Beyond the Dial Tone
Understanding the World of PBX Phreaking
Aaron Kelly
Whoami?
A: 21
S: Male
L: North West
What is this talk?
I’ll spend most of the time talking about PBX systems, how they work, the attacks and what you can do after successfully taking control of one.
Then I’ll look at how the landscape has changed when it comes to phones in the office.
Why is this still important?
This is a past track, surely this isn’t an issue anymore?
In 2019, IP PBX Hacking was voted No. 5 biggest and No. 2 emerging fraud threat by CFCA
£31.7 million was lost to telecoms fraud in the UK last year (figure from the University of Portsmouth).
Over $3.5 Billion in 2019.
Still an issue, and it's fun.
Pre-Reqs
We need to understand what VoIP is.
We need to know a little bit of networking.
VoIP
Voice over Internet Protocol
Who remembers these?
In a land before MS Teams, offices would have physical phones, some still do.
It works by converting the analogue audio into digital and then sending it down the DSL/Fibre connection.
The RFC for VoIP is 6405 if you’re interested. (I think)
Networking
You haven’t explained PBX
Well, before we look at this, we need to address VoIP phones.
With that in mind, VoIP phones are quite dumb.
To prevent said slightly insane screaming, we use PBX or Private Branch Exchange.
How does PBX work?
They act as the medium through which multiple users share a single set of phone lines.
A PBX performs the same function as a telephone exchange operator, routing calls to the right people.
It can be IP based, which allows the phones to use the DSL/Internet connection instead of dedicated phone lines.
So how do we phreak them out?
Before IP PBX came along, playing a tone at specific frequencies would allow analogue PBX machines to be bypassed.
Now, more traditional methods of hacking are used to gain access to an IP PBX.
You phreaked a phone, now what?
Well many things:
- Make long distance, premium phone calls
- Listen in on conversations
- Free phone calls at pay phones (remember them?)
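The first item on that list, premium-rate and long-distance calls from a hijacked extension, is what toll-fraud monitoring on a PBX looks for. The following is an added example, not code from the talk: it parses a constructed call-detail-record (CDR) log in a hypothetical comma-separated format (timestamp, extension, dialled number, duration in seconds) and flags premium-rate calls and clusters of out-of-hours international calls. The UK prefixes and the 08:00 to 19:00 business window are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample CDR lines in a hypothetical format:
# timestamp,extension,dialled_number,duration_seconds
SAMPLE_CDR = """\
2024-03-11 09:14:02,201,01632960001,120
2024-03-11 14:30:45,202,01632960002,300
2024-03-12 02:05:10,201,0015550100,900
2024-03-12 02:25:33,201,0015550101,880
2024-03-12 02:50:12,201,0015550102,910
2024-03-12 03:10:00,201,09098790000,600
2024-03-12 11:00:00,203,0015550103,60
"""

# Assumption: UK numbering plan. 09 and 0871-0873 are premium/higher-rate
# ranges; 00 is the international dialling prefix.
PREMIUM_PREFIXES = ("09", "0871", "0872", "0873")
INTERNATIONAL_PREFIX = "00"
BUSINESS_HOURS = range(8, 19)  # 08:00-18:59, assumed office hours


def parse_cdr(text):
    """Turn raw CDR lines into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, ext, number, duration = line.split(",")
        records.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                        "ext": ext, "number": number, "duration": int(duration)})
    return records


def classify(number):
    """Bucket a dialled number by the tariff class an attacker would abuse."""
    if number.startswith(PREMIUM_PREFIXES):
        return "premium"
    if number.startswith(INTERNATIONAL_PREFIX):
        return "international"
    return "domestic"


def find_suspicious(records, max_after_hours_intl=2):
    """Return (extension, reason) alerts: any premium call, or an extension
    making at least max_after_hours_intl international calls out of hours."""
    alerts = []
    after_hours_intl = defaultdict(int)
    for r in records:
        kind = classify(r["number"])
        if kind == "premium":
            alerts.append((r["ext"], f"premium-rate call to {r['number']}"))
        elif kind == "international" and r["time"].hour not in BUSINESS_HOURS:
            after_hours_intl[r["ext"]] += 1
    for ext, n in after_hours_intl.items():
        if n >= max_after_hours_intl:
            alerts.append((ext, f"{n} international calls outside business hours"))
    return alerts


if __name__ == "__main__":
    for ext, reason in find_suspicious(parse_cdr(SAMPLE_CDR)):
        print(f"extension {ext}: {reason}")
```

Real PBXs export CDRs in their own formats, so only the parser needs swapping; the duration field is retained so a total-minutes threshold can be added alongside the count.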
Case Study - Captain Crunch
For those of the group that remember payphones and terrible American cereal.
Captain Crunch is another sugary cereal from the US that would often come with a small whistle in the box.
This whistle would emit a sound at around 2600MHz, tricking the phone into thinking it had been paid and then allowing you to make calls.
How to secure this
According to the NCSC:
- Strong passwords (&9sVauRMTW&@9AjeR86ef4CwQ*Zjd7, not Password1)
- Enforce MFA, possibly with hardware keys
- Examine existing policies
- Use separate networks for your VoIP system
BYOD
I did say I would talk about how this can be changed by BYOD policies.
If the phones are only being used like regular mobiles then that reduces the risk.
Centrally Managing Mobile Phones
Most MDMs now allow for the integration of iOS (Apple) and Android devices.
This provides more functionality than VoIP but still allows for managed phones.
Phreaking in the wild
There is a workshop going on about phone phreaking so, if you are interested go and have a play.
More of me
For more of me if I’m interesting enough to you:
GitHub: github.com/aaronkellyuk
LinkedIn: linkedin.com/in/aaronkellyuk
Website: aaronkelly.uk