Advisory Notice 27 -- Information Security Resource Center

DEPARTMENT OF ENERGY
INFORMATION SECURITY RESOURCE CENTER
PACIFIC NORTHWEST NATIONAL LABORATORY

ADVISORY NOTICE No. 27

August 20,1998

VOICE-MAIL ACCOUNTS - HOW SECURE ARE YOURS?

SUMMARY

Voice-mail accounts, like computers, are vulnerable to hacking and compromise. In fact, intelligence sources indicate that voice-mail systems are becoming a prime target of telephone hackers around the world. While user awareness of vulnerabilities, and the importance of protecting computer systems and electronic mail, is increasing (e.g., through the use of awareness tools and effective password administration), the vulnerability awareness and protection of voice-mail systems continues to be overlooked.

Vulnerabilities inherent to voice-mail systems, such as inadequate voice-mail system administration or poor voice-mail account password selection, can allow hackers and competitors to penetrate voice-mail systems. The damage associated with the compromise of voice-mail messages can be significant in terms of compromise to sensitive information, personal or financial information, or even the detriment to the organization's reputation.

Voice-mail systems are only as secure as the people who administer them, and voice-mail accounts are only as secure as those who use them. With the proliferation of voice-mail services throughout the DOE Complex, this advisory addresses the need to educate DOE and DOE-contractor personnel on the potential weaknesses of voice-mail.

BACKGROUND

Today's voice-mail consists of a computer and a series of large hard drives used to administer and store all voice recordings. Voice-mail systems are sophisticated electronic answering machines, designed to be user friendly, and can be added to almost every telephone system. The basic premise of voice-mail is to allow a caller to leave a message for an unanswered telephone.

The typical voice-mail compromise involves guessing a users account password or using default passwords associated with the voice-mail system. Once access is gained to a voice-mail account, a hacker may listen to, copy, delete, or change messages, and potentially use the voice-mail system as an entry point into the telephone system, and from there, attack a network.

In May 1998, the voice-mail system of Chiquita Brands International was hacked. Allegedly, 2,000 voice-mail messages of company executives were listened to and provided the hacker with sensitive corporate information revealing proprietary business practices. A subsequent series of newspaper articles revealed damaging information obtained from the voice-mail messages.

Voice-mail systems can be specifically identified by the unique automated messages given by the system to a caller when a connection is made. Once a hacker knows the specific voice-mail system, finding detailed information or published vulnerabilities of that system is easy. User guides for most voice-mail systems can be found quickly on the Internet. Universities, large corporations, and even hotel chains post explicit directions for the use of their voice-mail systems on the Internet for access by travelers and off-site personnel. Underground Internet news groups provide detailed instructions on how to take advantage of system vulnerabilities.

The threat is not only the compromise of voice-mail messages, but unauthorized access to the telephone system. Often a hacker may use the system for toll fraud to make unauthorized long distance calls by dialing into a telephone system through a voice mail account or even direct remote access. Hackers can then sell this information, setting up illegal long distance networks.

In July 1998, the FBI arrested a San Diego man for allegedly creating unauthorized voice-mail boxes on a Paging Network Inc. system, costing that company more than $1 million over a nine month period. The company did not become aware of the incidents until irregularities in calling patterns were identified by an automated call audit software package.

Administrators of large voice-mail systems are responsible for many daily changes, additions, or deletions to voice-mail accounts. At some sites, the coordination between out-processing personnel from a site and voice-mail administrators is weak or even non-existent, leaving voice-mail accounts active long after a person has terminated from a site. Some sites have no restrictions on password length or quality and never require a password change.

As identified above, vulnerabilities inherent to voice-mail systems allow hackers and competitors to penetrate these systems. A multitude of resources are available to the hacker to exploit vulnerabilities associated with voice-mail. The damage associated with the resultant compromise can be significant. Prudence dictates a review of existing policy and enhanced awareness.

RECOMMENDED ACTION

Unfortunately, voice-mail is often overlooked as an information asset requiring special protection. Policies protecting voice-mail systems and voice-mail accounts should be readdressed, and where appropriate, be enhanced and enforced.

Some suggestions to prevent the exploitation of a voice-mail system include a review for proper configuration, evaluation of password policies, including password change frequency and password quality, and the dissemination of awareness information regarding the vulnerabilities associated with voice-mail.

Return to Advisory Table of Contents

Security and Privacy Notice
To contact send email to ISRC
Last Updated October 2001