Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hack AT&T Voicemail With Android

Posted by kdawson on from the who-needs-social dept.

An anonymous reader writes "It is shockingly easy to gain access to an AT&T customer's voicemail using caller ID spoofing techniques. What's worse is that AT&T knows about it. On your Android phone, download one of the two caller ID spoofing programs. Input the number of your target as the destination number and then enter the same number as the spoofed caller ID. Then connect your call. If the target has not added a voicemail password (the default is no password), you will be dropped into a random menu of their voicemail and eventually can drill up or down to get what you want. You can change greetings, erase messages, send voicemails out of the target account, and much more. How many politicians up in arms about Google Wi-Fi sniffing will want to know more about this?"

9 of 242 comments (clear)

  1. Placing blame by SilverHatHacker · · Score: 5, Informative

    I fail to see how Android is at fault here. That is basically how voicemail is intended to work, and if you don't put a password on it, you're just as much to blame - same as with any computerized system. The fact that you're spoofing it using an Android app is irrelevant.

    --
    Funny may not give karma, but +5 Informative never made anyone snort coffee out their nose.
    1. Re:Placing blame by JaZz0r · · Score: 5, Informative

      Caller ID spoofing is nothing new. It can be done from a number of different services. You can even call these services from an iPhone! New headline: iPhone Can Hack Unsecured Voicemail

      --
      "Careful! We don't want to learn from this!" -Calvin & Hobbes
    2. Re:Placing blame by eyeota · · Score: 5, Informative

      ATT's implementation is indeed to blame. CallerID is the calling presentation of a call, not the source/origination. Using CallerID to authenticate anything requires trusting the person making the call and that's just not smart. ANI or Automatic Number Identification is what should be used to identify the call; it's what is used to bill the call after all. No Bell in the right mind accepts ANI from their customer. The bell switch always lookus up the TN originating the call and set the ANI to appropriate value. The ANI is what should be used to authenticate VM as it cannot be set by the customer. Sprint's implementation is indeed correct as I've tried spoofing my own cell # in the past to call into VM was was unsuccessful.

  2. So what's new? by Anonymous Coward · · Score: 4, Informative

    This has been a problem for years. VOIP makes caller id spoofing trivial and is supported as a feature just about everywhere. The problem is the fact that VOIP is bolted on to existing infrastructure. An ip call terminating into the pstn has no inherit phone number since (obviously) it's not originating in the pstn. The solution? You can pick our own caller id.

  3. Re:Ha! by X0563511 · · Score: 3, Informative

    I like how you forget the first sentence by the time you move on to the second.

    Allow me to repeat him:

    Passwords People, they are not just for Game shows.

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  4. Re:Any other phone? by reaper · · Score: 4, Informative

    Ya, I did it with Asterisk a while back. Found out accidentally when I dialed my cell phone while setting my call ID to my cell's number. So I tried it with a friend's number. Hilarity ensued.

    --
    - Dan
  5. years old vulnerability by SuperBanana · · Score: 4, Informative

    I fail to see how Android is at fault here. That is basically how voicemail is intended to work, and if you don't put a password on it, you're just as much to blame - same as with any computerized system. The fact that you're spoofing it using an Android app is irrelevant.

    Yep, this is such old news it's not even funny. It is a years-old vulnerability that was covered years ago in slashdot, among other places- I couldn't find any articles with a lazy google search, but I did turn up a comment talking about this very problem from 2006. Carriers have known about the issue for half a decade or more.

    The only point I see TFA trying to make in a very roundabout way is that because the Android market is more open than Apple's, stuff like this "can happen", which is slightly true.

    --
    Please help metamoderate.
  6. Not just Android by agent_vee · · Score: 3, Informative

    My friend used a application like this to fake his caller ID using his iPhone. Though it might have required jailbreaking to install.

  7. Re:passwords.. by Anonymous Coward · · Score: 3, Informative

    > If it's a landline, you mean to tell me they can't see what circuit it's coming from all the way back to your house?

    No "they" can't, at least not in real-time. "They" in this case means AT&T, Verizon/MCI, Sprint, etc. -- any of the large telcos. The infrastructure is simply too big (circuit-wise, switch-wise, etc.), too old, and too "dumb" (in a literal sense) to provide this in real-time. This is not Ethernet we're talking about here.

    Validation based on ANI (this is not the same as Caller ID) is possible, since an ANI isn't spoofable on classic telco networks...... except with the introduction of VoIP into the fray, ANI spoofing is achievable since many VoIP-to-TDM carriers permit/pass user (LEC)-defined ANIs. Yes, I said user-passed ANI, and I mean it.

    Here's a better idea: induce password requirements on a customer's voicemail. Minimum of 4 digits, no repeating numbers ("0000" is invalid). It USED to be this way (back when I subscribed to voicemail services in 1998). So why has this changed? Fix that and done, problem solved, next issue.