T 5.15 Abuse of features of PBX systems
Classic telecommunication systems generally have a number of features to provide users with the maximum possible convenience when communicating and to allow the system to be adapted to its working environment to the greatest extent possible. However, some features may be misused for targeted attacks, particularly regarding confidentiality or availability.
Examples:
- In combination with a hands-free function on telephones, the functions "voice calling" and "automatic call acceptance" may be misused to wiretap rooms.
- If the call forwarding function is misused accidentally or deliberately, the telephone connection of a user may no longer be available.
- Dial-in functions grant mobile employees access from the outside, but these functions may also be misused for attacks, for example for call charge fraud.
- The "telephone hook-up" function could be misused in order to unobtrusively establish a connection in the background.
- Functions such as "silent monitoring" or "eavesdropping", which are export features of PBX systems that are prohibited in Germany, could be misused to listen in on telephone calls unobtrusively.
Some of the features of PBX systems could be misused by employees, since no in-depth knowledge is required. Employees could, for example, try to
- redirect calls intended for colleagues to their own telephone without permission,
- accept calls intended for others without permission,
- listen in on conversations and meetings using the "hands-free calling / speaker" function,
- read the call buffers and last-number redial buffers of other users without permission, and
- listen in on telephone calls without permission by breaking in on connections of third parties.
There is therefore a risk of employees obtaining, without permission, information that is not intended for them or is even confidential.