In-Depth

Best Practices: Minimizing the Risk of Forgotten Modems

Nearly one-fourth of all organizations have unauthorized modems connected to their network, providing easy network access for computer attackers that firewalls won't stop.

• By Mathew Schwartz
• 10/08/2003

Of course dial-up modems are built-in to most personal computers, and connected to a number of other devices and servers. Unfortunately, according to Internet security testing firm NTA Monitor, they’re also a security risk. One-quarter of all organizations have unauthorized modems connected to their network. They provide an easy way for computer attackers to try and gain network access; firewalls won’t stop attacks.

The concept is called war dialing (its Wi-Fi-seeking equivalent is known as war driving), and it stems from the days when modems were the only method of connecting to the Internet (or, before that, just to other networks) or computers. NTA estimates that less than one percent of all phone numbers in an organization still connect to a modem.

That spells security risk. "Imagine … a company with 5,000 extensions over 20 sites; how can they ever be sure that no rogue modems are attached to any of those lines without testing them?" asks Roy Hills, NTA Monitor’s technical director. “This should cause major concern, as it only takes one insecure modem to permit a hacker to gain access to an organization’s systems.”

Yet when NTA conducted a recent survey of IT and security managers, it found 22 percent didn’t even know about the issue. One-third reported finding unauthorized modems in the past, yet over two-thirds have no controls in place to detect modem-scanning attempts on their systems.

Though few remember the days of war dialing, “in reality it is a technique that hackers are revisiting as a reaction to increased security in corporate networks,” says Hills. As the old security axiom goes, the easiest way to break in is usually the best. “They are looking to bypass firewall restrictions and logging or use protocols such as IPX to access systems not directly accessible over IP.”

How easy is it to attack a modem? When NTA tested one government network (pretending to be an outside attacker), it found a modem controlling access to the uninterrupted power supply connected to an authentication server. A simple “handshake” session—dialing the modem from another, random modem—divulged the government modem’s banner (“welcome, please enter your password,” etc.). Based on the banner text, a quick Internet search revealed which kind of modem it was, as well as the default username and password settings for that brand of modem. They remained unchanged, and NTA gained a higher level of access than the client might have otherwise anticipated. It ascertained internal network IP information, contact information for support staff, and the log file.

Organizations, however, can protect themselves. An old, but still applicable, security rule of thumb is to rewrite modem banners and of course alter any modem default log-on settings.

Hills recommends companies use a PBX firewall, PBX log, or similar controls to monitor for any attempted war dialing. In addition, companies should educate employees about the risks of network-attached computers with modems, and factor modem security into a company’s security policy—then tie that policy to security employees’ performance reviews.

For more information about the NTA survey, including a complete list of tips for preventing war dialing, see http://www.nta-monitor.com/war-dialling.