This article will focus mainly on the Mitel embedded voice mail system, but the security principles can be applied to most voice mail and auto attendant systems.
Why Hack a Voice Mail System
There are a few reasons that people want to hack a voice mail system. This, of course, is not limited to Mitel voice mail systems but applies to any system that can be reached from outside your telephone network, especially if it can be reached through a toll free number.
- The challenge. Some people find it interesting, or even fun, to hack a system even if they have no intent to commit toll fraud or damage it. Unfortunately, the hacker will usually want to prove he did it by doing 'something' to the system, such as changing your greetings, resetting your passwords or even deleting your entire system.
- Malicious damage. Some hackers will break into your system with the intent to do damage. This damage isn't limited to deleting mailboxes, changing passwords or even deleting your system. Consider how much damage could be done to your company's image if a hacker changed your auto attendant greeting to something obscene, or simply to a message that said "We have gone out of business". The monetary losses to your company would be difficult to calculate.
- Toll fraud. Many systems are hacked so that the hacker can use your system for toll fraud (see related article: Mitel ARS Security). Once your system has been compromised, it is possible to set up a mailbox with the ability to out-dial from your system. Usually the intent is for the hacker to dial your toll free number and then place an international call from there. You pay the incoming toll free charges as well as the international calling fees.
How To Protect Your Voice Mail
- Change the default passwords for the administrator mailbox. There are three of them: one for "manager", one for "administrator" and one for "technician". They all belong to the same admin mailbox; a different level of authorization is applied depending on which password you use. Version 5.0 of the Mitel 3300 MCD gives you the ability to change the passwords via the web interface (see screenshot below). Prior to version 5.0 you need to change the passwords via the TUI. We won't tell you what the default password is or which mailbox it is here, because we don't want to make it too easy for hackers to gain access to your system; if you don't have all three passwords, contact your dealer and request them.
- Restrict your voice mail ports from dialing outbound. Each port of your voice mail system has a Class of Restriction (COR) that allows or restricts it from dialing out. There are features you may be using that do require the voice mail to out-dial, such as transferring to cell phones, but it is unlikely that you will ever have a requirement to allow it to dial internationally. Even if that were a requirement, you may want to allow only one international number instead of leaving your system wide open. You can do this by forwarding to a speed dial that allows the call while leaving the COR of the ports restricted.
- Enable longer passwords. The default password length is 4 digits. Consider a longer minimum: 5, 6 or even 7 digits will better secure your mailboxes, since each extra digit multiplies the number of guesses an attacker must make by ten.
- Enable voice mailbox lockout. The latest version of the software allows mailboxes to be locked out after multiple failed password attempts. This may add some administrative burden, but it could easily pay for itself with one blocked toll fraud attempt.
- Delete unused mailboxes. If mailboxes are no longer in use because individuals have left your company, delete them. An unused mailbox is an invitation to a hack attempt: nobody notices when its greeting or password changes.
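The checklist above can be turned into a routine audit. The script below is an added example, not Mitel code and not a Mitel export format: it assumes a simple per-mailbox record (number, passcode, last login date, whether the port's COR permits out-dialing) that you would populate from your own system's reports, and the sample mailboxes are constructed for illustration. It flags short, default, repeated, sequential and extension-derived passcodes, never-used and stale mailboxes, and boxes that can out-dial, and it shows why passcode length and lockout work together by computing how many lockout windows an attacker would have to sit through to try every passcode.

```python
"""Added example: audit voice mail mailboxes against the hardening checklist.

The Mailbox record layout and the sample data below are constructed for this
example; they are not a Mitel export format or a real configuration."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

MIN_PASSCODE_LEN = 6        # the article suggests 5 to 7 digits; 6 is used here
STALE_DAYS = 90             # mailboxes idle this long are treated as unused
COMMON_PASSCODES = {"0000", "1111", "1234", "4321", "123456", "000000"}


@dataclass
class Mailbox:
    number: str
    passcode: str
    last_login: Optional[date]   # None means the box has never been opened
    outdial_allowed: bool        # True if the box's port COR permits out-dialing


def _sequential(digits: str) -> bool:
    """True for ascending or descending runs such as 1234 or 6543."""
    steps = {int(b) - int(a) for a, b in zip(digits, digits[1:])}
    return steps in ({1}, {-1})


def passcode_findings(mailbox_number: str, passcode: str) -> List[str]:
    """Reasons a hacker would try this passcode early in an attack."""
    findings = []
    if len(passcode) < MIN_PASSCODE_LEN:
        findings.append(f"passcode shorter than {MIN_PASSCODE_LEN} digits")
    if passcode in COMMON_PASSCODES:
        findings.append("passcode is a common default")
    if mailbox_number.endswith(passcode):
        findings.append("passcode derived from mailbox number")
    if len(set(passcode)) == 1:
        findings.append("passcode is a single repeated digit")
    if _sequential(passcode):
        findings.append("passcode is a digit sequence")
    return findings


def audit(mailboxes: List[Mailbox], today: date) -> Dict[str, List[str]]:
    """Return {mailbox number: [findings]} for every box that needs attention."""
    report: Dict[str, List[str]] = {}
    for box in mailboxes:
        findings = passcode_findings(box.number, box.passcode)
        if box.last_login is None:
            findings.append("never used: delete it or assign it")
        elif (today - box.last_login).days > STALE_DAYS:
            findings.append(f"idle for more than {STALE_DAYS} days: delete it")
        if box.outdial_allowed:
            findings.append("out-dial permitted: confirm the business need and "
                            "that international routes are blocked by COR")
        if findings:
            report[box.number] = findings
    return report


def guesses_to_exhaust(length: int) -> int:
    """Size of the keyspace for an all-digit passcode of the given length."""
    return 10 ** length


def lockout_windows_to_exhaust(length: int, failures_before_lockout: int) -> int:
    """Number of lockouts an attacker must wait out (or have an administrator
    clear) to try every passcode when the box locks after N failed attempts."""
    return -(-guesses_to_exhaust(length) // failures_before_lockout)


# Constructed sample data for the example, not a real configuration.
SAMPLE_TODAY = date(2024, 1, 20)
SAMPLE_MAILBOXES = [
    Mailbox("2001", "1234", date(2024, 1, 10), False),   # short, common, sequential
    Mailbox("2002", "2002", date(2024, 1, 12), True),    # equals extension, can out-dial
    Mailbox("2003", "839217", None, False),              # never used
    Mailbox("2004", "482913", date(2023, 8, 1), False),  # idle since August
    Mailbox("2005", "555555", date(2024, 1, 15), False), # repeated digit
    Mailbox("2006", "917364", date(2024, 1, 14), False), # nothing to report
]

if __name__ == "__main__":
    for number, findings in audit(SAMPLE_MAILBOXES, SAMPLE_TODAY).items():
        print(number)
        for finding in findings:
            print("  -", finding)
    print("guesses to exhaust a 4-digit passcode:", guesses_to_exhaust(4))
    print("lockout windows to exhaust 6 digits at 3 tries each:",
          lockout_windows_to_exhaust(6, 3))
```

Run it against the sample and every box except 2006 is reported. The two arithmetic helpers make the lockout point concrete: with 4 digits and no lockout an attacker needs at most 10,000 guesses, which an autodialer can work through unattended, whereas 6 digits with lockout after 3 failures forces more than 333,000 separate lockout windows, each of which is visible to whoever clears it.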
[Screenshot: Version 5.0 gives you the ability to set the administration passwords from the web interface.]