VoIP hacking is phreaking expensive

VoIP hacking is like most other forms of hacking -- if you don’t pay attention to your security, you really will get what you deserve.

Phreaking is a term not often used these days. It was introduced to describe the technique of simulating telephone tones to fool a phone system into giving you free calls. Phreaking started in the 1960’s with the likes of Cap’n Crunch (John Draper) a man who discovered that the whistle from a packet of Captain Crunch cereal could generate a perfect 2600 Hertz signal — coincidentally the same signal used by the phone network in the US at the time.

Phreaking quickly took off and tools such as ‘Blue Boxes’ were invented to generate a variety of tones which were used to fool phone systems into doing all sort of things. Free calls (in a time when they were expensive) were always the main goal. You might be interested to know that in the mid-80s Telstra’s big grey phones were actually quite easy to phreak.

The term ‘Phreaking’ has long since passed into history. Today it mostly describes a variant of normal hacking — with a bent towards VoIP (Voice over Internet Protocol). Most VoIP systems are actually based on operating systems such as Linux, so standard hacking techniques are generally used to break into these systems.


Hacking used to be about a challenge. Sure, they’d cause a bit of a mess, but it was mostly done in the name of a challenge - once upon a time.

Like anything where there is money to be made, criminals move in. The Internet is a place where fraud is conducted across international boundaries, so virtually no repercussions are possible against those involved.

Why is VoIP Hacking Different?

VoIP is an application that runs over the Internet, just like email. The issue is that VoIP — is voice related and phones calls still cost money.

VoIP is one of the few applications where it is actually very easy to make lots of money if you have some technical ability and the inclination.


VoIP is quite unlike your traditional POTS (Plain Old Telephone Service) line you have at home. That line is hardwired, and is very difficult for anyone else to use.

In a VoIP arrangement, your handset is (literally) a computer connecting to the Internet. It communicates with a VoIP server and uses a username and password. Once authenticated it can make calls over the Internet. However, if those calls exit the VoIP Server upstream to access the destination of the call — then that VoIP Server is going to be billed for the call.

So How Do They Make Money?

There are several scenarios involved in serious (high yield) VoIP hacking.

If, for example, you have an individual’s VoIP account details, you can make some calls for free, but this doesn’t make you money. It saves you money (but you’re still a thief). In the case of organised crime seeking higher returns, accounts are used to make many, many calls.

Below is a selection of real-world case studies. These are actual VoIP hacking cases which I have been involved with during the past year.

The VoIP Provider

This particular company (based in Melbourne) was a provider of VoIP and Calling-Card services targeting a few key ethic demographics who tend to make lots of calls back to their homeland and families. Business was great, but then their primary VoIP servers were hacked.

The big problem was that this company, being itself a customer of large Telcos for ‘VoIP minutes’, retained multi-hundred thousand-dollar credit limits with some of the large carriers.

Hackers penetrated the company’s systems, and ‘details’ were on-sold by criminals to unethical VoIP providers in Europe, Asia and the Middle East. In this case it seems that one unethical VoIP provider, using IP Addresses in Egypt, routed many calls via the company’s VoIP server running up bills (to the company’s carrier) of over $100,000. The carrier has to settle with the destinations no matter what, so the company was liable. They went out of business within 6 months.

The way the criminals actually made their money was from the end consumer, who paid to use ‘their network’, but was instead channelled through a ‘free path’ at no cost to the criminal. Those placing phone calls were unlikely to have any idea that their calls went through this system to their destination. You don’t know who Telstra uses to get to a destination, do you?

The Corporate

This medium-sized business wanted a VoIP solution set up so that its offices could make ‘free’ calls between locations, with some executives also having an extension at their home. All was good. As a managed service it worked effectively for over a year until the business decided it didn’t need the expense of a third-party managing its system. They decided they could do it themselves.

A year after we had ceased to manage their VoIP systems, they were hacked. This business had been adding its own extensions and setting its own passwords — without maintaining any security updates. Some cyber criminals (or an automated tool) guessed a simple extension/password combination that had been configured one of the users.

