Hackers target switchboards sold by BT

British Telecom has sold thousands of business telephone systems which have serious security flaws that let phone hackers make hundreds of thousands of pounds' worth of free calls.

The total cost to British businesses of such hacking, which is used to make calls across the world, is now thought to run to millions of pounds annually.

One phone hacker has told the Independent that the Meridian switchboard, sold by BT since 1991 to more than 5,000 businesses throughout the UK, is riddled with security loopholes in its voicemail and call diversion facilities. "It's like a car manufacturer selling a model which has no locks and just a switch for the ignition," he said.

BT has been aware since at least January of the growing danger of switchboard hacking. According to an internal document issued to managers within BT and seen by the Independent, Geoff Gutridge, who heads an internal BT team, notes that these types of phone hacking have "already reached epidemic proportions in the USA".

He says that they "have very serious implications for our customers", but adds: "Do not discuss the various means by which fraud can be made - this will only serve to alarm the customer further."

The Meridian switchboard offers voicemail boxes, which are computerised message systems that act like electronic answering machines, and "dial-through" facilities, which let the user of an extension set the phone to transfer unanswered calls to an external number.

Both only work when a four-digit code is entered. But until last year, Meridian systems were sold with the code set to a default which could be guessed easily. Until six months ago, the models sold gave anyone who worked out the code unlimited access to outside numbers.

Phone hackers call businesses after work hours so that extensions will not be answered. They often call on freephone lines and use a combination of guesswork and determination to crack the codes of unused extensions.

They then enter the four-digit code to set the extension to redirect calls, often to friends in other countries or computer bulletin boards in the United States.

The company unwittingly ends up paying for both the hacker's incoming and outgoing calls, which can last for hours.

Phone hackers often contact each other on voicemail and spread information about companies whose systems can easily be broken into.

As a result, some switchboards are host to hackers operating in parallel to the legitimate business, leaving each other messages and dialling in and out with impunity.

BT says that earlier this year it sent out warnings by registered post explaining the risks of telephone hacking to all the owners of such systems. "We are working extremely hard to ensure that all our customers who are vulnerable have taken action against it," said BT.

The document issued by Mr Gutridge says: "It is essential that no commitment is given to any customer with respect to cost reimbursement and no admission of BT liability is made until we have established the full facts of individual cases."

One phone hacker told the Independent: "In many cases the owners of these systems have no idea that these flaws exist - otherwise they would do something about it."

Michael Persky, marketing director of the voicemail company Octel, estimates that the level of fraud through phone hacking is now "a multi-million pound problem" and adds: "The level of publicity associated with the Internet and hacking has raised the level of awareness of people that systems can be hacked, so more people are trying it."

The Meridian system is made by Northern Telecom of Canada. Peter Fintel, the UK product manager, said: "We only know of four cases of hacking in the UK." He said it was up to BT to explain to customers.