“Calls may be monitored for quality assurance…” but also for other reasons, such as legal documentation or emergency services and 911 calls. Call recordings can exist for a number of legitimate purposes, using a variety of means and equipment. Not many systems use actual tape anymore; recordings are usually stored on digital media. This can range from USB memory, to local PC hard drives, to more elaborate servers and cloud services. The larger systems will be managed by software that can have multiple levels of access.
One system I am familiar with can be set up to record calls and save them as if they were voicemail messages in the user’s mailbox. These recordings are then automatically emailed to the user. Whoever has admin access to the phone system will be able to adjust the destination email addresses, adding multiple different addresses for copies of the recordings to be sent to.
Another cloud-based VOIP system I have worked on will save recordings of all phone calls onto Amazon’s storage servers (which would need an account set up by your IT department). It is good that the VOIP provider does not save your recordings on their own servers where their staff could have access to them, but still, your IT department would have full access to and know how to copy the recordings. As with so much cyber information, whoever can get the access credentials has access to the information.
Eavesdropping on such conversations does not require sneaking around after dark to tap into a dirty phone box in a basement or on the side of a building. Instead it requires knowledge of the storage mechanisms used and, perhaps, a bit of hacking to obtain the software permissions needed to get to the recordings.
In Brian Krebs’ recent blog he discusses such vulnerabilities and mentions a company that works to expose them.
…it’s probably a good idea to ensure the product isn’t so full of security holes that it allows trivial access by unauthorized users. Unfortunately, even companies working in this sensitive space fall victim to the classic blunder that eventually turns most software into Swiss Cheese: Trying to bolt on security only after the product has shipped.
Few companies excel at showcasing such failures as SEC Consult Vulnerability Lab, a software testing firm based in Vienna, Austria. In a post last year called Security Vendors: Do No Harm, Heal Thyself, I wrote about Symantec quietly fixing serious vulnerabilities that SEC Consult found in its Symantec Web Gateway, a popular line of security appliances designed to help “protect organizations against multiple types of Web-borne malware.” Prior to that, this blog showcased the company’s research on backdoors it discovered in security hardware and software sold by Barracuda Networks.
Today’s post looks at backdoors and other serious vulnerabilities SEC Consult found in products made by NICE Systems, an Israeli software firm that sells a variety of call recording solutions for law enforcement, public safety organizations and small businesses. According to SEC Consult, NICE’s Recording eXpress — a call recording suite designed for small and medium-sized public safety organizations (PDF) — contains an undocumented backdoor account that provides administrator-level access to the product.
“Attackers are able to completely compromise the voice recording / surveillance solution as they can gain access to the system and database level and listen to recorded calls without prior authentication,” wrote Johannes Griel and Stefan Viehböck of SEC Consult. “Furthermore, attackers would be able to use the voice recording server as a jumphost for further attacks of the internal voice VLAN, depending on the network setup.”
According to the security firm’s advisory, these and a slew of other security holes likely also exist in Cybertec eXpress and Cybertech Myracle, older NICE products aimed at corporations seeking call recording software for customer service, training and verification.
NICE did not immediately respond to requests for comment. SEC Consult says the company has fixed the backdoor and a few other issues via a recent security update, but that serious other flaws remain unaddressed…
A key step in protecting all phone conversations is to understand what systems are in use in your facility and who has access to them. All PBX systems today, including VOIP systems, can have some type of call monitoring feature available. Whether such a feature is activated, and who can access it, is something you need to determine in order to know your systems are secure.