Phreaking is a term not often used these days. It was introduced to describe the technique of simulating telephone tones to fool a phone system into giving you free calls. Phreaking started in the 1960’s with the likes of Cap’n Crunch (John Draper) a man who discovered that the whistle from a packet of Captain Crunch cereal could generate a perfect 2600 Hertz signal — coincidentally the same signal used by the phone network in the US at the time.
Phreaking quickly took off and tools such as ‘Blue Boxes’ were invented to generate a variety of tones which were used to fool phone systems into doing all sort of things. Free calls (in a time when they were expensive) were always the main goal. You might be interested to know that in the mid-80s Telstra’s big grey phones were actually quite easy to phreak.
The term ‘Phreaking’ has long since passed into history. Today it mostly describes a variant of normal hacking — with a bent towards VoIP (Voice over Internet Protocol). Most VoIP systems are actually based on operating systems such as Linux, so standard hacking techniques are generally used to break into these systems.
Why?
Hacking used to be about a challenge. Sure, they’d cause a bit of a mess, but it was mostly done in the name of a challenge - once upon a time.
Like anything where there is money to be made, criminals move in. The Internet is a place where fraud is conducted across international boundaries, so virtually no repercussions are possible against those involved.
Why is VoIP Hacking Different?
VoIP is an application that runs over the Internet, just like email. The issue is that VoIP — is voice related and phones calls still cost money.
VoIP is one of the few applications where it is actually very easy to make lots of money if you have some technical ability and the inclination.
How?
VoIP is quite unlike your traditional POTS (Plain Old Telephone Service) line you have at home. That line is hardwired, and is very difficult for anyone else to use.
In a VoIP arrangement, your handset is (literally) a computer connecting to the Internet. It communicates with a VoIP server and uses a username and password. Once authenticated it can make calls over the Internet. However, if those calls exit the VoIP Server upstream to access the destination of the call — then that VoIP Server is going to be billed for the call.
So How Do They Make Money?
There are several scenarios involved in serious (high yield) VoIP hacking.
If, for example, you have an individual’s VoIP account details, you can make some calls for free, but this doesn’t make you money. It saves you money (but you’re still a thief). In the case of organised crime seeking higher returns, accounts are used to make many, many calls.
Below is a selection of real-world case studies. These are actual VoIP hacking cases which I have been involved with during the past year.
The VoIP Provider
This particular company (based in Melbourne) was a provider of VoIP and Calling-Card services targeting a few key ethic demographics who tend to make lots of calls back to their homeland and families. Business was great, but then their primary VoIP servers were hacked.
The big problem was that this company, being itself a customer of large Telcos for ‘VoIP minutes’, retained multi-hundred thousand-dollar credit limits with some of the large carriers.
Hackers penetrated the company’s systems, and ‘details’ were on-sold by criminals to unethical VoIP providers in Europe, Asia and the Middle East. In this case it seems that one unethical VoIP provider, using IP Addresses in Egypt, routed many calls via the company’s VoIP server running up bills (to the company’s carrier) of over $100,000. The carrier has to settle with the destinations no matter what, so the company was liable. They went out of business within 6 months.
The way the criminals actually made their money was from the end consumer, who paid to use ‘their network’, but was instead channelled through a ‘free path’ at no cost to the criminal. Those placing phone calls were unlikely to have any idea that their calls went through this system to their destination. You don’t know who Telstra uses to get to a destination, do you?
The Corporate
This medium-sized business wanted a VoIP solution set up so that its offices could make ‘free’ calls between locations, with some executives also having an extension at their home. All was good. As a managed service it worked effectively for over a year until the business decided it didn’t need the expense of a third-party managing its system. They decided they could do it themselves.
A year after we had ceased to manage their VoIP systems, they were hacked. This business had been adding its own extensions and setting its own passwords — without maintaining any security updates. Some cyber criminals (or an automated tool) guessed a simple extension/password combination that had been configured one of the users.
