ADVANCE Perspective: HIT

Homeland Security Phone System Hacked

Published August 22, 2008 9:21 AM by Bob Mitchell
A recent report by the Associated Press caught my attention.

The story is about how the phones at FEMA, part of Homeland Security, were hacked because a contractor had left open a "hole" when the voice mail system was upgraded.

I did a Google search and found an explanation of how a voice mail system works. At more than 900 words, an entry in one section of Wikipedia explained how the system works:

--------------------------------------------------------------------------------------------------------------------------------------------------------------

Voicemail systems contain several elements:

  • A central processor (CPU) which runs the operating system and a program (software) that gives the system the look-and-feel of a voicemail system. This software includes thousands of pre-recorded prompts that "speak" to the users as they interact with the system;
  • Disk controller and multiple disk drives for message storage;
  • System disks which not only include the software above, but also contain a complete directory of all users with pertinent data about each (name, extension number, voicemail preferences, and pointers to each of the messages stored on the message disk that belong to them);
  • Telephone interface system that enables many phone lines to be connected to it.

The voice mail system interacts with the PBX. Suppose an outside caller is calling Bob's extension 123. The incoming call comes in from the public network and comes into the PBX. The call is routed to Bob's extension, but he doesn't answer. After a certain number of rings, the PBX stops ringing Fred's extension and forwards the call to an extension connected to the voicemail system. It does this because the PBX is programmed to forward busy or unanswered calls to another extension. Simultaneously the PBX tells the voicemail system that the call it is forwarding to voicemail is for Bob at extension 123. The voicemail system then answers the call with Bob's pleasant greeting.

-------------------------------------------------------------------------------------------------------------------------------------------------------------

Microprocessors throughout the system must handle large amounts of data and it's unacceptable to have any wait times (for example, when the system is recording or playing your message, it's unacceptable if the system stops recording momentarily like computers often do while accessing large files).

When Bob's extension forwards the call to the voicemail system, the telephone interface detects ringing. It signals to the Central Processor (CPU) that a call is coming in. The CPU simultaneously receives a signal on the PBX-Voicemail Data Link telling it that extension 123 is being forwarded on ring-no-answer to the specific extension that is now ringing. The CPU directs the Telephone Interface (which controls the line interface cards) to answer the call. The CPU's program realizes that it's a call for Bob so it looks up Bob's greeting immediately and directs the disk controller to start playing it to the caller. It also plays some system prompts instructing the caller what comes next (for example, "When you have finished your message, you may hang up or press 0 for more options"). All "talking" to the caller is done through prompts that are selected by the CPU according to the program stored in the voicemail system. The CPU selects the prompts in response to the keys the caller presses.

The caller's message is digitized by the Telephone Interface system and transmitted to the disk controller for storage onto the message disks. Some voicemail systems will scramble the message for further security. The CPU then stores the location of that message in the System Disk inside Bob's mailbox directory entry. After the caller hangs up and the message has been stored, the CPU sends a signal to the PBX through a link instructing the PBX to turn on the message waiting light on Bob's phone.

When Bob returns and sees the light on his phone, he calls a designated extension number for the voicemail system (an actual extension number assigned). Again the Telephone Interface alerts the CPU that a call is coming in on a particular line, but this time the signaling from the PBX-Voicemail Data Link indicates that Bob is calling directly, not being forwarded. The CPU directs the Telephone Interface to answer the call.

Since the CPU "knows" it is Bob (from the signaling on the Data Link), it looks up Bob's information on the system disk, specifically his password. The CPU then directs Disk Controller to play a log-on prompt to the user: "Please enter your password." Once the password is entered (via Touch-tones), the CPU compares it to the correct one and, if entered correctly, allows Bob to continue.

The CPU then determines (from Bob's directory entry) that Bob has a new message. The CPU then presents Bob his options (e.g., "You have a new message. To listen to your new message, press 2; to record a message, press 3" etc.) The options are presented by the CPU directing the Disk Controller to play prompts, and the CPU listens for Touch-tones from Bob. This interaction of playing prompts and responding with Touch-tones enables Bob to interact with the voicemail system easily.

If Bob presses 2 to listen to his message, the CPU looks up the location of Bob's new message in his mailbox directory (on the System Disk), and directs the Disk Controller to play that message. The Disk Controller finds the message on the Message Disks, and sends the data stream directly to the Telephone Interface. The Telephone Interface then converts the data stream to sound and plays the message to Bob through the Line Interface Card. And, Bob hears his message.
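The call flow described above, modelled as a short added example (not part of the original post or the Wikipedia entry): the data-link signal decides whether a call is recorded into a mailbox or prompted to log on, and the password comparison is the only check before messages are played. The class names, the signal labels `forward_rna` and `direct`, and the sample password are assumptions made for illustration.

```python
import hmac
from dataclasses import dataclass, field

@dataclass
class Mailbox:
    name: str
    password: str      # touch-tone digits (constructed sample value)
    greeting: str
    new_ptrs: list = field(default_factory=list)  # pointers into the message disk

class VoicemailSystem:
    def __init__(self, pbx_signals):
        self.directory = {}             # "system disk": extension -> Mailbox
        self.message_disk = []          # "message disk": stored recordings
        self.pbx_signals = pbx_signals  # link back to the PBX

    def handle_call(self, link_signal, extension, keys="", audio=None):
        """link_signal is what the PBX-Voicemail Data Link reports for the call."""
        box = self.directory[extension]
        if link_signal == "forward_rna":
            # Forwarded on ring-no-answer: greet, record, light the lamp.
            # This path never opens the mailbox.
            self.message_disk.append(audio)
            box.new_ptrs.append(len(self.message_disk) - 1)
            self.pbx_signals.append(("mwi_on", extension))
            return [box.greeting, "recorded"]
        if link_signal == "direct":
            # The link only says whose mailbox this is; the password is the gate.
            prompt = "Please enter your password."
            if not hmac.compare_digest(keys.encode(), box.password.encode()):
                return [prompt, "denied"]
            played = [self.message_disk[p] for p in box.new_ptrs]
            box.new_ptrs.clear()
            return [prompt, "granted", *played]
        raise ValueError(f"unknown data-link signal: {link_signal}")

def demo():
    pbx = []  # signals sent to the PBX (constructed stand-in for the link)
    vm = VoicemailSystem(pbx)
    vm.directory["123"] = Mailbox("Bob", "4821", "Bob's greeting")
    left = vm.handle_call("forward_rna", "123", audio="message from outside caller")
    bad = vm.handle_call("direct", "123", keys="0000")
    good = vm.handle_call("direct", "123", keys="4821")
    return left, bad, good, pbx

if __name__ == "__main__":
    for step in demo():
        print(step)
```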

Seems likely from this accounting that during the system upgrade a "hole" could have very easily been left open, exposing FEMA/Homeland Security to such a hack. With more than 900 words just in a description about how the systems work, it's surprising that a "hole" hadn't been left open sooner.
