Hacking ShoreTel!
August 5th, 2013

I though  I had seen it all!

When you have been involved with the design, deployment and management of customer premise telephone systems for as long as we have, you think you have seen it all. Over the years as we learn from our mistakes we improve our “best practice” list to assure others gain from our experience. When I was barely a teenager, I learned how to assemble a string of MF tones using a Hammond organ keyboard.  Recording two keys at a time, you could create toll call routing instructions that could be played back after making a 1-800 toll call before the terminating end answered! That, along with the famous Captain Crunch 2600Hz cereal box whistle, kept me and my friends entertained for years, stacking toll tandem switches and meeting other hackers in far away phone booths!  Things have changed as in-band signaling has long ago been replaced with out of band signaling and whistles no longer work. Toll fraud however, continues to be a major source of unanticipated costs for business and the toll bandit syndrome is still alive and well in the Internet age. Just like a web sever which uses well know port 8080 to serve up web pages, SIP phone systems use a common port.  Scanning ports for open port 5060, then banging away for a user login and password to create a registration was child’s play and most companies now have this locked down. The fact that most Voice Mail systems used a common password was also a source of hacking entertainment, but now most manufacturers do not create mailboxes until someone needs one, eliminating a source of illegal phone calls though remote access.  Direct Inward System Access or DISA used to be a favorite tool for making fraudulent toll calls. Users would call into the system, put in a pin and then be granted access to make phone calls.  It did not take long to figure out how to abuse that feature!

Kevin Mitnick needs my help?

Like I said, just when you think you have seen it all, something new shows up. You have to laugh at how obvious and simple it was.  I was recently contacted by a guy who you would think has seen it all, Kevin Mitnick. If that name does not immediately “ring a bell,”  then maybe you might remember a couple of his books:  The Art of IntrusionThe Art of Deception and most recently Ghost in the Wires.  Kevin has not only seen it all, he has done it all!  Anyway, Kevin was researching a compromised ShoreTel system for a client and wanted to compare notes with DrVoIP.   Apparently someone had gained unauthorized access to the system and was making toll calls that were costing the target company a small fortune. If you have ever experienced toll fraud you know that your vulnerability is broadcast all of the Internet in just a matter of minutes.You will find yourself explaining to Homeland Security why you are making so many phone calls to Dubai! Kevin had a sheet of CDR records that showed the date and time of the calls. Unfortunately the calls seemed to be originating from the Automated Attendant so they could not be traced to a particular extension number within the system.  We brain stormed some possibilities.  I thought for sure this had to be an inside job!   Maybe someone was using the “find me follow me” feature, but that would only send the call to a single number. These calls were all over the map! Literally all over the globe! ShoreTel does not have a DISA feature and VM boxes do not exist unless they are assigned to a user. The password must be changed as a part of the setup process.  So how was this system hacked? Well, I could tell you but that would take all the fun out of hearing from you as to your thoughts on how this was done.  I will promise you that it takes one to know one and Kevin, genius that he is, figured this out, not I!   Even DrVoIP was taken in by this clever ruse!  Post your comments below with your thoughts on how this was accomplished and we will send you the puzzle answer Kevin uncovered.  My thinking is that all we can ever hope to do is to raise the bar, keeping out the less sophisticated mice.  There will always be someone smarter, someone more dedicated and focused, who will make it his mission to crack your safe!

Updated with Answer September 1, 2013

- Well a couple of people actually broke the code (excuse the pun)!    What Kevin learned was that one of the great flaws in VoIP is the complete lack of control when it comes to secure Caller ID!   Simply stated, there is no security or verification of Caller ID!   Using any number of readily available tools, it is possible to spoof your caller ID. You can make your phone display any number you want!   ShoreTel has a voice mail feature that enables you to listen to a voice message and then return the call by pushing a voice mail menu option key!   This is a very handy feature, especially if you are calling into your voice mail from you car, just hit the "return call" option and provided the system was able to capture the inbound Caller ID, the ShoreTel will place an outgoing call to that number and conference you in!    So lets put this simple ShoreTel hack together - the hackers gained control of a voice mail box, then called into the ShoreTel Voice Mail system with a spoofed Caller ID and the left a brief message.  Calling back into the system, this time to check their voice messages and then hit the "return call" option key, which then placed a call to an International Middle East location all billed to the the ShoreTel system owner and showing up only as a Call Detail Record owned by the Automated Attendant.    Great feature, but we would recommend that you don't allow the VM system to place International phone calls!    Thanks to all who took time to write and special thanks to Kevin Mitnick for a really fun Service Call!