Mitel exploit - heads up

Thought I'd post this up as it may be a useful reminder.

We've recently discovered that someone has dialed into our Mitel system via the voicemail line and then dialed out to premium rate numbers.

We believe they created a personal number from within a user's mailbox. Once they'd created it they'd hang up, redial (e.g. "press 9 to dial my mobile no.") and call the prem rate number.

We've had to block all users from dialing prem rate numbers whilst we investigate. Thankfully I'm not in charge of phones as this has cost us quite a bit!

Strong passwords, people.

:o
 
Had exactly this happen at the company I work for a few years back which resulted in quite a hefty phone bill :eek:
I'm quite surprised they haven't plugged this particular exploit/vulnerability, whatever you want to call it, by now.

Yeah it's a bit of a worry.

I feel for any small firms that get stung - a lot of money to lose.
 
What controller would this be on? And software version? We run a 3300 Mitel controller with, I believe, the latest software.

It's a 3300 but I'm not sure on the software version, sorry.

It's not a software thing, it's people setting bad voicemail PINs and then having them guessed, then you go in, set a forward to premium rate number and then call it repeatedly. If it cost you less than £10k you should count yourself lucky. It really isn't an exploit, just poor config and security...

I know what you're saying and I guess it is having poor passwords but imo I'm not sure Mitel should have designed the system assuming a user wouldn't have a password of 1111 etc?

We all know users give little thought to security.

I assume you have some knowledge on this - is the password the only thing that could have saved the attack or should it have been configured in a way to prevent it?
 