In a previous blog, we showed the potential risk of Caller ID Spoofing. The Caller ID (Calling Line Identification is the official term) is for many people a proof of someone’s identity. When they receive a call from a number they recognize, they tend to trust the calling party.
Free Trial: Auto-Login for Desk Phones
But what is then the next step? What can a hacker do with this trust? It is just a telephone call, isn’t it? Well, being trusted allows him to leverage his social engineering skills. He can manipulate the called party at the other side of the line. He can ask for information he normally wouldn’t receive. And he can make the called party do things they normally wouldn’t do.
Let’s look at the example given in the CNN item below. Here it is shown how a hacker is calling from a known company Caller ID to the company’s helpdesk. They recognize his call as an internal company call and are therefore less cautious. On the contrary, they are very willing to help him. After all, customer satisfaction is the most important metric for many helpdesks. Using his social engineering skills, he manipulates the helpdesk agent to click on a link with malware which – just an example – gives the hacker immediate access to the company’s IT network.
The helpdesk agent wouldn’t have done this if some stranger was calling from an outside line. But this was an internal call from a colleague, so why not trust him? One telephone call with a fake CallerID is all the social engineer needs to get access.
A second example is perhaps even more frightening, at least from a consumer point-of-view. Find out how a caller can take over someone’s cell phone account by a combination of her excellent social skills and her crying baby in the background.
Not always. Specifically, in inter-company or intra-company scenarios, Caller ID spoofing often won’t do the job. Internal calls have specific call characteristics (quality, echo, delay etc.) which differ from external calls. And in fraud-sensitive environments like banks, insurance companies or public services, advanced techniques (so-called audio fingerprinting or phone fingerprinting) are available to verify whether a call indeed originates from the network and location which the Caller ID suggests.
So, in these situations, it may be critical for the hacker that the call really can be made from an internal business telephone, not from some Caller ID spoofer.
In such cases, the flex-office is the best friend of any hacker. In general, these offices are not the most challenging objects to enter without permission. Once you are in, you can pick a desk, grab the phone and start making internal phone calls. To the help desk for changing a password. To the finance department for some budget details. Or to the HR department to ask for some staff information.
But how can a hacker have direct access to a company telephone? This requires that all VoIP telephones have open access and are not protected via usernames and PIN codes. A situation we often see in business environments for the simple reason that using usernames and PIN codes for desktop phones is far from easy. So, people don’t use it at all, use standard credentials or stay logged in forever. Very user-friendly for the end-user. But also very user-friendly for any hacker who has access to a desktop phone.
Therefore, more and more our software assists companies in their attempts to minimize the risks of hackers accessing their VoIP networks. Our Active Login Manager only provides access to IP Telephones in case a user also logged into the computer network via his computer or laptop. Since that access is highly secure, the telephone access is secure as well. And every secured telephone is one telephone less that can be abused for social engineering tricks.