Jim Murphy, President of Phone Power has a nicely written article on TMCNet titled Toll Fraud Challenges and Prevention in a VoIP Environment
He discusses the fact that there are always new targets to attack and that many PBXs use default or easy to crack passwords (1234).
But to me the most worrying thing he mentions is how much this can cost a company:
The risks of toll fraud within a VoIP network are severe. Some hackers are able to hijack systems and push through charges that can total $2,000 an hour or more.Now we have seen companies hit in a few days with $25,000 - $50,000 in fraud, or even 1 case for $400,000 over 2 days, so this number of $2,000 per hour sounds quite plausible to me.
This is why I moved to Greenfield Technologies and am specializing in doing Security Audits for Asterisk based VoIP PBXs.
After performing auditing on more than 35 PBXs
We have found that the most common Policy issues are:
—
Many had identical default SIP passwords for all phones that were never changed
Many had identical default voice-mail passwords for all extensions that were never changed
Incomplete, non-existent, unenforced Password policies:
Many had identical default SIP passwords for all phones that were never changed
Many had identical default voice-mail passwords for all extensions that were never changed
Server / PBX Passwords
Multiple PBXs using the same password
Root access and web client interface using the same password (if any)
No update policy
Server OS
PBX software
Phone firmware
No mailbox polices
Who get voice-mail
When to close them
No policy to monitor phone usage / activity
