Cti Communications Ltd
Call us now for IT support and free advice
01242621621    01242621666  

sales@cticom.ms   support@cticom.ms

Stopping Phone System Hacking

In the past, most telephone hackers have been based abroad. They registered a device on your phone system and, overnight or over the weekend, made thousands of calls, many simultaneously, to premium rate international numbers. Come Monday morning your call provider alerts you to this and presents you with a bill for thousands of pounds.

Looking at the pattern of calls it is easy to see you have been hacked, and if they really wanted to, the big boys in the UK telecoms industry could stop this overnight by saying, "It’s clearly a hack, we aren’t going to bill you and we aren’t paying our bill for those calls." But they don’t. I suspect this is because they all make some money out of these calls, and they don’t want to stop the income.

Recently we have found that hackers are now exploiting premium UK numbers as well.

What can your call provider do?

Our providers use a few tricks to help keep you safe. One puts a cap on your bill and warns you / blocks any more calls when that amount is reached. They also let you set a maximum cost for the first minute of the call, as this protects you from high connection charges as well as per second charges. The other looks for repetitive international calls, and then blocks the line for a given time.

What can be done to secure your phone system?

Get us to Call Bar International numbers starting 00 – we can then allow specific countries / numbers that you need to call

Get us to Call Bar expensive UK numbers i.e. 070, 087, 09

If your system supports dial 9 for an outside line, then Call Bar 9070, 9087, 909

Hacks predominantly happen out of hours, so we can load some call cost data and put a limit of, say, £10 worth of calls. The SpliceCom SV1000 will then Call Bar the lines when that amount is exceeded out of hours, say between 7pm and 7am.

Sometimes they just make long expensive calls, with the cost not being calculated until the end of the call, when the damage has been done. Another feature of Vision is that if a call is more than, say, 2 hours it can drop the call. If it was an expensive one, at this point the £10 block will stop it being dialled again.
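
The call barring, out-of-hours limit and 2-hour drop described above can be modelled over call records. This is an added example, not SpliceCom or Vision code; the function names, the 0033 exception, the call rates and the sample records are constructed for illustration.

```python
from datetime import datetime, timedelta

BARRED = ("00", "070", "087", "09")   # prefixes named in the list above
ALLOWED = ("0033",)                   # constructed exception: one permitted country
OOH_START, OOH_END = 19, 7            # out of hours runs 7pm to 7am
OOH_LIMIT = 10.00                     # pounds of out-of-hours spend before barring
MAX_CALL = timedelta(hours=2)         # longer calls are dropped

def normalise(dialled):
    # Strip the leading 9 used for an outside line, so 9070 matches 070.
    return dialled[1:] if dialled.startswith("90") else dialled

def is_barred(dialled):
    n = normalise(dialled)
    return not n.startswith(ALLOWED) and n.startswith(BARRED)

def out_of_hours(ts):
    return ts.hour >= OOH_START or ts.hour < OOH_END

def apply_policy(calls):
    """calls: (start, dialled, duration, pounds_per_minute), in time order.
    Cost is only known when a call ends, so the limit is checked at dial time."""
    spent, results = 0.0, []          # assumption: one out-of-hours window, no reset
    for start, dialled, duration, rate in calls:
        ooh = out_of_hours(start)
        if is_barred(dialled):
            results.append((dialled, "barred", 0.0))
        elif ooh and spent >= OOH_LIMIT:
            results.append((dialled, "blocked: limit reached", 0.0))
        else:
            verdict = "allowed"
            if duration > MAX_CALL:
                duration, verdict = MAX_CALL, "dropped at 2h"
            cost = round(duration.total_seconds() / 60 * rate, 2)
            spent += cost if ooh else 0.0
            results.append((dialled, verdict, cost))
    return results

# Constructed call records: Saturday night, then Monday morning.
SAMPLE = [
    (datetime(2024, 8, 17, 20, 0), "01632960001", timedelta(minutes=5), 0.02),
    (datetime(2024, 8, 17, 20, 10), "00999000000", timedelta(minutes=10), 2.00),
    (datetime(2024, 8, 17, 20, 15), "909098790001", timedelta(minutes=10), 3.00),
    (datetime(2024, 8, 17, 21, 0), "0033100000000", timedelta(hours=3), 1.50),
    (datetime(2024, 8, 17, 23, 30), "0033100000000", timedelta(hours=1), 1.50),
    (datetime(2024, 8, 19, 10, 0), "01632960001", timedelta(minutes=3), 0.02),
]

if __name__ == "__main__":
    print(*apply_policy(SAMPLE), sep="\n")
```

In the sample, the 3-hour call to the allowed country is cut at 2 hours and still costs £180 before the £10 limit stops the redial, so the limit bounds repeat calls rather than the cost of a single call.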

Securing the SpliceCom SV1000

SpliceCom have designed in some security features:

When Yealink phones are auto-provisioned by your SpliceCom SV1000 it issues them with a certificate that is unique to that system, then the phone can register using secure SIP on port 5061 and the system knows it's a trusted device. Without the certificate SIP phones can't register.

If you have a fixed IP address then the SpliceCom SV1000 will only let the phone connect if, as well as the user name and password, the IP address is correct.

The SpliceCom Navigate Pro or PCS60 softphone on your PC or Mac uses the non-standard port 5000 as well as SpliceCom specific code so only SpliceCom devices will work. Being a non-standard port, phone system hackers aren't looking for port 5000 and SIP hack tools can't connect to the system via this port.

Each computer that wants to connect as a softphone has to have its MAC address accepted by the system before it can make calls, again stopping a computer from forcing its way in using the SpliceCom specific port.

The iPCS app on your smartphone also uses the non-standard port 5000. Limiting your remote staff to just Navigate Pro or iPCS means only one port is open to remote attacks.

Block more with your firewall

Normally the phone system ports are locked to just the exchange and support team, but once you have people working remotely they need access. If they don’t have a fixed public IP address then those ports should be restricted to just UK IP addresses and the countries needed for those working away while on holiday / international staff. There is however a catch: some ISPs are running out of IP addresses, so they have bought in blocks of IP addresses from other countries, and your staff could be blocked. Be careful.

In a Draytek, set the following up as individual Object Settings -> Service Type Objects:

Name                          Port             Protocol
Config Upload                 80               TCP
HTTPS                         443              TCP
STUN                          3478             TCP/UDP
Secure LDAP                   4100             TCP/UDP
Secure Centralised Partner    4018             TCP/UDP
SSL / TLS Gateway             5000             TCP/UDP
SIP and Secure SIP            5060 to 5061     TCP/UDP
RTP                           6900 to 10899    TCP/UDP

Add all the individual Service Type Objects into a single "SpliceCom Ports" Service Type Group, then set the following Firewall filters:

Block all IP addresses

Next Rule

Allow just UK and friendly countries


All prices exclude VAT, and were correct on 21/08/2024 11:23:59, but should only be used as a guide.