For a couple of weeks calls were routed through this business’ phone network, quickly accumulating over $25,000 worth of calls, which they inevitably had to settle with their VoIP carrier. The criminals in this situation probably used the same conversion method as the previous example — routing calls though the free path but still charging their own customers.
The Small VoIP Provider
This morning, minutes before writing this article, I completed an audit of a small VoIP provider that had been hacked. it was using Open Source VoIP solutions — one known to have security issues. This VoIP provider actually had pretty reasonable security on its server but neglected just one aspect — and was hacked.
But this was no ordinary hack. Hackers uploaded a 10-minute audio file to the VoIP server that contained bad quality grunge-rock music. They then had the server automatically dial satellite phones for 10 minutes, playing them the song — that’s all.
Of the VoIP calling zones, satellite is one of the most expensive (around $10 per minute). Seventy calls generated a bill of more than $7000 in less than two hours. Detection systems then kicked into life at their supplier, cutting them off before they went any further.
But, how does the hacker make money? My assumptions are that either the satellite provider, satellite phone provider, or one of their reseller is getting a big cut from phones ‘receiving calls’.
Nevertheless, the small VoIP provider has to pay for these calls, as does their supplier, their supplier’s supplier, and so on. The bill still has to be paid.
The examples here are just a couple of common methods, there are many others known and new ones coming along regularly. VoIP hacking is undoubtedly an innovative industry!
What Can I Do If I am Hacked?
Honestly, very little. Unless you have your own private army and wish to invade countries like Russia or Egypt, then you are out of luck. Your VoIP provider will require you to pay your bill. They, in turn, will receive no relief from their suppliers, nor will those suppliers receive any relief from anyone else.
You can negotiate towards paying the wholesale rate that your supplier receives, but its unlikely to be much of a discount, VoIP is all about volume (known as minutes) not high margins.
Your nine-cent local call might cost the supplier 8.5 cents. Money is made by having thousands of calls from many customers, all for just half a cent per call. It leaves very little they can do for you.
Do I Have to Worry? Am I Vulnerable?
The main problem is that the users of VoIP systems do not generally understand the technology they are using. Users see a phone on their desk, or occasionally a ‘soft phone’ on their computer. As a user, you know what to do, but you are unlikely to really know how the whole solution works.
The question of how vulnerable you are is something this author cannot answer. This article is intended to raise awareness of the risks. While VoIP servers are an amazing technology, they’re also exposed to hackers from around the world. How vulnerable your VoIP system is depends on many factors (I could fill a book). Have a conversation with your IT staff and your VoIP providers about the examples described here. Demand accountability.
Final Advice
Ask a lot questions from those who install your servers and solutions — and the VoIP providers that you use. They should have anomaly detection systems in place to notice if your spend goes up dramatically in a short period of time. They should also block expensive destinations unless you ask for them to be unblocked (like Satellite phones).
In the end, VoIP hacking is like most other forms of hacking — if you don’t pay attention to your security, you really will get what you deserve. The Internet is still the Wild West, and only those who protect themselves properly will be safe.
It is estimated that the worldwide cost of telecommunications fraud over the last year is in the billions of dollars. VoIP fraud is bringing that number up significantly, and it’s still growing. Interestingly, it’s probably the cleanest form of money laundering possible — the telcos are a key part of it.
Remember, VoIP hacking isn’t like having your web page defaced, or having a server hacked that you need to rebuild. This hack will bleed real money straight from your organisation — it could quickly get phreaking expensive.
For a demonstration of how easily VoIP systems can be hacked, please check out a demonstration of a couple of VoIP hacking tools. 1. Sipautohack and 2. SIPVicious.
Skeeve Stevens is the CEO of eintellego, a network integration specialist who has built many Service Provider and corporate networks. He specialises in providing advice on how to navigate the wild west of the Internet and is an international speaker on topics such as networking, social media, security and risk management.
Follow @CSO_Australia and sign up to the CSO Australia newsletter.