S 4.369 Secure operation of an answering machine

Initiation responsibility: IT Security Officer, PBX System Manager, Head of IT

Implementation responsibility: User

In addition to the telephone, answering machines may be connected to the internal telephone network and may record incoming calls or voice messages if the person called is not available. Another option is to only play a message regarding the absence of the person called, but not to permit the caller to leave a message. Answering machines may be connected to the internal telephone network either as external device (stand-alone) in addition to the telephone or are already contained in the telephone (integrated answering machine) or in the PBX system. If VoIP is used, the voice messages can be sent to the recipient via email (voice mail) for many VoIP systems.

From a technical point of view, answering machines can be divided into two classes: analogue or digital storage options. On analogue devices, the messages are recorded to audio cassettes (often mini and/or micro cassettes). However, such devices are no longer manufactured. On digital answering machines, frequently directly integrated into the telephone or in the telephone system, the messages are recorded on a storage module in the device or on a bulk memory, e.g. a hard disk. For some older digital answering machines with storage modules, the stored information (recorded messages and messages) may be lost during power failures. Therefore, the existing (buffer) batteries of these devices should be replaced regularly.

In general, no information requiring protection should be left on the answering machine. Regarding the recorded message, it should be ensured that the callers are not provided with any information relevant for social engineering (see T 5.42 Social engineering). This includes the current location or the (longer-term) duration of the absence of the person called. The recorded message should point out that no confidential information should be left on the answering machine.

Telephones with built-in answering machines often have additional features such as remote retrieval of messages, call forwarding, room monitoring, or remote effect on connected electrical devices, along with the functions for recording messages and retrieving the messages left. These functions can be controlled remotely for some telephones during a call accepted by the answering machine. Since the remote retrieval and control options constitute a significant threat potential, it should be possible to disable these options and to protect them by a security code (code, PIN) if they are used. This code should be at least three to four digits long and freely selectable. All codes set ex factory should be changed before commissioning. The security code must be stored like a password (see also S 2.22 Escrow of passwords) and must be changed regularly.

It should be ensured that there no third parties nearby who may see or hear the code when the codes are entered. A lock-out circuit making the answering machine interrupt the connection after three unsuccessful attempts provides additional protection against the interception of messages by unauthorised persons or the misuse of other features. Devices that completely block the remote retrieval functions after three unsuccessful attempts and only allow these functions to be enabled from the device itself are even better. Blocking periods that get longer with every unsuccessful attempt also make sense. Along with the remote retrieval initiated by the user, some devices are capable of informing the user about newly received messages via a call to a previously specified telephone number or via SMS to a mobile phone.

Regardless of how the received messages are retrieved, the recorded calls should be retrieved regularly. Recordings which are no longer required should be deleted at regular intervals so that the storage medium (digital memory or audio cassette) of the answering machine is not exhausted, making the recording of calls impossible or meaning old messages are overwritten. For this reason, the maximum call duration should be limited per call, since an attacker may fill the limited memory of the answering machine with pointless information, preventing any further messages. If analogue devices do not provide for the deletion of messages, the magnetic tape should be rewound to the start so that newly recorded calls overwrite old stored messages.

Every user using an answering machine in his/her area should familiarise him/herself with the operation and thus with the possibilities and limits of the devices. For this, corresponding operating instructions or user manuals should be provided.

Review questions:

• Is remote retrieval of the answering machines admissible and protected by a PIN in this case?
• Does the recorded message of the answering machine make the caller aware of the fact that no confidential information should be left on the answering machine?
• Are the newly recorded messages on the answering machine retrieved regularly and are messages that are no longer required deleted?
• Was a limit set for the duration of the messages on the answering machine?