With the merging of voice, data and video, with technologies such as Voice over IP (VoIP), verifying voice communication is related to network security. When voice communications take place within a network infrastructure, issues of confidentiality, integrity, and authentication are critical.
Private Branch Exchange (PBX) or Plain Old Telephone Service (POTS) voice communications have inherent vulnerability to interception, eavesdropping, and tapping. Physical security is required to retain security over voice communications within the physical areas of the organization. External security of voice communications is primarily a responsibility of the telephone company.
PBX systems can be violated by attackers, known as “phreakers”, to evade toll charges and conceal their identity. Phreakers can potentially gain access to personal voicemail and reroute or delete messages, as well as redirect inbound and outbound calls. Security measures to block phreaking include logical or technical controls, administrative controls, and physical controls:
- Replace remote access or long-distance calling through the PBX with a credit card or calling card system.
- Restrict dial-in and dial-out features to only authorized users. Use unpublished phone numbers that are outside of the prefix block range of your voice numbers for your dial-in modems.
- Block or disable any unassigned access codes or accounts.
- Define an acceptable use policy.
- Log and audit all activities on the PBX and review the audit trails regularly.
- Disable maintenance modems and accounts.
- Change all default configurations, especially passwords and capabilities related to administrative or privileged features.
- Block remote calling.
- Deploy Direct Inward System Access (DISA) technologies to reduce PBX fraud by external parties.
Tools used by phreakers are known as colored boxes which include:
- Black boxes, which are used to manipulate line voltages to steal long-distance services. They are usually custom-built circuit boards with a battery and wire clips.
- Red boxes, which are used to simulate tons of coins being deposited into a pay phone. They are usually small tape recorders.
- Blue boxes, which are used to simulate 2600 Hz tones to interact directly with telephone network trunk systems. This could be a whistle, a tape recorder, or a digital tone generator.
- White boxes, which are used to control the phone system. A white box is a DTMF or dual-tone multifrequency generator. It can be a custom-built device or one of the pieces of equipment that most telephone repair personnel use.
