We all know that any internet facing application needs to have security as a core focus. Thankfully Zero Trust Architectures are becoming more common as network and sysadmins adopt better security practices in light of news around 0 day exploits, botnets and general knowledge upskilling. Unfortunately, a lot of smaller organisations still use out of date security policies. These are generally the cases we hear about when somebody has been “hacked”. Add into the equation that most social engineering attacks still hit home easily where end users aren’t trained in checking email anomalies. This can also be the case for IP PBX systems and IP phones.


It can’t be said enough that password security is incredibly important – especially with IP PBX systems. Unlike ransomware, a compromised PBX can and will make toll fraud an expensive problem. I have seen cloud PBX providers that are relaxed with password policies, have attackers simply hammer brute force and rockyou.txt at the platform. These nightmare cases are saddening, as the cost ends in the lap of the end user as their ISP contract still stands and they are liable for calls made on their lines.


Any part of an IP PBX needs to have strong password policies whether it is the PBX itself or the endpoints registered. 3CX is excellent in this regard as its password complexity by default is impactful and creates extension IDs as strings of characters rather than simple extension numbers. Combining this password and ID complexity with 3CX’s new v16 global IP blacklist makes for a very secure phone system. It’s built on multi-layer security that allows for thresholds to be set on packets, authentication and challenge attempts before blocking the attacker’s IP from the system. The global IP blacklist consolidates and crowdsources blacklist information from other 3CX phone systems via a simple checkbox opt in button from the management console. This added functionality makes 3CX a very secure out-of-the-box install, without the security challenges of many other PBX systems.


I especially like the default password policies and centralised firmware upgrades with phone provisioning,  given recent topical news articles on SSH botnets such as Chalubo. Most IP phones have a build of Linux inside them which has SSH access. This makes them a potential target to be compromised and exploited. 3CX alleviates a lot of these problems as it blocks attacks at the PBX level before it can even reach the endpoint. Even if the network were to be compromised (looking at your risky link clickers!) the phones’ set up will have up to date firmware, with good security to resist compromise. 3CX v16 offers competitive annual licencing costs as well as a brand new Pro trial licence. Take it for a test spin for demos, customer opportunities or even security tests and see how it fits into a secure infrastructure. For more details around the new changes and additions with 3CX v16, contact our VoIP team.