• PBX Programming Commands
  • Hardware Modification

  •  

     

    Office phone systems are fraught with oportunities for violating user privacy. The system itself contains commands for listening in on calls, monitoring rooms, and features for analyzing traffic patterns. Unlike telephone company offices, the switching equipment is readily available for physical modification or reprogramming.

    Analog sets connected to lines (especially analog multi-line sets) pose an eavesdropping threat. There is no control over call privacy on analog multiline telephones, allowing receptionists and secretaries to listen-in on any calls passing through that phone.

    Station Message Detail Recording (SMDR) is a nearly universal option on private phone systems. SMDR records details of all calls. Whether a call was incoming or outgoing, phone number, call duration, date and time. SMDR provides an obvious tool for tracking a user's telephone activity.

    Sample SMDR output
     
     

    PBX Programming

    Every phone systems provides built-in features to compromise user privacy. Fortunately there are simple steps that can be taken to reduce the possibility of eavesdropping simply by altering system and station programming. Unfortunately programming techniques vary from one manufacturer to another and even between models, so providing complete instructions for every PBX is impractical. Below are certain features that to look out for in a copy of the administration manual.
     
  • Auto answer

  • Auto answering is a feature available to many station users that allows them to have all their calls get answered automatically, and put onto speakerphone. If a phone was set to ring silently and auto answer, it would allow callers to monitor room audio from anywhere.

    For Admins:

    Disable auto answer on a system wide level if practical/possible.

    For Users:

    Auto answer is usually engaged by a button or switch on the phone. Don't use it, and check routinely to make sure it's disengaged.

    Known Effected Platforms:

    Lucent

    Definity
    Merlin 2+
    Partner
    System 75/85

    Panasonic

    KXTA
     

    Barge-in/Executive Override/Verification:
     

    The Barge-in/Executive Override/Busy Verification feature allows privileged users to add themselves to ongoing calls as an additional party. Usually there is an alerting tone used in conjunction with override functions to alert the caller and called parties that another person has joined the conversation; however this feature can be suppressed on certain PBXs.

    For Admins:

    If feasible, disable executive override at the system level. Should this prove to be impossible make sure that the alerting tone is clearly heard, and sounded regularly.

    Busy verification should never be a permitted for outside users.

    Lucent administrators should define barrier codes with a built-in COR/COS that restricts the use of verification by outside callers, and confirm that verification is not called by any call vectors. Consult the administration manual for the specific platform, and the call vectoring guide for details.

    Audit the system regularly to confirm that no unauthorized users are privileged for busy override.

    For Users:

    Most phone systems have an option to stop users from overriding calls, usually by dialing a string of digits. Should this option not be available a feature baring call waiting or interruption of data calls would serve just as well.

    Known Effected Platforms:

    Lucent

    Merlin
    Partner
    Definity

    Panasonic

    KXTA Series
     
     

  • Call Bridging

  •  

     

    Call bridging is a feature that allows a telephone to act as an extension on another line. Should the line be in use, the person on the bridging extension will be placed into the call. When a call comes in on either bridged extension number, both phones will ring. Because of this a clever eavesdropper would assign the monitoring phone an unused extension.

    For Admins:

    Disable call bridging (standard and temporary) if possible. Should call bridging be required assign it an access code.

    For Users:

    Pay attention to your phone.

    Known Effected Platforms:

    Lucent

    Definity
    X5
     
     

  • Call privacy (including call waiting suspension)

  •  

     

    Call privacy is a feature that forbids privileged users from 'barging in' on ongoing conversations. Call privacy also manifests itself as a feature that suppresses call-waiting because the beep that signalls either a waiting call or a barge-in.

    For Admins:

    Make sure that call privacy is activated and that all users are aware of how to operate it.

    For Users:

    Use call privacy whenever possible. Programming it into speed-dial might be a wise idea.

    Known Effected Platforms:

    Lucent

    Merlin
    Partner
    Definity

    Panasonic

    KXTA
     
     

  • Intercom

  •  

     

    Intercom functions allow for calls between phone system users. Used in conjunction with silent ring and auto-answer intercom calls can be used to monitor room audio. Some phone systems with an intercom feature will differentiate between external and internal intercom calls.

    For Admins:

    Confirm that intercom calls always ring audibly, and that phones don't auto answer.

    For Users:

    Make sure your phone rings audibly and don't auto-answer.

    Known Effected Platforms:

    Lucent

    Merlin
    Partner

    Panasonic

    KXTA
     
     

  • Call Monitor/Service Observation

  •  

     

    Certain phone systems incorporate a function that will seemlessly monitor ongoing conversations. The threat posed by this feature is obvious.

    For Admins:

    If feasible, disable call monitoring at the system level. Should this prove to be impossible, make sure that the alerting tone is clearly heard.

    Lucent administrators can set up a COR/COS to speciffically restrict the use of service observation.

    Lucent administrators should define barrier codes with a built-in COR/COS that restricts the use of verification by outside callers, and confirm that verification is not called by any call vectors. Consult the administration manual for the specific platform, and the Call Vectoring Guide for details.

    Audit the system regularly to confirm that no unauthorized users are privileged for call monitor.

    For Users:

    Call privacy will usually override service observation.

    Known Effected Platforms:

    Lucent

    X5
    G1
    G3 (Attendant Intrusion/Service Observation)
    ECS
     

  • Room Monitor

  •  

     

    As a 'security' feature, certain phone systems allow a caller to monitor room audio through the phone system. A speakerphone connected to a listen-down amplifier will serve a similar purpose. The privacy threat posed by room monitor is obvious.

    For Admins:

    Disable room monitor if possible.

    For Users:

    A handset cutout (if room monitor uses the handset) will prevent the use of room monitor, and a cutout for speakerphone mics would also be a prudent measure.

    Known Effected Platforms:

    Panasonic

    KXTA

    Siemens

    Gigaset
     
     

  • Silent ring

  •  

     

    Many phone system station sets allow phone ringing to be muted completely. When coupled with an automatic answer feature (or device that put the phone off hook), silent ring would allow for a potent surveillance tool. Certain phone systems will auto-answer internal calls but ring audibly for calls from outside the system, allowing a clever eavesdropper to set internal calls to ring silently and auto-answer while external calls were handled normally and then use remote access into the system from outside.

    For Admins:

    Phones should always have the option to ring audibly. Should users require a no-disturbance call alert, set the ring down low.
     

    For Users:

    Always keep your ringer turned on, and at an audible level.

    Known Effected Platforms:

    Lucent

    Merlin
    Partner

    Panasonic

    KXTA
     
     

    Definity
     
     

    PBX Hardware Modification


    PBX hardware can be modified to present any number of surveillance opportunities. Adding or removing parts from a telephone set on a PBX can allow for a continuously hot microphone or a nearly undetectable wiretap, or facillitate the use of hostile programming or other attacks on a PBX.

    Bridging the hookswitch of a PBX telephone will allow for a permenantly hot mic, just like on a POTS line. However a more clever eavesdropper might repaint the traces inside the phone so that the answer switch was always set to auto-answer, allowing for a silent ring hot mic (which wouldn't interfere with the user getting a dialtone).

    If a PBX incorporated its conferencing features in hardware, an eavesdropper might permenantly connect a telephone to the conferencing circuit, allowing them to perpetually monitor all conference traffic.
     

    Index