Google Voice Fixes Security Flaw, Almost

gardel writes "Google appears to have fixed a significant security hole in its two-week-old Voice calling service though some vulnerabilities remain. Until about 7pm PDT Tuesday, an unauthorized party could use a SIP device to spoof a phone number attached to a Google Voice account to call the Google Voice number, giviing the spoofer access to greetings and voicemail, and the ability to make outbound calls, including expensive international calls. Though spoofing via SIP is no longer possible, continued existence of some vulnerability was still apparent Tuesday night. Voxilla was able to set the caller ID of a PBX extension to a mobile number attached to Google Voice account and call in, using a business VoIP trunk, to gain access."

Comment removed

[account_deleted]

Comment removed based on user account deletion

Phreakers

Hackers, meet the Phreakers, Phreakers, meet the Hackers. Have fun!!

Re:Phreakers

[sortius_nod]

Oh, we've met, we don't get along, but we've met.

Re:Typo

giviing (sic) the spoofer access to greetings and voicemail

I refer you to my signature:

And I refer you to how to properly use sic, which is to say: It should be enclosed in square brackets, not in parenthesis.

Gosh, now I can feel smugly superior, too!

Prolly shouldn't have used Trixbox

[BitZtream]

Not the google actually does, but you'll find plenty of VoIP setups that you can trick this way.

Its too simple to configure these setups to trust outside caller id info (which is trivial to fake since most of the time no one checks to make sure the info being sent is allowed from the line) and to use that info for authentication to voicemail automatically.

Its kind of like considering * a trusted host for rsh/rcp and when you turn a nice pointy/clicky gui over to a random person to admin your phone system, it ends up happening pretty often. Save money right up till you get that massive phone bill cause some guy was bouncing calls off you.

Re:"including expensive international calls"

[David+Gould]

Where expensive is an arbitrary number between the inability to use an internet chat program and proprietary price gouging?

That, or "expensive international calls" is a euphemism for "phone sex".

2600 plz

I took down google voice with my captain crunch whistle.

Re:Who cares

[ximenes]

It's the same service as Grand Central, which I've been using for 2-3 years now.

The basic idea is that you can hide all of your various phone numbers behind your Google Voice number. People call it and all of your phones (or the ones you have configured for that caller or at that time of day) will ring. Whichever one you pick up gets the call, and you will be told the person's name and given the choice to actually answer or bounce them to voicemail.

On the other side, you can use the web interface to have Google Voice call one of your phones and connect you with any phone number you give it. This is free, except for international calls. I don't use this too often, but it helps when you don't want people to find out one of your 'real' phone numbers.

The best part is that you can control incoming calls essentially with a spam filter. When people call you they have to state their name (the first time), which plays when you answer their calls. You can decide to bounce certain numbers straight to voicemail every time or give them a 'this number is not in service' message.

Google Voice added the following features that I like:

- Voicemails are transcribed, not very well but you can usually get the jist quickly without listening
- SMS is now forwarded as well, which was pretty much the major short-coming of Grand Central.

Overall, I really like it, and the service quality has been quite good. The main thing is that it is not a phone service in itself, but something you use with other phone services.

Has been true since early days

[Em+Ellel]

Voxilla was able to set the caller ID of a PBX extension to a mobile number attached to Google Voice account and call in, using a business VoIP trunk, to gain access.

This has been true since early days of Grand Central. I really hope they would fix this, but I doubt they will. Basically, everyone knows you can't trust Caller ID, , but they chose to do so anyway. I bet this was a business decision to allow easier use of the voicemail in order to compete with cellphone provider voicemail.

-Em

The problem is Caller ID can't be trusted...

[sam0737]

It's just some data that can be faked. As long as you have a trunk line like T1 to the Telco, or something similar, you are responsible to generate the Caller ID instead of the Telco.

So what's so surprising here? It just doesn't work to use it for authentication.

Re:The problem is Caller ID can't be trusted...

[realperseus]

And yet, so many agencies, such as credit card companies, require that you phone in from your "home phone" to activate new cards.

Credit card companies use ANI (automatic number identification) instead of CPN (calling party number) for their "authentication". HUGE difference there as ANI cannot be spoofed.. .

Re:The problem is Caller ID can't be trusted...

[Shadow-isoHunt]

HUGE difference there as ANI cannot be spoofed..

Yes it can, just as easily as CID.

Re:Blue box?

You're an idiot trying to fish for mod points by mentioning something vaguely relevant despite the fact you have no idea what it is, if you knew what it was and what this is you would know that it wouldn't work at all since it's completely different. Using a blue box here is equivalent to using a brick to access a locked user account on Windows XP simply because a brick can break a glass window.