Hacking ShoreTel!

August 5th, 2013

When you have been involved with the design, deployment and management of customer premises telephone systems for as long as we have, you think you have seen it all. Over the years, as we learn from our mistakes, we improve our “best practice” list to assure others gain from our experience. When I was barely a teenager, I learned how to assemble a string of MF tones using a Hammond organ keyboard. Recording two keys at a time, you could create toll call routing instructions that could be played back after making a 1-800 toll call, before the terminating end answered! That, along with the famous Captain Crunch 2600Hz cereal box whistle, kept me and my friends entertained for years, stacking toll tandem switches and meeting other hackers in faraway phone booths! Things have changed: in-band signaling was long ago replaced with out-of-band signaling, and whistles no longer work. Toll fraud, however, continues to be a major source of unanticipated costs for business, and the toll bandit syndrome is still alive and well in the Internet age.

Just like a web server which uses well-known port 8080 to serve up web pages, SIP phone systems use a common port. Scanning for open port 5060, then banging away at user logins and passwords to create a registration, was child’s play, and most companies now have this locked down. The fact that most Voice Mail systems used a common password was also a source of hacking entertainment, but now most manufacturers do not create mailboxes until someone needs one, eliminating a source of illegal phone calls through remote access. Direct Inward System Access, or DISA, used to be a favorite tool for making fraudulent toll calls. Users would call into the system, enter a PIN and then be granted access to make phone calls. It did not take long to figure out how to abuse that feature!

Like I said, just when you think you have seen it all, something new shows up. You have to laugh at how obvious and simple it was. I was recently contacted by a guy who you would think has seen it all, Kevin Mitnick. If that name does not immediately “ring a bell,” then maybe you might remember a couple of his books: The Art of Intrusion, The Art of Deception and most recently Ghost in the Wires. Kevin has not only seen it all, he has done it all! Anyway, Kevin was researching a compromised ShoreTel system for a client and wanted to compare notes with DrVoIP. Apparently someone had gained unauthorized access to the system and was making toll calls that were costing the target company a small fortune. If you have ever experienced toll fraud, you know that your vulnerability is broadcast all over the Internet in just a matter of minutes. You will find yourself explaining to Homeland Security why you are making so many phone calls to Dubai!

Kevin had a sheet of CDR records that showed the date and time of the calls. Unfortunately the calls seemed to be originating from the Automated Attendant, so they could not be traced to a particular extension number within the system. We brainstormed some possibilities. I thought for sure this had to be an inside job! Maybe someone was using the “find me follow me” feature, but that would only send the call to a single number. These calls were all over the map! Literally all over the globe! ShoreTel does not have a DISA feature, and VM boxes do not exist unless they are assigned to a user. The password must be changed as a part of the setup process. So how was this system hacked?

Well, I could tell you, but that would take all the fun out of hearing from you as to your thoughts on how this was done. I will promise you that it takes one to know one, and Kevin, genius that he is, figured this out, not I! Even DrVoIP was taken in by this clever ruse! Post your comments below with your thoughts on how this was accomplished and we will send you the puzzle answer Kevin uncovered. My thinking is that all we can ever hope to do is to raise the bar, keeping out the less sophisticated mice. There will always be someone smarter, someone more dedicated and focused, who will make it his mission to crack your safe!

Updated with Answer September 1, 2013 – Well, a couple of people actually broke the code (excuse the pun)! What Kevin learned was that one of the great flaws in VoIP is the complete lack of control when it comes to secure Caller ID! Simply stated, there is no security or verification of Caller ID! Using any number of readily available tools, it is possible to spoof your caller ID. You can make your phone display any number you want! ShoreTel has a voice mail feature that enables you to listen to a voice message and then return the call by pushing a voice mail menu option key! This is a very handy feature, especially if you are calling into your voice mail from your car: just hit the “return call” option and, provided the system was able to capture the inbound Caller ID, the ShoreTel will place an outgoing call to that number and conference you in! So let’s put this simple ShoreTel hack together. The hackers gained control of a voice mail box, then called into the ShoreTel Voice Mail system with a spoofed Caller ID and left a brief message. Calling back into the system, this time to check their voice messages, they then hit the “return call” option key, which placed a call to an international Middle East location, all billed to the ShoreTel system owner and showing up only as a Call Detail Record owned by the Automated Attendant. Great feature, but we would recommend that you don’t allow the VM system to place international phone calls! Thanks to all who took time to write, and special thanks to Kevin Mitnick for a really fun Service Call!
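Two things an administrator can take away from the answer above are a CDR review that would have surfaced this pattern early (international calls whose originating party is the Automated Attendant or voice mail, not an extension) and a policy check on the “return call” feature that treats the captured Caller ID as untrusted input. The script below is an added example written for this post; it is not ShoreTel code, and the CDR format, the originator labels (“Auto Attendant”, “Voice Mail”), the NANP home country code and the sample call records are all constructed assumptions.

```python
"""Detect voicemail/Auto-Attendant-originated international calls in CDR data and
model a 'return call' policy that refuses international callbacks.

Added example for the DrVoIP post; the CDR layout and labels are assumptions,
not ShoreTel's actual export format."""
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample CDR lines (not real system output).
# Fields: timestamp, originating party, dialed number, duration in seconds
SAMPLE_CDR = """\
2013-07-14 02:13:07,Auto Attendant,011971501234567,1842
2013-07-14 02:45:51,Auto Attendant,011971509876543,2210
2013-07-14 09:02:14,Ext 1204,8005551212,95
2013-07-14 09:15:33,Ext 1187,3105550199,340
2013-07-14 23:58:02,Auto Attendant,011442079460000,1205
"""

# Hypothetical originator labels the system writes for calls no extension placed
VOICEMAIL_ORIGINATORS = {"Auto Attendant", "Voice Mail"}
HOME_COUNTRY_CODE = "1"  # assumption: a North American (NANP) system


@dataclass
class CdrRecord:
    timestamp: datetime
    originator: str
    dialed: str
    duration_s: int


def parse_cdr(text):
    """Parse the constructed comma-separated CDR layout into records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, orig, dialed, dur = [f.strip() for f in line.split(",")]
        records.append(CdrRecord(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                                 orig, dialed, int(dur)))
    return records


def is_international(number):
    """NANP international dialing prefix 011, or an E.164 '+' number outside
    the home country code."""
    if number.startswith("011"):
        return True
    if number.startswith("+"):
        return not number.startswith("+" + HOME_COUNTRY_CODE)
    return False


def suspicious_calls(records):
    """The pattern from the post: international calls the CDR attributes to the
    Automated Attendant or voice mail rather than to any extension."""
    return [r for r in records
            if r.originator in VOICEMAIL_ORIGINATORS and is_international(r.dialed)]


def summarize(records):
    """Counts a reviewer would want: how many flagged calls, billable minutes,
    and how many fell outside business hours (here 07:00-19:00, an assumption)."""
    flagged = suspicious_calls(records)
    return {
        "flagged": len(flagged),
        "minutes": round(sum(r.duration_s for r in flagged) / 60, 1),
        "after_hours": sum(1 for r in flagged
                           if r.timestamp.hour < 7 or r.timestamp.hour >= 19),
    }


def allow_return_call(caller_id, allow_international=False):
    """Policy check for the voicemail 'return call' option. The Caller ID was
    supplied by whoever placed the inbound call and can be spoofed, so it is
    untrusted: only dial it if it is a plain number and, by default, domestic."""
    digits = caller_id.strip()
    if not re.fullmatch(r"\+?\d+", digits):
        return False  # not a dialable number at all
    if is_international(digits) and not allow_international:
        return False  # the restriction the post recommends
    return True


if __name__ == "__main__":
    recs = parse_cdr(SAMPLE_CDR)
    for r in suspicious_calls(recs):
        print(f"{r.timestamp}  {r.originator:<15} -> {r.dialed}  {r.duration_s}s")
    print(summarize(recs))
    print("return call to 011971501234567 allowed:",
          allow_return_call("011971501234567"))
```

Run against the constructed sample, the three Auto Attendant calls to 011-prefixed numbers are flagged (all after hours), while the extension-originated calls are not, and `allow_return_call` refuses the international callback unless the administrator has explicitly opted in with `allow_international=True`.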


12 responses to “Hacking ShoreTel!”

  1. den says:

    interested like gary, we were hacked as well we think.

  2. gary says:

    how can i replicate this? we have been hacked via voicemail too…

  3. LOL says:

    The two ways this could be done are to HACK the local network and gain access to web communicator through a default password, once learning the user id, or by hacking the server through direct access. ShoreTel is unique because it is one of the phone systems that does not have direct inward system access.

    I like the fact you name-dropped one of the most wanted hackers in US history, reached out to for assistance. That in itself should tell the smart ones this is a good story but not factual.

    Thanks for the deletion of my post in advance.

  4. guido10 says:

    Sounds like they found a back door in the AA.

  5. Mary Beth says:

    You said that the default password had to be changed at install, so access to make changes seems less likely, but maybe leaving some AA option open to entering unlimited digits for transfer, and not setting call routing restrictions out of the AA?

  6. ajones934 says:

    Spoofed the inbound caller ID and used the callback feature in the voicemail to call the fake caller id.

  7. Jamie says:

    Were the company using SIP trunks?
    That could be a way in… forge SIP messages to the SIPARATOR or other device.. I’ve seen AudioCodes SIP to ISDN boxes do some very, very odd stuff and are often unsecured with default passwords.

    I don’t think you can generate an external call from a SG switch but if you could that would be very clever.. will have to have a play in the lab tomorrow.

    Do share with us the answer!

  8. ejhat37 says:

    Utilizing weak passwords and using the call back feature of voicemail.

  9. Dan says:

    Called in and left a voice message. Set the callback to the number calling and it called. After AA called the user they now have access to dial tone to dial anywhere.

  10. the man says:

    spoof caller id to vm
    use call back feature to call back spoofed number

  11. Don Bernstein says:

    Call Return feature in user’s mailbox not restricted correctly or disabled.

  12. Dux says:

    Used the default password which had never been changed to access the AA?

    Compromised a SG switch (Linux VM with a default password??) and made calls out?

    Swept the server for open ports, bad scopes on ports, and got in that way?
