Security Strategies for UC: Historical Perspective

By Billy Chia
Share this:Share on Facebook0Tweet about this on TwitterShare on LinkedIn0Pin on Pinterest0

This week, we are featuring a series of posts on Unified Communications (UC) security. We will examine why security is important in the SMB (small and medium-sized business) space and offer some practical tips on the how to mitigate threats. Come back each day for a new post or subscribe so you don’t miss out on the discussion. In today’s post we’ll look at some of the history of security threats in telecommunications.

In the days of legacy phone systems, voice information was transmitted over the dedicated PSTN (Public Switched Telephone Network). In many ways the PSTN is the largest, most robust communications infrastructure on the planet and it is still in use today. With the advent of VoIP (Voice over IP), telecommunications is moving away from this legacy platform onto the internet. The SMB business phone system, rather than being separate equipment, in now simply another network device able to interoperate with many new and emerging technologies. This shift is allowing for the advent of Unified Communications. A UC business phone system is one which combines communications such as voice with video, chat, email and presence together into one unified messaging system. As the technology has become more complex, and more accessible from the public internet, the security threat has increased. In many ways it is easier than ever to attack business communications. Companies must be diligent to protect their communications as they are vital to business operations.

Security has long been a problem for telecommunications networks. Even in the legacy days of the PSTN, threats existed. Attackers who were able to compromise phone systems were known as “phreaks.” Not all phone phreakers were malicious. Many simply sought to study the technology. A few were able to manipulate the system for financial gain.

Early telephone networks used in-band frequencies to transmit call level signaling. For example, AT&T used a single 2600hz tone on the line to signal that the line was ready to dial long distance calls. A famous phone phreaker, John Draper, discovered that the toy whistle found in a Cap’n Crunch cereal box could be used to emit a 2600hz tone. By blowing the whistle into the phone, he was able to make free long distance calls.

This vulnerability helped usher in greater use of DTMF (Dual Tone Multi-Frequency) signaling. By using two tones instead of one, the call control signaling was more difficult to reproduce, but not for long. Phreaks soon built devices called the “Blue Box.” This device was able to produce DTMF tones necessary to gain control over the telecommunications system. Steve Wozniak, who later went on to help found Apple Inc., is known for being a phreaker using blue boxes.

To avoid this vulnerability, the telecom network moved to out-of-band signaling; however, DTMF still exists today. The tones you hear when you press the keys on a touch tone phone are DTMF tones. Many mobile and VoIP phones still use these tones simply because they are familiar to us, even though they are not needed for signaling.

The historical lesson to learn is that technology must evolve to stay ahead of those who seek to exploit it. Although historical phreaks like John Draper and Steve Wozniak are a type of folk hero, modern attackers can do real damage to your system and cost your business large amounts of money.  As technologies evolve, so do the malicious attackers. It is imperative to stay up-to-date on information security in order to protect your businesses assets.

In tomorrow’s post, we’ll take a look at some common threats and the damage they can do. For today, feel free to post your own story in the comments of how a system was compromised. It can be a historical story or a modern one. These stories can be fun and entertaining, as well as informative, so please share!

No Comments Yet

Get the conversation started!

Add to the Discussion

Your email address will not be published. Required fields are marked *