular brand of a locally developed voicemail system that then allows him to take control of mailboxes and make calls through them at the companies' expense.
Guessing passwords, the hacker was also able to divert calls and access users' voicemail, a privacy nightmare for companies wary of giving away information to competitors.
In a short time the hacker was able to uncover around 12 organisations whose phone systems were insecure. He demonstrated his methods to the Herald.
Some of those with open phone messaging systems include technology companies, publishers and a number of schools.
Hacking has come to be associated with computers and the internet, but thousands of companies have central phone systems and the hacker claims security is gravely overlooked.
Performance Solutions' director Kevin Plumpton defended his company's software and said such hacking was possible only with "inside knowledge" of the phone system.
"It's not accidental. Nearly every system on the market has the same potential," he said. "It's the equivalent of sitting on the internet and hacking virtual private networks."
The vulnerability affects organisations that have "blank" mailboxes sitting unused in their phone system and phone mailboxes that have easily cracked passwords.
By punching a series of keys while trying to access an unused mailbox, the caller is then able to set up a new mailbox and assign his own password.
The hacker claims he stumbled on the loophole by mistake and randomly called companies, seeking out the voice of the same automatic attendant - a giveaway that Performance Solutions' system is in use.
Performance Solutions claims on its website to have 1000 systems installed across Australasia, serving "over 100,000 end-users".
With that many customers, other organisations may be vulnerable, too. GDC and Performance Solutions are advising their customers to clean up unused mailboxes and choose better passwords.
The companies claim the hacker has exploited a narrow window of opportunity between a mailbox being set up and then being configured for a new employee.
"In big companies people are coming and going every week," the hacker argues.
One IT company was contacted about the vulnerability several months ago but is yet to close it off.
The head of another technology company was using "1234" as the password on his voicemail box, said the hacker.
GDC, a major reseller of NEC and Alcatel phone systems and Performance Solutions' software, also downplayed the seriousness of the exploit.
"It's purely about tightening administrative processes and reminding customers about their responsibilities," said Paul Ryan, the head of GDC's phone system division.
Other phone systems also have remote access features.
"But it's not as simple on other systems as it is with this," said the hacker, who claims to have simple knowledge of phone systems and has never worked in the industry.
"Ninety per cent of extensions have simple passwords," he said.
Plumpton said the vulnerability was the result of poor security policies among his customers.
Ross Williams, general manager of services at competitor Agile, a distributor of Avaya telephone equipment, agreed the exploit was not necessarily a glitch in the messaging system but the result of poor security around the "remote access features of a phone system which allow mailboxes to be accessed away" from the building.
The hacker said he had no interest in running up large bills or accessing private information. His interest was in working out the flaws in technology.
A call to arms
* Unconfigured mailboxes should be removed from the phone system.
* Phone users should choose complicated passwords and change them regularly.
* Companies should invest in regular audits of their phone system usage.
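An audit of the kind the list above calls for, as an added example that is not from the article or either vendor: it scans a constructed mailbox export (an assumed CSV layout, not a real system's format) for unconfigured mailboxes, trivial PINs such as 1234, and mailboxes nobody has used for months.

```python
import csv
import io
from datetime import date

# Constructed sample export of a voicemail mailbox table (not real data).
SAMPLE_EXPORT = """extension,status,pin,last_login
201,configured,4829,2024-05-01
202,unconfigured,,
203,configured,1234,2024-04-28
204,configured,0000,2024-01-10
205,configured,2468,2024-05-02
206,unconfigured,,
207,configured,7531,2023-06-15
"""


def is_weak_pin(pin: str) -> bool:
    """Flag PINs that are blank, shorter than four digits, a single repeated
    digit (0000), or a run of consecutive digits in either direction (1234, 4321)."""
    if not pin or len(pin) < 4:
        return True
    if len(set(pin)) == 1:
        return True
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    return steps in ({1}, {-1})


def audit_mailboxes(export_text: str, today: date, stale_days: int = 180) -> dict:
    """Return extensions grouped by finding: never configured, weak PIN, or idle
    for longer than stale_days (a candidate for removal rather than reuse)."""
    findings = {"unconfigured": [], "weak_pin": [], "stale": []}
    for row in csv.DictReader(io.StringIO(export_text)):
        ext = row["extension"]
        if row["status"] != "configured":
            findings["unconfigured"].append(ext)  # blank box: the loophole in the article
            continue
        if is_weak_pin(row["pin"]):
            findings["weak_pin"].append(ext)
        if row["last_login"]:
            idle = (today - date.fromisoformat(row["last_login"])).days
            if idle > stale_days:
                findings["stale"].append(ext)
    return findings


def run_sample_audit() -> dict:
    # Fixed audit date so the result on the constructed data is reproducible.
    return audit_mailboxes(SAMPLE_EXPORT, date(2024, 5, 15))


if __name__ == "__main__":
    for kind, exts in run_sample_audit().items():
        print(f"{kind}: {', '.join(exts) or 'none'}")
```

Run it against a real export by replacing SAMPLE_EXPORT with the system's mailbox listing; the column names are an assumption and will need mapping.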
Hacker breaks into firms' phones