Do you think your company secrets are secure because you have firewalls, encryption and all the bells and whistles? Do you think that nobody can hear your employees discussing confidential matters because you have VPN and your experts tell you that your IP phones are un-hackable (they’re not, but that’s for another article)? Think again. |
Here’s an often-overlooked attack vector that is innocuous, ubiquitous, essential to your organization’s communication, yet from a security standpoint minimally managed if not ignored). Plus, the vulnerabilities are not technical but human factor, hackable with a bit of smarts, guessing and social engineering. What is this weak spot in your critical communication?
The lowly conference bridge.
We all use them. Dial the toll-free number, put in your participant code (and host code if needed) and you’re on the call with your colleagues. The bridge is essential for today’s mobile, virtual and Work-From-Home workforce. They’re standard fare for executive briefings, team meetings, Incident Management, Crisis Communications, Business Continuity/Disaster Recovery events and other situations.
“But wait!” you say. “Conference bridges are confidential! People need to know the number! They also need to know the participant code! Plus, bridges are spun up and then ended. It would be like jumping on a randomly-moving train and picking the locked door from the outside!”
Actually, no. If you know the train schedule, get on at the station and the key is left in the lock (or you have the key since you were a former conductor), it’s easier than the vendors (or your security people) would have you believe.
Think of it. You need the time of the call, the phone number and the participant code or PIN. That information is easy to come by:
Time of call: Many calls are periodic or can be easily guessed. The status calls are typically Monday 9:00, or noon Wednesdays, or some other convenient time. The management calls might be the first weekday of the month. Emergency calls for Incident Management, Crisis Communications or other outage situations start at the onset of the situation then get scheduled for regular intervals (daily at 9:00, noon and 5:00) or they’re left open until the situation is resolved.
Phone number: Most bridge vendors have standard call-in numbers. If you know your target’s vendor you likely know the number to dial. Some vendors provide bespoke or customized numbers. If you know your target employee’s office extension you might know their call-in number. Some organizations use mnemonics for call-in numbers, such as 1-888-BCP-HELP.
Participant code: Same situation as numbers. People want these to be easily remembered, so they’ll use mnemonics, the owner’s phone number or other easily-remembered or easily-guessed sequence. Sometimes it’s even easier – you’ve undoubtedly seen the no-code call-in, set up for executives who can’t be bothered with remembering things.
The human issue is the final crack in the wall. Most people who manage bridge calls are lax in tracking attendance, do not monitor join announcements and do not utilize the tools for roll-call.
This vulnerability is further complicated by management inattention to it. Rotation of numbers or codes is very uncommon. Out-boarding employees often leave them stored as Contacts on their phones. The aspects that make conference bridges convenient make them vulnerable.
The bad actors who can exploit these loopholes include former employees either disgruntled or now competitors, hackers/hacktivists, or, if your company is a defense or critical infrastructure firm, state actors.
Next week, we will examine a few scenarios of how this vulnerability might be exploited.
The lowly conference bridge.
We all use them. Dial the toll-free number, put in your participant code (and host code if needed) and you’re on the call with your colleagues. The bridge is essential for today’s mobile, virtual and Work-From-Home workforce. They’re standard fare for executive briefings, team meetings, Incident Management, Crisis Communications, Business Continuity/Disaster Recovery events and other situations.
“But wait!” you say. “Conference bridges are confidential! People need to know the number! They also need to know the participant code! Plus, bridges are spun up and then ended. It would be like jumping on a randomly-moving train and picking the locked door from the outside!”
Actually, no. If you know the train schedule, get on at the station and the key is left in the lock (or you have the key since you were a former conductor), it’s easier than the vendors (or your security people) would have you believe.
Think of it. You need the time of the call, the phone number and the participant code or PIN. That information is easy to come by:
Time of call: Many calls are periodic or can be easily guessed. The status calls are typically Monday 9:00, or noon Wednesdays, or some other convenient time. The management calls might be the first weekday of the month. Emergency calls for Incident Management, Crisis Communications or other outage situations start at the onset of the situation then get scheduled for regular intervals (daily at 9:00, noon and 5:00) or they’re left open until the situation is resolved.
Phone number: Most bridge vendors have standard call-in numbers. If you know your target’s vendor you likely know the number to dial. Some vendors provide bespoke or customized numbers. If you know your target employee’s office extension you might know their call-in number. Some organizations use mnemonics for call-in numbers, such as 1-888-BCP-HELP.
Participant code: Same situation as numbers. People want these to be easily remembered, so they’ll use mnemonics, the owner’s phone number or other easily-remembered or easily-guessed sequence. Sometimes it’s even easier – you’ve undoubtedly seen the no-code call-in, set up for executives who can’t be bothered with remembering things.
The human issue is the final crack in the wall. Most people who manage bridge calls are lax in tracking attendance, do not monitor join announcements and do not utilize the tools for roll-call.
This vulnerability is further complicated by management inattention to it. Rotation of numbers or codes is very uncommon. Out-boarding employees often leave them stored as Contacts on their phones. The aspects that make conference bridges convenient make them vulnerable.
The bad actors who can exploit these loopholes include former employees either disgruntled or now competitors, hackers/hacktivists, or, if your company is a defense or critical infrastructure firm, state actors.
Next week, we will examine a few scenarios of how this vulnerability might be exploited.