Journey to the Center of the PSTN
This talk explores the architecture of the Public Switched Telephone Network (PSTN) and demonstrates how attackers can exploit its regulatory and technical vulnerabilities to commit toll fraud and spam. The speaker details the process of becoming a competitive local exchange carrier (CLEC) to gain access to numbering resources and interconnection points. The presentation highlights how attackers leverage access stimulation and TDM-to-IP conversion to bypass modern security measures like STIR/SHAKEN. The talk provides actionable insights for network administrators on monitoring SIP logs and securing PBX systems against brute-force and toll fraud.
Why Your PBX Is a Goldmine for Toll Fraud
TLDR: Modern telephony networks are riddled with legacy architectural flaws that allow attackers to bypass STIR/SHAKEN protections and commit massive toll fraud. By becoming a Competitive Local Exchange Carrier (CLEC), researchers can gain direct access to numbering resources and exploit TDM-to-IP conversion gaps. Defenders must prioritize monitoring SIP logs for anomalous international traffic and enforce strict caller ID validation to mitigate these risks.
Telephony security is often treated as a solved problem, relegated to the dusty corners of network administration. Most security teams assume that if they have implemented basic SIP authentication or a firewall, their PBX is secure. This is a dangerous misconception. The Public Switched Telephone Network (PSTN) is not a single, unified digital entity. It is a fragile, fragmented patchwork of legacy TDM (Time Division Multiplexing) infrastructure and modern IP-based signaling. This architectural mismatch creates a massive attack surface for anyone willing to navigate the regulatory landscape.
The Mechanics of Regulatory Arbitrage
The core of the issue lies in how phone numbers are assigned and routed. When a company registers as a CLEC, they gain the ability to own numbering resources and manage their own routing. This is not just a bureaucratic exercise; it is a technical pivot point. By controlling the routing, an attacker can force traffic through specific, insecure pathways.
The most effective technique involves "access stimulation." Because the calling party pays for the call, and many enterprise plans include unlimited minutes, attackers can generate massive volumes of inbound traffic to their own numbers. If those numbers are hosted on a carrier that pays out a portion of the termination fees, the attacker effectively turns the phone network into a revenue-generating machine. This is not a theoretical exploit. It is a well-documented abuse of the FCC's regulatory framework that has persisted for years.
Bypassing STIR/SHAKEN with the TDM Shuffle
STIR/SHAKEN was designed to stop caller ID spoofing by adding a cryptographic signature to SIP headers. However, this security measure is only as strong as the weakest link in the call chain. When a call transitions from an IP network to a legacy TDM network, the SIP headers—and the associated security tokens—are stripped away.
This is where the "TDM Shuffle" comes into play. An attacker can route a spoofed call through an IP-based provider that supports STIR/SHAKEN, then hand it off to a legacy TDM carrier. Once the call enters the TDM network, the cryptographic proof of identity vanishes. When the call eventually re-enters an IP network at the destination, the receiving gateway sees a call without a valid signature. If the gateway is misconfigured, it may simply apply a default "C-level" attestation, which essentially says, "I don't know who this is, but I'll let it through anyway."
For a pentester, this means that your target's PBX is likely vulnerable if it accepts calls from legacy TDM trunks without strict validation. You can test this by attempting to originate calls with spoofed Caller IDs through various providers. If you can reach a destination without the call being flagged or blocked, you have successfully bypassed the primary defense against spoofing.
Practical Exploitation and Defense
During a red team engagement, the goal is to identify where the PBX handles incoming traffic. If you find an exposed SIP interface, you are already halfway there. Attackers frequently use tools like SIPp or Asterisk to brute-force extensions or test for open relays.
The impact of a successful compromise is immediate and expensive. Toll fraud can rack up thousands of dollars in charges in a matter of hours. To defend against this, your blue team needs to move beyond simple perimeter security.
First, implement strict rate limiting on all inbound SIP traffic. If your PBX is receiving 50 calls a second from a single source, that is not a customer; it is an attack. Second, monitor your SIP logs for "impossible travel" patterns. If an extension is registered in New York and suddenly starts making calls to a high-cost destination on a different continent, trigger an immediate lockout. Finally, ensure that your gateway is configured to reject any call that lacks a valid STIR/SHAKEN signature, or at the very least, tag those calls as "unverified" so your users know to treat them with extreme suspicion.
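The three checks above (per-source rate, impossible travel against a high-cost destination, and the attestation verdict from the TDM-gateway discussion earlier) can be run as one detection pass over call records. The following is an added example written for this summary, not code from the talk or its speaker. It assumes a constructed key=value record format (timestamp, source IP, country of the registering IP, extension, destination, destination country, STIR/SHAKEN attestation level) and a placeholder list of high-cost country codes; a real PBX or SBC log will need its own parser, and the threshold and country list should be tuned to your own traffic.

```python
"""Detection pass over constructed SIP call records (added example, not from the talk).

Record format is an assumption for this example:
  ts=<epoch seconds> src=<ip> src_cc=<country of registering IP> ext=<extension>
  dst=<E.164 number> dst_cc=<destination country> attest=<A|B|C or empty>
"""
from collections import defaultdict

# Threshold from the recommendation above: 50 calls/s from one source is an attack
RATE_THRESHOLD_PER_SEC = 50
# Placeholder set of high-cost destination country codes (constructed, not authoritative)
HIGH_COST_COUNTRIES = {"CU", "SO", "LV", "ZW"}


def parse_log(text):
    """Parse the constructed key=value call records, one record per line."""
    records = []
    for line in text.strip().splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split())
        records.append({
            "ts": float(fields["ts"]),
            "src": fields["src"],
            "src_cc": fields["src_cc"],
            "ext": fields["ext"],
            "dst": fields["dst"],
            "dst_cc": fields["dst_cc"],
            # An empty value means the Identity header was absent (e.g. stripped by TDM)
            "attest": fields.get("attest", ""),
        })
    return records


def flag_rate(records, threshold=RATE_THRESHOLD_PER_SEC):
    """Map source IP -> peak calls in any one-second bucket, for sources over threshold."""
    buckets = defaultdict(int)
    for r in records:
        buckets[(r["src"], int(r["ts"]))] += 1
    peaks = defaultdict(int)
    for (src, _second), n in buckets.items():
        peaks[src] = max(peaks[src], n)
    return {src: n for src, n in peaks.items() if n > threshold}


def flag_impossible_travel(records, baseline):
    """baseline maps extension -> country its registrations normally come from.

    Flag an extension when it places a call to a high-cost destination from a
    source country that differs from its baseline. Returns (ext, src_cc, dst_cc).
    """
    hits = []
    for r in records:
        home = baseline.get(r["ext"])
        if home and r["src_cc"] != home and r["dst_cc"] in HIGH_COST_COUNTRIES:
            hits.append((r["ext"], r["src_cc"], r["dst_cc"]))
    return hits


def attestation_verdict(record):
    """A or B attestation carries a usable identity claim; a default C (gateway)
    attestation or a missing Identity header is tagged "unverified"."""
    return "verified" if record["attest"] in ("A", "B") else "unverified"


def run_detections(text, baseline):
    """Run all three checks and return a summary for alerting or lockout logic."""
    records = parse_log(text)
    return {
        "rate_abuse": flag_rate(records),
        "impossible_travel": flag_impossible_travel(records, baseline),
        "unverified": sum(1 for r in records if attestation_verdict(r) == "unverified"),
        "total": len(records),
    }


# Constructed sample log: documentation-range IPs and 555 numbers, not real traffic.
SAMPLE_LOG = "\n".join(
    # 60 INVITEs from one source inside a single second: flood / brute-force pattern
    [f"ts=1700000000.{i:03d} src=203.0.113.7 src_cc=US ext=1001 dst=+15555550100 dst_cc=US attest=A"
     for i in range(60)]
    + [
        # Normal call with full attestation
        "ts=1700000001.500 src=198.51.100.4 src_cc=US ext=1042 dst=+15555550101 dst_cc=US attest=A",
        # Same extension minutes later, registering from RO and calling a high-cost destination
        "ts=1700000300.000 src=198.51.100.9 src_cc=RO ext=1042 dst=+5355550102 dst_cc=CU attest=",
        # Inbound via a TDM gateway that stamped a default C-level attestation
        "ts=1700000301.000 src=198.51.100.20 src_cc=US ext=1005 dst=+15555550103 dst_cc=US attest=C",
    ]
)
BASELINE = {"1001": "US", "1042": "US", "1005": "US"}

if __name__ == "__main__":
    print(run_detections(SAMPLE_LOG, BASELINE))
```

Run over the sample, the pass reports the flooding source with its peak of 60 calls in one second, extension 1042 as an impossible-travel hit (US baseline, RO registration, CU destination), and two records that should be tagged unverified: the one whose Identity header was stripped and the one that arrived with only a C-level attestation.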
The PSTN is a relic of a more trusting era, and its transition to IP has been messy and incomplete. As long as there are gaps between legacy TDM and modern signaling, there will be opportunities for those who understand the underlying plumbing. Stop assuming your voice infrastructure is secure by default and start auditing it with the same rigor you apply to your web applications. The next time you see a massive spike in your telephony bill, don't just blame the provider; look at your routing tables and ask who is really in control of your traffic.