Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Voice Fixes Security Flaw, Almost

Posted by samzenpus on from the almost-got-it-that-time dept.

gardel writes "Google appears to have fixed a significant security hole in its two-week-old Voice calling service though some vulnerabilities remain. Until about 7pm PDT Tuesday, an unauthorized party could use a SIP device to spoof a phone number attached to a Google Voice account to call the Google Voice number, giviing the spoofer access to greetings and voicemail, and the ability to make outbound calls, including expensive international calls. Though spoofing via SIP is no longer possible, continued existence of some vulnerability was still apparent Tuesday night. Voxilla was able to set the caller ID of a PBX extension to a mobile number attached to Google Voice account and call in, using a business VoIP trunk, to gain access."

4 of 55 comments (clear)

  1. Comment removed by account_deleted · · Score: 2, Interesting

    Comment removed based on user account deletion

  2. The problem is Caller ID can't be trusted... by sam0737 · · Score: 4, Interesting

    It's just some data that can be faked. As long as you have a trunk line like T1 to the Telco, or something similar, you are responsible to generate the Caller ID instead of the Telco.

    So what's so surprising here? It just doesn't work to use it for authentication.

    1. Re:The problem is Caller ID can't be trusted... by Anonymous Coward · · Score: 1, Interesting

      And yet, so many agencies, such as credit card companies, require that you phone in from your "home phone" to activate new cards.

      Just because you seem to have figured out that it "doesn't work to use it for authentication", does not mean that it is commonly accepted of how unreliable it truly is and continues to be. Public attention (at least by "security professionals") needs to have more and updated education on best practices. Maybe you might consider being a trainer?

  3. Re:Prolly shouldn't have used Trixbox by Anonymous Coward · · Score: 1, Interesting

    Well, it is not only a "VoIP" problem. You still can access Metro PCS cellphones voicemail boxes that way. I used to check all my girlfriends' voicemails and be able to delete the ones I wanted, simply by setting the caller ID on my Asterisk as theirs.
    Now, Metro PCS tells the users to create a password to secure their mailboxes. But, still, if your dtmf is working right, you can enter their passwords and keep looking into their voicemail boxes. Usually girls' passwords are really easy to guess: their body measures, birth dates, BF's birth date, so that is no big deal.

    And used to work with all other carriers as well, besides old Nextels, as Nextel accounts used to get another number to call for their voicemail boxes. I don't know if Sprint changed it though.