Page 43 - Cyber Warnings
It may be worrying to realize that even more is possible at the ‘front-end’. At the telephony
front-end we see something strange. While usernames and passwords are considered a
minimum level of security for computers and laptops, this is certainly not common
practice in enterprise telephony. Many people have a phone on their desk which is configured
with their settings, gives access to their contact data and allows them to listen to their
voicemails, and which is not protected at all.
This is even the case when advanced features like extension mobility or hot desking are used,
allowing people to log into any phone in the office. These services typically require a username
and PIN code. However, typing your user credentials on the numeric keypad of a
telephone is very inconvenient. So, quite often people log in only once and never log out
again as long as they use that same desk.
Day and night, their phone is logged in with their personal settings. And - tired of all the questions,
complaints and forgotten PIN codes - there are even system managers who simply recommend
that users not log out. Or who make life easy by providing simple user names and short default PIN
codes.
As a consequence, there are many conceivable situations in which telephones are logged in day and
night, loaded with someone’s personal settings and accessible to anyone, from colleagues to
the cleaning staff. If you replaced the word 'telephone' in the sentence above with 'laptop' or
'computer', we would find this a serious security blunder. But for telephones, it is common
practice, I’m afraid.
What’s the problem? It is just a telephone, not a computer, one could argue. That’s true, but still
the damage from unauthorized access to an unobserved telephone could be serious. I will give
three examples.
Security threat 1: Unauthorized access to voicemail
In business environments voicemail isn’t used for chit-chat. Of course, people can ask someone
to return their call. But very often they also take the opportunity to explain what the
subject of their call is. So, voicemail is used to exchange information. Information which
could be very confidential. It could be the financial details of a contract. It could be a scenario for
a restructuring. Or it could be the opinion of a medical expert on a patient. These are all
examples of information which is highly confidential, but accessible to anyone with access to
that telephone. Has anyone forgotten the News of the World scandal some years ago?
Security threat 2: Unauthorized access to contact information
Contact information can be extremely valuable. It is not that difficult to find out who the
executives or other key players in an organization are. But it can be a challenge to find their direct
contact details. Or to find out with whom they are in contact. So, the corporate directory and
other personal contact lists can indeed be high-value company information. And this valuable
and sensitive information can be retrieved by an unobserved visitor or staff member
with unauthorized access to an open telephone in the office.
43 Cyber Warnings E-Magazine – July 2017 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide