How to Protect Your Virtual PBX Against a Virus Like WannaCry?

The WannaCry virus has been on alert for more than 150 countries around the world. After the first attack, governments and companies focused their efforts on preventing cyber attack from spreading. Since May 12^th, WannaCry is estimated to have infected more than 230,000 computers in 179 countries. But the situation does not end here. Over the last few days new malicious viruses like Adylkuzz, Doomsday or EternalRocks have again put thousands of computers on the global level.

How a Malicious Attack Could Affect a Virtual PBX

Let us briefly put ourselves in position. WannaCry is a computer virus that affected several large companies (including Telefónica) and deprived them of their information systems for hours. It could be said that what the virus did was disable the infected computer, demanding, then, an economic reward in exchange for releasing it, as if it were a virtual abduction.

We know how these viruses can act on computers of institutions and organizations, but how could they affect a telephone communication system in the cloud of a company? What would be their goal? What operational and economic effects could they produce?

Well, nothing that is connected to the Internet is safe from malicious hackers who seek to profit economically at the expense of users, so that a Virtual PBX located in the cloud could also be sensitive to hacking attempts. What the hackers would pursue, in this case, would be to intervene the telephone device to make special tariff calls. This type of numbering is the one we usually find in the classified pages of newspapers such as tarot or contacts. Its main feature is that the cost of calls to these phones has a price per minute rather higher than usual and also part of this amount goes directly into the coffers of the “service” owner.

Imagine now that we are a hacker and want to enrich ourselves at the expense of a user of a Virtual PBX. What we would do would be to hire a telephone number with the features mentioned above and would force the user to call for an economic benefit. To do this, we would “abduct” some of its telephone terminals, as WannaCry did with computers, and we would manipulate it to generate calls to our special pricing number.

The easiest way to do this is to divert the device to the profitable number. Once this is done, we would only need to make calls to our victim’s Virtual PBX and this would divert the call to the hacker’s number. Obviously, the cost of this call would be borne by the owner of the Virtual PBX, generating an unpleasant surprise and bewilderment when receiving the invoice.

Best Practices to Protect Your Virtual PBX Against Hackers

A hacker in many ways can attack a PC because computers have many types of access: web browsing, email, document execution, USB’s, etc. Instead, a telephone is very difficult to intervene because its only function is to make and receive calls: neither execute files, nor receive emails, nor can be connected to remote devices, etc. That is why it is not necessary to take as many precautions when it comes to protecting our Virtual PBX as with a PC. Even so, from here we make some recommendations:

• For call diversion to occur, the attacker must first know which number to call for the terminal to automatically call the special rate number. For this they usually make anonymous calls, usually with a foreign accent, asking: “I think I was wrong, what number did I call?” Before this question we should answer: “What number did you dial?” Or something similar to make sure that it really is a lawful call. The important thing here is not to provide information to strangers.

• In order to activate the diversion, attackers must access the phone via the web. This web access to the terminals of the Virtual PBX, in the case of masvoz, is protected with a secure password that causes the immediate surrender of the hackers. Even so we must take into account that we should never give web access to the terminal through the router. If the router has never been manipulated to provide such access, we should not suffer. Access is impossible.

• One of the advantages of IP telephony is mobility. We can take our telephone to any place with Internet connection and have our extension as if we were in the office. What we should never do is connect the phone to public networks where unknown people may have connected.

• Although not essential, as far as possible it is convenient to separate the telephones of PCs in different networks. In this way, if the computer network is compromised, the phones will be left out and cannot be located from the compromised machines.

The Virtual PBX, a Secure Telephone Device For Your Company

The recommendations in the previous chapter are general and valid for any user of a Virtual PBX. But depending on the provider offering the service, the PBX and communications can be more or less safe, and customers run more or less risks.

In masvoz we are pioneers and specialists in cloud communication. With more than 15 years of experience and thousands of deployments behind us, we are experts in these practices and all our services incorporate the latest advances in protection, and pass the most demanding security and privacy tests in communications. Our telephony systems detect, alert, and block possible attacks through sophisticated algorithms and firewalls.

The prudence of the clients along with the robustness of an expert operator is the perfect combination to have an impregnable cloud communications system.