For a couple of weeks calls were routed through this business’ phone network, quickly accumulating over $25,000 worth of calls, which they inevitably had to settle with their VoIP carrier. The criminals in this situation probably used the same conversion method as the previous example — routing calls though the free path but still charging their own customers.

The Small VoIP Provider

This morning, minutes before writing this article, I completed an audit of a small VoIP provider that had been hacked. it was using Open Source VoIP solutions — one known to have security issues. This VoIP provider actually had pretty reasonable security on its server but neglected just one aspect — and was hacked.

But this was no ordinary hack. Hackers uploaded a 10-minute audio file to the VoIP server that contained bad quality grunge-rock music. They then had the server automatically dial satellite phones for 10 minutes, playing them the song — that’s all.

Of the VoIP calling zones, satellite is one of the most expensive (around $10 per minute). Seventy calls generated a bill of more than $7000 in less than two hours. Detection systems then kicked into life at their supplier, cutting them off before they went any further.

But, how does the hacker make money? My assumptions are that either the satellite provider, satellite phone provider, or one of their reseller is getting a big cut from phones ‘receiving calls’.

Nevertheless, the small VoIP provider has to pay for these calls, as does their supplier, their supplier’s supplier, and so on. The bill still has to be paid.

The examples here are just a couple of common methods, there are many others known and new ones coming along regularly. VoIP hacking is undoubtedly an innovative industry!

What Can I Do If I am Hacked?

Honestly, very little. Unless you have your own private army and wish to invade countries like Russia or Egypt, then you are out of luck. Your VoIP provider will require you to pay your bill. They, in turn, will receive no relief from their suppliers, nor will those suppliers receive any relief from anyone else.

You can negotiate towards paying the wholesale rate that your supplier receives, but its unlikely to be much of a discount, VoIP is all about volume (known as minutes) not high margins.

Your nine-cent local call might cost the supplier 8.5 cents. Money is made by having thousands of calls from many customers, all for just half a cent per call. It leaves very little they can do for you.

Do I Have to Worry? Am I Vulnerable?

The main problem is that the users of VoIP systems do not generally understand the technology they are using. Users see a phone on their desk, or occasionally a ‘soft phone’ on their computer. As a user, you know what to do, but you are unlikely to really know how the whole solution works.

The question of how vulnerable you are is something this author cannot answer. This article is intended to raise awareness of the risks. While VoIP servers are an amazing technology, they’re also exposed to hackers from around the world. How vulnerable your VoIP system is depends on many factors (I could fill a book). Have a conversation with your IT staff and your VoIP providers about the examples described here. Demand accountability.

Final Advice

Ask a lot questions from those who install your servers and solutions — and the VoIP providers that you use. They should have anomaly detection systems in place to notice if your spend goes up dramatically in a short period of time. They should also block expensive destinations unless you ask for them to be unblocked (like Satellite phones).

In the end, VoIP hacking is like most other forms of hacking — if you don’t pay attention to your security, you really will get what you deserve. The Internet is still the Wild West, and only those who protect themselves properly will be safe.

It is estimated that the worldwide cost of telecommunications fraud over the last year is in the billions of dollars. VoIP fraud is bringing that number up significantly, and it’s still growing. Interestingly, it’s probably the cleanest form of money laundering possible — the telcos are a key part of it.

Remember, VoIP hacking isn’t like having your web page defaced, or having a server hacked that you need to rebuild. This hack will bleed real money straight from your organisation — it could quickly get phreaking expensive.

For a demonstration of how easily VoIP systems can be hacked, please check out a demonstration of a couple of VoIP hacking tools. 1. Sipautohack and 2. SIPVicious.

Skeeve Stevens is the CEO of eintellego, a network integration specialist who has built many Service Provider and corporate networks. He specialises in providing advice on how to navigate the wild west of the Internet and is an international speaker on topics such as networking, social media, security and risk management.

Follow @CSO_Australia and sign up to the CSO Australia newsletter.

Join the CSO newsletter!

Error: Please check your email address.

Tags risk managementsecurityvoipphreakinghacking

More about etworkLinuxTelephone ServiceTelstra CorporationWest

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Skeeve Stevens

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts