War Dialing: The Forgotten Security Threat

The absolute root of hacking tools, techniques, and software is something called War Dialing: that is, dialing a phone number and trying to exploit the service on the other end. In the early 90’s, a small community of people developed software that would automatically scan phone numbers and categorize the answering system types. These programs run unattended and dial phone numbers and look for recognized devices to attach to. When the program is finished, all the attacker has to do is look at the results and dial the appropriate numbers again, and attempt to gain access to the system or its services.

The goal of those initial dialing efforts was usually to get long distance phone calls for free. At this point of time over 15 years later, War Dialing is still an attractive exploit but for a different reason. Now, it is often used as one of the most successful ways to break into a network. Why? There are lots of sophisticated systems and services that live at the end of a phone line such as network printers, routers, gateways, firewalls, power systems, and desktop systems. In addition, at most companies there are no devices to detect, monitor, or log that a War Dialing effort is occurring and modem-based services are frequently not using any type of encryption, they often do not require any authentication other than dialing the number, and the actions are almost never logged. From a hackers’ point of view, the beautiful thing about War Dialing is that it usually completely bypasses every single security measure that has been put in place for the wired or wireless network.

Your own administrators and vendor support staff often use modems to remotely manage or monitor important services and this type of remote servicing has become increasingly prevalent in this era of outsourcing of IT services.

The bottom line is that most organizations do not perform telephony assessments as part of the security or auditing programs and they should since there are usually many important systems and services that are available at the end of a phone line.