Back in 2009 at an IET Conference, I warned of the potential risks of shop’s PA systems and Intercoms being vulnerable to being hacked. I also noted that a a large DIY store chain in the UK uses its phone system to access the PA system, and staff from any phone can simply dial an internal extension number to access the PA system, once it beeps, the staff member can address the entire store. The way this was setup meant that it was open to hacking, and when warned, did nothing about it. Well, it’s just happened in the US, see US superstore – Target PA System Hacked
The worst case I have seen so far of PA system hacking is a chain of DIY stores in the UK that had an external DDI (like 0207 for example) linked to the extension used to control the PA system from within the stores. If you knew the DDI, you simply call it and within 2 seconds it puts you live!! (no PIN or security or anything!). The store in question mentioned to me that in the past they have had “interference” from local taxis, when they have heard someone saying “hello is that…?? can I have a taxi to the station please….” over the intercom and could not work out where it was coming from as all of the staff denied it.
Obliviously this is someone probably dialling the DDI and getting the wrong number (as it was very close to a local taxi number), wondering what it is and hanging up, quite likely without knowing what just happened and that their voice was broadcast over the entire store!
The most common cases are from hackers who come into the store, ask one of the staff for something obscure who then ring the PA system from an internal phone (lets say this is extension number 8080) and make a note of that number, then at their leisure, ring the store and asked to be transferred to extension 8080, the unaware phone operator transferring through, live onto the PA system.
What is the cause of PA Hacking?
There is no single cause as such, PA systems for years have been vulnerable to some point, but more recently with instructions now available on the internet for many models, it is creating a greater risk. I used to fit PA systems and connect them to a phone system, so I knew the vulnerability s back then, and that was before people decided to connect them to the internet so today many public address systems may be left with vulnerabilities by design, by creators who never imagined people might have malicious intent!
How I could hack your store
If I wanted to hack your PA system, think about some research (that I did, that took me 30 mins) and think about what you could change to stop me from getting what I need, for example:
1. I found original plans for the store for the planning permission and therefore could determine the size of the store and other details about it.
2. I found a tender alert (using google) from a few years before asking companies to quote for the “installation and commissioning of a PA system” for that store, quoting the size, requirements and what they need such a PA system to do, great, that gives me a good idea the range of systems and how the PA system needed to be connected
3. I used google to find the exact keywords from the tender (store name, size of system etc) to locate companies in the area. I found a case study on the website, saying they had won the contact and bragged about the system supplied, its features and what it did for the store etc etc.
4. I called the company in question, and said I was considering a similar system to the one in the case study, and wondered if it would be connected to the phone system or internet. The overly enthusiastic salesman (who seemed to have verbal diarrhoea!) talked about how the one in the case study is connected and how good it is etc, giving me all the information I needed
5. I searched the manufacturers website and downloaded the PA systems instructions to familiarise myself with them before scanning the local area telephone network for DDI’s or IP scans of your network if accessible externally.
6. And/or I would just call, pretend I’m your system maintainer and ask the right questions or better still ask to be transferred..!
7. If I got access, I could broadcast a message into your stores, shopping centre etc telling people of an emergency evacuation due to a “radiation leak” or whatever, losing business and damaging your brand.
So…are you the owner of a PA system in any of your estate? Are you confident that it is fully protected and a hacker won’t be able to get access to it, and broadcast any message they like to your customers? Check that only systems that really need connecting to the internet really are, and that you don’t have back doors to anything unless it is absolutely required, and even then, do you have adequate security protecting this. Engage a professional company that can perform a network scan and telephone number scan of your stores. You should treat the results with a risk rating, checking them on a regular basis
By the way, I have seen a list on the internet of every UK ans US chain store and their PA systems “extension numbers” where they use one!
Solutions – How you can protect yourself
If your in-store system can be affected, here are some solutions:
1. Have your PBX (phone system) maintainer change the group settings, so the PA output cannot be accessed from a transferred call. This will mean that only staff within the store or company can access the PA system, with most systems its an easy change in the software and takes seconds (restricting calls from external CO’s )
2. Train staff not to transfer external calls, perhaps they can ask callers to dial DDI numbers directly?
3. Ensure that any external DDI (DID) numbers into the extension or line that the intercom users are disabled as this will simply give a back door to hackers. This is the same for alarm systems, modems and any other devices (hackers are now trying your DDI’s on a regular calling list to access alarm system modems, credit card merchant terminals and lift emergency alarms to get into your business via these routes instead)
4. Many phone systems have modem access for external maintainers to get in and do updates and make changes etc. Explore the vulnerabilities here that you could be the victim of. A friend of mine who runs a large business explained that he had no external number to the modem connected to his phone system for his system maintainers to access, insisting that it was only accessible by calling it within the store itself. That was true, but it never stopped me from calling up with a modem paired on the line, and asking to be transferred to the modem extension!, I was into his system, worse still, they had left the username and password on the phone system to the default setting, giving me free rain to do what I like. It s as good job he challenged me to get in and gave me permission, as the next time he might not have that privilege!
5. If its connected to an IP network, ensure you have a firewall in front of it, securing it in some sort of way, preventing people from using the PA without your permission.
6. Conduct regular audits on both the physical telephony/PA systems and cyber security