Surveillance Possibilities on the ECS

Disclaimer: Your mileage may vary.

[- Seuss, 10/04/00 -]

PBXs invariably offer a rich set of surveillance options to a skilled eavesdropper, from soft wiretaps to commands that allow bugging rooms through the handsets. Lucent's enterprise phone systems, particularly the Definity ECS, provide an eavesdropper with an even greater wealth of possibilities. This article only touches on hostile programming of the switch; NIST has an excellent report on PBX security that discusses hardware attacks thoroughly.

- Hostile Features

* Bugging Attacks

You can bug a room through a telephone. Surprise. Typically this requires some modification to the handset so the phone is never really on hook, e.g. shorting the hook-switch contacts with a capacitor. Attach an audio amplifier to the line, and room audio will be heard fairly clearly. On a POTS line this sort of attack can be countered either by using a handset with a push-to-talk button, or by connecting a listen-down amplifier to the line and monitoring it for room audio. On a PBX, however, a few commands and a flipped switch can accomplish the same thing.

Auto answer is a feature used by many people who have their hands busy, e.g. secretaries and receptionists. After a ring or two the phone automatically goes off-hook. By itself auto answer is of little consequence. However, it can be coupled with an anti-disturbance feature that lets the caller mute the ringing at the phone being called. These two features together allow the phone to go off-hook without any warning and give an eavesdropper clear room audio. A bit of hardware intervention is needed here: to engage auto answer, the user has to move a slide switch on the phone from ring to auto answer. If long-term surveillance is planned, it's possible either to replace the existing phone with one that has the answer-selection switch disabled, or to have a rectifier wired into the line to suppress ringing.
Lucent platforms include a feature that permits only internal calls to be auto-answered, with external calls ringing audibly. Making intercom calls via remote access will create less suspicion than a station that never rings at all.

* Soft Wiretaps

Analog station sets allow any user to pick up an extension and monitor the content of a call. Because of the more complex signaling used by digital station sets, just picking up an extension phone yields very little usable eavesdropping data. However, several features on the ECS allow multiple people to add themselves to a call on a digital set simply by picking up the receiver.

Call bridging is the most obvious technique for adding oneself to an ongoing call. It allows a particular phone to answer (and incidentally monitor) calls on another extension. This method of eavesdropping is rather impractical, as calls to either phone ring both phones. That can be reduced by assigning the eavesdropping phone an unused number or VDN, or by forwarding all of its calls to such a number. Temporary bridged appearances, which create a roving bridged appearance, are another possibility.

Pickup groups are a feature provided by several manufacturers as a smaller but more flexible alternative to ACDs. The feature lets a call ring a group of phones simultaneously, and lets any of them enter the call. Any set in the pickup group can therefore be used to monitor a call to anyone else in the group. Adding yourself to a pickup group appears to be a good way to monitor calls from on site, but creating a pickup group becomes very obvious under examination during a switch audit.

The Busy Verification feature allows privileged users to add themselves to ongoing calls as an additional party. Busy verification isn't as sexy as it appears, though.
Usually an alerting tone is used in conjunction with override functions to tell the calling and called parties that another person has joined the conversation; after the first long tone it sounds again every 12 seconds. Verifying a number on a multi-line station generates a priority call (with an irritating special ring) to any available line on the station.

The Definity incorporates a special function that monitors ongoing conversations without any notification at all: 'service observation'. Service observation does not include an alerting tone. It is the most attractive choice for ongoing soft wiretaps because it can easily be accessed remotely, and it is most conveniently handled via a call vector.

Type: change vector x (make sure x isn't a currently assigned vector) and press return.

1. wait-time 0 secs hearing ringback
2. collect 4 digits after announcement 9876 (make sure there's an announcement that works here; adding more requires adding a module to the switch)
3. route-to digits with coverage n
4. stop

Now create a vector directory number that routes to this vector.

Type: add VDN 1234 and press return

You'll be presented with the Vector Directory Number screen. Assign an unused extension and an innocuous name, and make sure the associated COR allows service observation. When the VDN is called, the vector initiates, spouts off some meaningless crap, and waits for the caller to dial an extension. The vector then connects the caller to the requested extension.

Appendix A: Default ECS Logins

cust
rcust
bcms
browse
NMS
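From the auditor's side, the vector recipe and the default-login list above are the two things a switch audit should flag. The following check is an added example, not code from the article or from Lucent: the record shape (vector steps as strings, VDNs with a vector number, COR number and in-use flag, CORs with a service-observing flag) is constructed for the example and is not the Definity administration terminal's own screen format, so a real audit would first parse those screens into this shape.

```python
"""Switch-audit checks for the two indicators described in the article:
a VDN whose vector collects digits and routes to them, sitting on a COR
that permits service observing, and factory-default logins still present.
All record shapes and sample values below are constructed for this example."""

# Factory-default logins from Appendix A (compared case-insensitively).
DEFAULT_LOGINS = {"cust", "rcust", "bcms", "browse", "nms"}


def is_collect_and_route_vector(steps):
    """True when a vector both collects digits and then routes to those
    digits: the pattern that turns a VDN into a dial-any-extension front door."""
    collects = any("collect" in s and "digits" in s for s in steps)
    routes = any(s.startswith("route-to digits") for s in steps)
    return collects and routes


def suspicious_vdns(vdns, vectors, cors):
    """Return extensions of VDNs matching all three article conditions:
    collect-and-route vector, COR with service observing on, and no
    legitimate use recorded for the extension."""
    hits = []
    for vdn in vdns:
        steps = vectors.get(vdn["vector"], [])
        cor = cors.get(vdn["cor"], {})
        if (is_collect_and_route_vector(steps)
                and cor.get("service_observing", False)
                and not vdn.get("in_use", False)):
            hits.append(vdn["extension"])
    return hits


def stale_default_logins(logins):
    """Return, sorted, every configured login still matching a default name."""
    return sorted(l for l in logins if l.lower() in DEFAULT_LOGINS)


# Constructed sample data: vector 5 is an ordinary routing vector,
# vector 7 follows the article's recipe; VDN 1234 sits on it with COR 9.
SAMPLE_VECTORS = {
    5: ["wait-time 2 secs hearing ringback", "route-to number 3100 with coverage n", "stop"],
    7: ["wait-time 0 secs hearing ringback", "collect 4 digits after announcement 9876",
        "route-to digits with coverage n", "stop"],
}
SAMPLE_CORS = {1: {"service_observing": False}, 9: {"service_observing": True}}
SAMPLE_VDNS = [
    {"extension": "3000", "vector": 5, "cor": 1, "in_use": True},
    {"extension": "1234", "vector": 7, "cor": 9, "in_use": False},
]
SAMPLE_LOGINS = ["admin1", "cust", "NMS", "jsmith"]  # constructed login list

if __name__ == "__main__":
    print("suspicious VDNs:", suspicious_vdns(SAMPLE_VDNS, SAMPLE_VECTORS, SAMPLE_CORS))
    print("default logins still present:", stale_default_logins(SAMPLE_LOGINS))
```

A VDN that matches every condition is not proof of abuse, but it is exactly the configuration the article describes and deserves a look at who created it and when.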