
I Hear You Knockin' (But You Can't Come In)

When "I Hear You Knocking" was written in 1955, talk of a password for your phone system would have gotten you sent to the looney bin. Or branded a Commie. As you'll see in a future post, business phones back then consisted of an instrument, maybe some buttons to pick more than one line, and an operator (or secretary) who took messages for you. Today, any business phone system has voicemail. Most of them let you access your messages remotely by dialing in and entering your extension and a password.

Since the mid-1990s more and more business phone systems have been designed as computer based rather than monolithic (like your old Merlin or TIE system). This trend to Computer Telephony has resulted in smart phone systems like TeleVantage, Asterisk, SwitchVox, Fonality, AllWorx, Zultys, PBXact, and ShoreTel and, more recently, similar products from the Legacy Players, that can make routing decisions for your calls based on user-defined criteria. The power that comes with this can, like any power, be used for good or for evil (see "Captain Call Control" Issue 1, "Revenge of the Voicemail Zombies"). Some nefarious individuals know this and, when they're not writing malware or convincing you to buy "this luxurious used Yugo, owned by one old lady", they are looking for ways to get in.

It Happened To Dr. Telecom
My business phone system is Vertical TeleVantage. I started noticing a lot of calls from the same area code 209 phone number that would just hang up. At first I thought it was telemarketers. Then I looked at the log. Yes, one of the nice things about a CTI (aka Computer Telephony Integration or Smart-PBX) system is that it keeps a log of all calls and you can manipulate it in Excel. I found that these calls, and those from 3 other numbers, were dialing the code to log in to my account.

It's fairly easy for a hacker to identify a TeleVantage or other CTI phone system because of the out-of-box default method of logging in from a phone. For example, if you were blind, you could probably tell you were eating at PickUp Stix as opposed to another restaurant because if you asked for "Stix House Salad" you'd get food. At any other restaurant, you'd get nothing.

Some hackers have computers that spend their lives, 24/7, dialing through numbers in sequence, just like the people who dial around probing for fax machines so they can add you to their junk fax lists. Bastards! Once the hacking computer reaches a voice (your auto-attendant), it dials the TeleVantage-typical tone sequence. If it gets the expected response, it knows it's "at Pickup Stix" and goes to Stage 2: looking for valid extensions (and wonton soup). ZERO, i.e. the Operator, is a good place to start. Once it finds one, it goes to Stage 3 and tries passwords. Once it stumbles upon one that works (probably because it was the factory default, or the extension, or 1111), it's logged in, so it tells that extension to forward all calls to the hacker's friend's house in Timbuktu. The hacker hangs up and calls back, dials the extension he's already forwarded, gets connected to his friend, and talks for hours on your dime. Each of those three stages leaves the same fingerprint in your call log: a burst of short calls from one number, each one hanging up seconds after the attendant answers.
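The probing pattern Dr. Telecom found in his log, and the three-stage war dialer just described, can be pulled out of a call-log export automatically instead of by eyeballing it in Excel. The script below is an added example; it is not code from the original post and not a TeleVantage feature. The CSV columns, the "#" remote-login key, the extension#PIN layout of the dialed digits, and the log lines themselves are all constructed assumptions; a real PBX export has its own layout and login sequence, so adapt parse_log() and LOGIN_CODE to yours.

```python
import csv
from collections import defaultdict
from io import StringIO

# ASSUMPTION: the key the auto-attendant expects for a remote login.
# Substitute the sequence your own system uses.
LOGIN_CODE = "#"

# Constructed sample of a call-log export (not a real TeleVantage log).
# digits_dialed = keys pressed after the auto-attendant answered;
# assumed layout for a login attempt: <LOGIN_CODE><extension>#<PIN>.
SAMPLE_LOG = """\
timestamp,caller_id,digits_dialed,duration_s
2011-03-02 01:12:05,2095550123,#,4
2011-03-02 01:12:41,2095550123,#0,6
2011-03-02 01:13:20,2095550123,#0#0000,7
2011-03-02 01:13:58,2095550123,#0#1111,8
2011-03-02 01:14:33,2095550123,#0#0000,5
2011-03-02 09:05:10,6195550100,101,240
2011-03-02 09:30:44,8585550177,0,95
2011-03-02 12:40:19,6195550100,#101#480217,180
2011-03-02 13:17:02,2095550123,#0#1234,9
2011-03-02 13:22:51,4155550199,#,3
"""


def parse_log(text):
    """Read the CSV export into dicts, converting the duration to int."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["duration_s"] = int(row["duration_s"])
        rows.append(row)
    return rows


def parse_login_attempt(digits, login_code=LOGIN_CODE):
    """Return (extension, pin) if the digits look like a login attempt,
    else None.  Parts the caller never got to are empty strings."""
    if not digits.startswith(login_code):
        return None
    extension, _, pin = digits[len(login_code):].partition("#")
    return extension, pin


def find_probers(rows, max_duration=15, min_attempts=3):
    """Group short login-style calls by caller ID and return the callers
    with at least min_attempts of them: the Stage 1-3 war dialer."""
    per_caller = defaultdict(
        lambda: {"attempts": 0, "extensions": set(), "pins": set()}
    )
    for row in rows:
        attempt = parse_login_attempt(row["digits_dialed"])
        # A real user logs in once and stays on to hear messages; a probe
        # hangs up within seconds, so the duration cap separates them.
        if attempt is None or row["duration_s"] > max_duration:
            continue
        extension, pin = attempt
        stats = per_caller[row["caller_id"]]
        stats["attempts"] += 1
        if extension:
            stats["extensions"].add(extension)
        if pin:
            stats["pins"].add(pin)
    return {c: s for c, s in per_caller.items() if s["attempts"] >= min_attempts}


if __name__ == "__main__":
    for caller, stats in find_probers(parse_log(SAMPLE_LOG)).items():
        print(f"{caller}: {stats['attempts']} login probes, "
              f"extensions {sorted(stats['extensions'])}, "
              f"PINs tried {sorted(stats['pins'])}")
```

In the constructed log the 209 number racks up six short login-style calls, walks from the attendant to extension 0 and then cycles PINs (Stages 1, 2 and 3 in order), while the one legitimate remote login stays on the line for three minutes and never shows up in the report. Feed your own export through parse_log() in place of SAMPLE_LOG and treat any flagged caller as someone to block at the carrier and to check against your call-forwarding settings.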

Passwords and VoiceMail
It's simple. If you just have voicemail and you leave your password as the factory default, or change it to your extension or 1111, a nasty person can find your account and listen to, even delete, your voicemail. If you value your privacy, and maybe even company secrets, use a decent password. You could be held responsible by your employer if a mailbox in your charge was accessed and important information was leaked.

Smart Phone Systems
As I've shown, if your system is compromised, a hacker can use it to make long distance calls and you'll get billed for them. If you aren't paying attention, this can go on for a long time. Example: if someone leaves the company, had a weak password, and nobody disabled their account on the phone system, a hacker who finds that account could do this for weeks, until you peruse your next phone bill and hit the floor in a coma. YOU DO REVIEW YOUR LONG DISTANCE BILLS, DON'T YOU?

This happened to a customer of mine. We contacted the San Diego CATCH Team, who were so overloaded that they said they couldn't handle the case unless the damage was over $5,000. We even had the Caller ID. The customer worked out something with the long distance carrier but still had to pay a lot of money.

Some Smart PBXs have a security check option. The system will look through all passwords and report on which are not strong. And, like most servers, the admin can set a minimum password length so that users can't get lazy and use "11" as their password.
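If your system has no built-in security check, the same audit is easy to script against a user export, and it can cover the other gap from the section above: accounts whose owners have left. The code below is an added example, not TeleVantage's check or any vendor's tool. The list of factory-default PINs, the six-digit minimum, and the mailbox records are all constructed assumptions; the weak-PIN rules themselves (default, equal to the extension, too short, one repeated digit such as 1111, a sequential run) are the ones the post calls out.

```python
# ASSUMPTIONS: factory-default PINs vary by vendor (add yours), and the
# six-digit minimum is a policy choice, not a TeleVantage rule.
DEFAULT_PINS = {"0000", "1111", "1234"}
MIN_LENGTH = 6

# Constructed user export: (extension, voicemail PIN, still employed?).
MAILBOXES = [
    ("0",   "0000",   True),   # operator left on the default
    ("101", "101",    True),   # PIN equals extension
    ("102", "123456", True),   # long enough, but sequential
    ("103", "11",     True),   # the lazy "11" from the post
    ("104", "739104", False),  # owner left the company, never disabled
    ("105", "480217", True),   # fine
]


def is_sequential(pin):
    """True for ascending or descending runs such as 1234 or 654321."""
    if len(pin) < 3 or not pin.isdigit():
        return False
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})


def pin_problems(extension, pin, active=True):
    """Return the reasons this mailbox fails the audit ([] if it passes)."""
    problems = []
    if not active:
        problems.append("owner has left; disable the account")
    if pin in DEFAULT_PINS:
        problems.append("factory default")
    if pin in (extension, extension[::-1]):
        problems.append("equals the extension")
    if len(pin) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} digits")
    if len(set(pin)) == 1:
        problems.append("repeated single digit")
    if is_sequential(pin):
        problems.append("sequential digits")
    return problems


def audit(mailboxes):
    """Map each failing extension to its list of problems."""
    findings = {}
    for extension, pin, active in mailboxes:
        problems = pin_problems(extension, pin, active)
        if problems:
            findings[extension] = problems
    return findings


if __name__ == "__main__":
    for extension, problems in audit(MAILBOXES).items():
        print(f"ext {extension}: " + "; ".join(problems))
```

Run it against a fresh export every time someone leaves and every time a new mailbox is created; the operator's mailbox (extension 0) is the one the war dialer tries first, so it is the one to fix first.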

If you don't know how to change your password from the default, ask your system administrator, check the product manual, or call the manufacturer's tech support.
