Slashdot Mirror
Hack AT&T Voicemail With Android
An anonymous reader writes "It is shockingly easy to gain access to an AT&T customer's voicemail using caller ID spoofing techniques. What's worse is that AT&T knows about it. On your Android phone, download one of the two caller ID spoofing programs. Input the number of your target as the destination number and then enter the same number as the spoofed caller ID. Then connect your call. If the target has not added a voicemail password (the default is no password), you will be dropped into a random menu of their voicemail and eventually can drill up or down to get what you want. You can change greetings, erase messages, send voicemails out of the target account, and much more. How many politicians up in arms about Google Wi-Fi sniffing will want to know more about this?"
I fail to see how Android is at fault here. That is basically how voicemail is intended to work, and if you don't put a password on it, you're just as much to blame - same as with any computerized system. The fact that you're spoofing it using an Android app is irrelevant.
Funny may not give karma, but +5 Informative never made anyone snort coffee out their nose.
Passwords People, they are not just for Game shows.
Spoofing caller id should be illegal, but there are just enough loopholes to let you get away with it.
I don't believe this is ONLY restricted to AT&T.
Sig Battery depleted. Reverting to safe mode.
This has been a problem for years. VOIP makes caller id spoofing trivial and is supported as a feature just about everywhere. The problem is the fact that VOIP is bolted on to existing infrastructure. An ip call terminating into the pstn has no inherit phone number since (obviously) it's not originating in the pstn. The solution? You can pick our own caller id.
I like how you forget the first sentence by the time you move on to the second.
Allow me to repeat him:
Passwords People, they are not just for Game shows.
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
and how would things like roaming work? I'm sure there are lots of cases when you are not on your own carrier's network (even if it says it on your phone's screen).....
Ya, I did it with Asterisk a while back. Found out accidentally when I dialed my cell phone while setting my call ID to my cell's number. So I tried it with a friend's number. Hilarity ensued.
- Dan
Nonsense. MOST voicemail systems assume calls from the same number are from the owner of record. ATT IS NOT ALONE.
Sig Battery depleted. Reverting to safe mode.
I fail to see how Android is at fault here. That is basically how voicemail is intended to work, and if you don't put a password on it, you're just as much to blame - same as with any computerized system. The fact that you're spoofing it using an Android app is irrelevant.
Yep, this is such old news it's not even funny. It is a years-old vulnerability that was covered years ago in slashdot, among other places- I couldn't find any articles with a lazy google search, but I did turn up a comment talking about this very problem from 2006. Carriers have known about the issue for half a decade or more.
The only point I see TFA trying to make in a very roundabout way is that because the Android market is more open than Apple's, stuff like this "can happen", which is slightly true.
Please help metamoderate.
I did this on a Verizon Droid using a spoof app, to a Verizon number. Not on purpose- i was trying to goof on a friend by having his phone ring with his own number. Then i got the voicemail prompt, and i hung up.
My friend used a application like this to fake his caller ID using his iPhone. Though it might have required jailbreaking to install.
I was able to change the number my work landline displayed and was able to access my ATT voicemail after I removed my password. We use a NEC IPK II for our voicemail system and it literally takes a few seconds to change the outgoing number for a phone.
while it would suck and would still be illegal, there are two faults in your application of his logic.
First, in this analogy your wife, and yourself, would have never locked the doors on your house before. You don't even have a key, though the house is setup for you to use one if you wish.
Additionally, being hacked and burglarized are different. In this analogy someone would have broken in, looked at all your stuff, and might possibly lock the door to which you've never taken the key.
> If it's a landline, you mean to tell me they can't see what circuit it's coming from all the way back to your house?
No "they" can't, at least not in real-time. "They" in this case means AT&T, Verizon/MCI, Sprint, etc. -- any of the large telcos. The infrastructure is simply too big (circuit-wise, switch-wise, etc.), too old, and too "dumb" (in a literal sense) to provide this in real-time. This is not Ethernet we're talking about here.
Validation based on ANI (this is not the same as Caller ID) is possible, since an ANI isn't spoofable on classic telco networks...... except with the introduction of VoIP into the fray, ANI spoofing is achievable since many VoIP-to-TDM carriers permit/pass user (LEC)-defined ANIs. Yes, I said user-passed ANI, and I mean it.
Here's a better idea: induce password requirements on a customer's voicemail. Minimum of 4 digits, no repeating numbers ("0000" is invalid). It USED to be this way (back when I subscribed to voicemail services in 1998). So why has this changed? Fix that and done, problem solved, next issue.
Most people have no idea they can access their voicemail from other phones. Most people only know that when their cell phone says "you have a message" then they can push the special button and check it and that's it. They think, "The only time somebody can listen to my voicemail is if they steal my phone."
Why would they ever think to put on a password? As far as they know, there's absolutely no reason to. They probably don't even know you can have a password on it.
T-Mobile forces you to set a PIN, but leaves it up to you if you want it enabled when calling in on your own phone.