BELTON — For Bell County, the third time is most definitely not the charm. On Friday, an unknown number of hackers penetrated the county phone system for a third time in the past month.
Jim Chandler, director of Bell County’s technology services department, told the Commissioners Court on Monday that the attack exploited a previously unknown vulnerability to send a 12-second outgoing message and that AT&T personnel are still examining the breach.
“I don’t have enough data to know how it happened,” Chandler told the commissioners.
The latest attack comes nearly a month after an unknown number of hackers attacked the Bell County phone system from Nov. 30 to Dec. 2 and placed a series of international calls that rang up over $27,000 in fraudulent charges.
The Nov. 30 attack targeted a weak password on an extension in the Road and Bridge Department. Cracking the four-digit password gave the hackers access to the phone’s automated menu system and allowed them to route calls to the Caribbean island nation of Grenada through Bell County’s switchboard.
Hackers strike again
On Dec. 13, a second intrusion into the county phone system was made.
While it remains unclear if the attacks were related, the Nov. 30 and Dec. 13 attacks employed similar methodology. Chandler said the second attack also involved someone defeating the voicemail password on an extension.
The county also contacted Hewlett Packard — which acquired the manufacturer of the county’s phone system, 3Com, in 2010 — to discuss its phone system’s vulnerabilities and to determine if all best practices were being followed.
“The HP technical support team was unaware the ‘forward voice message’ vulnerability was even possible with our system,” Chandler said.
Unfortunately, the lack of knowledge about the capabilities of phone systems isn’t uncommon.
Chandler told the commissioners how, earlier this year, it took Hewlett Packard six weeks to find one person in the country familiar with Bell County’s phone system so routine maintenance could be performed.
Looking at the options
Chandler said the county needs to upgrade to a new phone system; however, commissioners are concerned about the price.
“Instead of buying a new phone system, what happens if we just disable all the features?” Precinct 3 Commissioner Bill Schuman asked.
Chandler said that would be a stop-gap solution at best.
“HP has said that they are ending support for 3Com products,” Chandler said. “When that happens, we are on our own.”
A new phone system could cost $1 million, Chandler said.
However, Bell County recently received a proposal from the state and local government division of Cisco Systems that put the replacement of a new phone system “in the $500,000 to $600,000 range.”
Precinct 2 Commissioner Richard Cortese asked what will prevent hackers from breaching a new system.
A new system will have “programmable constraints,” Chandler said. “We’ll be able to restrict the type of calls, the destination of calls and the length of calls.”
Cortese responded that he doesn’t “need so many features on my phone. Can we get a phone without a bunch of features no one uses?”
Chandler gently chided the commissioners by reminding them “that’s not how technology works.”
“You want a cell phone that just makes calls, you want a flip phone,” Chandler said. “But you get a smart phone because no one makes flip phones anymore.”
The commissioners will discuss the purchase of a new phone system during a meeting on the week of Jan. 13.