Hijacking Online Accounts Via Hacked Voicemail Systems

[The AchieVer]

Proof-of-concept hack of a voicemail systems shows how it can lead to account takeovers multiple online services.

 

LEIPZIG, GERMANY – Voicemail systems are vulnerable to compromise via brute-force attacks against the four-digit personal identification numbers (PINs) that protect them. Researchers say a malicious user can thus access the voicemail system to then take over online accounts for services like WhatsApp, PayPal, LinkedIn and Netflix.

 

Martin Vigo, a mobile security expert who presented his research here on Thursday at 35C3, warns that PINs that protect voicemail systems are far easier to crack than traditional passwords are a weak link that can lead to hacked-account results.

 

“Automated phone calls are a common solution for password resets, account verification and other services,” Vigo said. “These can be compromised by leveraging old weaknesses and current technology to exploit this weakest link – voicemail systems.”

 

Inspired by early pioneers of phone phreaking, Vigo applied some of the same techniques to modern day voicemail hacking. Once compromised, the researcher said, a motivated attacker can simply listen to automated password reset messages sent by online services. Compromised voicemail systems can also be set up to play dual-tone multi frequency (DTMF) tones if password-reset systems require users to input a PIN.

 

To help assist Vigo in the voicemail account compromise, Vigo wrote an automated script that can brute-force crack most four-digit PINs used by voicemail systems without the phone’s owner ever knowing. He released code (minus the brute-force PIN cracking feature) to GitHub called Voicemailcracker.py, to help further research in this area.

 

In the demo on stage at the conference, Vigo showed how the system can work with the brute-force feature turned on and demonstrated how he was able to gain access to WhatsApp, PayPal and LinkedIn. Each of the services have since updated their PIN verification system to prevent similar attacks, he said.

 

“Voicemailcracker uses Twilio, a VOIP service that allows you to programmatically manage phone calls. Voicemailcracker then launches hundreds of phone calls at the same time to interact with voicemail systems and bruteforce the PIN – all without the target’s knowledge of the attack,” he said.

 

The researcher discussed other means of launching attacks without the user’s knowledge such as carrying out the assault when the user is on a plane or using backdoor access to a users voicemail system that doesn’t require calling the target directly.

 

The researcher said he has contacted vulnerable online services and telecom providers and made them aware of the weakness.

 

He advises consumers not to use easy-to-guess PIN numbers, such as birth year or simple number patterns. For online services, he recommends them not use automated calls for security purposes. And he recommends carriers not allow users to use DTMF tones for greetings and to ban users from using easy-to-guess PINs.

 

source

[straycat19]

I never activate voicemail on any of my phone lines.  I get along fine without it.  You need to talk to me then send me an email and if I want to talk to you I will call you whenever I remove my phone from its faraday case.  Voicemail was always a waste of time and a lot of people just let it become full, never cleaning it out.   When it became possible to leave voicemails without alerting the user that they were receiving a call, a function known as 'silent voicemail' and 'direct to voicemail', then the voicemail systems became very user unfriendly.  Anyone could leave a silent voicemail without the user's phone ringing and there were even companies that developed systems to assist in this , such as Slydial.  The FCC, in 2008, even warned users (https://www.fcc.gov/consumers/guides/voicemail-system-hacking  updated in 2016) about the use of their voicemail for hackers to gain free international calls using the same techniques that are described in the article above.  It isn't anything new.