Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hack AT&T Voicemail With Android

Posted by kdawson on from the who-needs-social dept.

An anonymous reader writes "It is shockingly easy to gain access to an AT&T customer's voicemail using caller ID spoofing techniques. What's worse is that AT&T knows about it. On your Android phone, download one of the two caller ID spoofing programs. Input the number of your target as the destination number and then enter the same number as the spoofed caller ID. Then connect your call. If the target has not added a voicemail password (the default is no password), you will be dropped into a random menu of their voicemail and eventually can drill up or down to get what you want. You can change greetings, erase messages, send voicemails out of the target account, and much more. How many politicians up in arms about Google Wi-Fi sniffing will want to know more about this?"

6 of 242 comments (clear)

  1. Placing blame by SilverHatHacker · · Score: 5, Informative

    I fail to see how Android is at fault here. That is basically how voicemail is intended to work, and if you don't put a password on it, you're just as much to blame - same as with any computerized system. The fact that you're spoofing it using an Android app is irrelevant.

    --
    Funny may not give karma, but +5 Informative never made anyone snort coffee out their nose.
    1. Re:Placing blame by JaZz0r · · Score: 5, Informative

      Caller ID spoofing is nothing new. It can be done from a number of different services. You can even call these services from an iPhone! New headline: iPhone Can Hack Unsecured Voicemail

      --
      "Careful! We don't want to learn from this!" -Calvin & Hobbes
    2. Re:Placing blame by eyeota · · Score: 5, Informative

      ATT's implementation is indeed to blame. CallerID is the calling presentation of a call, not the source/origination. Using CallerID to authenticate anything requires trusting the person making the call and that's just not smart. ANI or Automatic Number Identification is what should be used to identify the call; it's what is used to bill the call after all. No Bell in the right mind accepts ANI from their customer. The bell switch always lookus up the TN originating the call and set the ANI to appropriate value. The ANI is what should be used to authenticate VM as it cannot be set by the customer. Sprint's implementation is indeed correct as I've tried spoofing my own cell # in the past to call into VM was was unsuccessful.

  2. So what's new? by Anonymous Coward · · Score: 4, Informative

    This has been a problem for years. VOIP makes caller id spoofing trivial and is supported as a feature just about everywhere. The problem is the fact that VOIP is bolted on to existing infrastructure. An ip call terminating into the pstn has no inherit phone number since (obviously) it's not originating in the pstn. The solution? You can pick our own caller id.

  3. Re:Any other phone? by reaper · · Score: 4, Informative

    Ya, I did it with Asterisk a while back. Found out accidentally when I dialed my cell phone while setting my call ID to my cell's number. So I tried it with a friend's number. Hilarity ensued.

    --
    - Dan
  4. years old vulnerability by SuperBanana · · Score: 4, Informative

    I fail to see how Android is at fault here. That is basically how voicemail is intended to work, and if you don't put a password on it, you're just as much to blame - same as with any computerized system. The fact that you're spoofing it using an Android app is irrelevant.

    Yep, this is such old news it's not even funny. It is a years-old vulnerability that was covered years ago in slashdot, among other places- I couldn't find any articles with a lazy google search, but I did turn up a comment talking about this very problem from 2006. Carriers have known about the issue for half a decade or more.

    The only point I see TFA trying to make in a very roundabout way is that because the Android market is more open than Apple's, stuff like this "can happen", which is slightly true.

    --
    Please help metamoderate.