Security for Private Branch Exchange Systems

Each bulletin presents an in-depth discussion of a single topic of significant interest to the information systems community. Bulletins are issued on an as-needed basis and are available from ITL Publications, To be placed on a mailing list to receive future bulletins, send your name, organization, and business address to this office. You will be placed on this mailing list only. Hacker attacks on computer networks are well known, but Private Branch Exchange (PBX) systems are also vulnerable. In one case, a hacker penetrated the Private Branch Exchange (PBX) system operated by a hospital in Escondido, California. For nearly two years, on various occasions, he blocked calls to and from the hospital, connected hospital operators to spurious numbers (including the county jail), and placed bogus emergency calls that appeared to be coming from inside the hospital. Unfortunately, the hospital's experience is not unique. Failure to secure a PBX system can result in exposing an organization to toll fraud, theft of proprietary , personal, and confidential information, loss of revenue, or legal entanglements. Depending on how the organization's network is configured and administered, information leading to intrusions of data networks may be compromised as well. A PBX is a sophisticated computer-based switch that can be thought of as essentially a small, in-house phone company for the organization that operates it. Protection of the PBX is thus a high priority. This bulletin introduces some of the vulner-abilities of PBX switches and describes some countermeasures that can be used to increase the security of your PBX. For a more detailed treatment of these issues, see NIST Special Publication (SP) 800-24, PBX Vulnerability Analysis (see http://csrc.nist.gov).