PBX Vulnerability Analysis: Finding Holes in Your PBX Before Someone Else Does

The Private Branch Exchange (PBX) is an essential element that supports the critical infrastructure of both government agencies and U.S. industry. A PBX is a sophisticated computer-based switch that can be thought of as essentially a small, in-house phone company for the organization that operates it. Protection of the PBX is thus a high priority. Failure to secure a PBX can result in exposing the organization to toll fraud, theft of proprietary or confidential information, and loss of revenue or legal entanglements. This report presents a generic methodology for conducting an analysis of a Private Branch Exchange (PBX) in order to identify security vulnerabilities. The report focuses on digital-based PBXs and addresses: System Architecture, Hardware, Maintenance, Administrative Database/Software, and User Features. This report is not intended to provide a step-by-step process, but rather a guideline for what specific areas should be studied for the existence of possible vulnerabilities.

Report Number: NIST Special Publication 800-24
Public Domain