Hack AT&T Voicemail With Android

An anonymous reader writes "It is shockingly easy to gain access to an AT&T customer's voicemail using caller ID spoofing techniques. What's worse is that AT&T knows about it. On your Android phone, download one of the two caller ID spoofing programs. Input the number of your target as the destination number and then enter the same number as the spoofed caller ID. Then connect your call. If the target has not added a voicemail password (the default is no password), you will be dropped into a random menu of their voicemail and eventually can drill up or down to get what you want. You can change greetings, erase messages, send voicemails out of the target account, and much more. How many politicians up in arms about Google Wi-Fi sniffing will want to know more about this?"

Ha!

Most excellent.

Re:Ha!

[icebike]

Passwords People, they are not just for Game shows.

Spoofing caller id should be illegal, but there are just enough loopholes to let you get away with it.

I don't believe this is ONLY restricted to AT&T.

Re:Ha!

[mrsteveman1]

Really? You think the caller ID spoofing is the problem here?

Re:Ha!

[X0563511]

I like how you forget the first sentence by the time you move on to the second.

Allow me to repeat him:

Passwords People, they are not just for Game shows.

Re:Ha!

[icebike]

My first line somehow escape your attention?

Re:Ha!

[BlueBoxSW.com]

I would have been funnier if you started your comment with the word "Really?"...

Re:Ha!

[mrsteveman1]

No it didn't. The fault here is entirely with AT&T, it is not because of missing passwords/pin numbers (which should not matter), nor is it a lack of regulation concerning caller ID.

Re:Ha!

[icebike]

Nonsense. MOST voicemail systems assume calls from the same number are from the owner of record. ATT IS NOT ALONE.

Re:Ha!

[f1r3f0g]

Quite correct. We had the same thing happen in NZ. In 2005...

http://www.theage.com.au/news/Breaking/NZ-hacker-targets-voicemail/2005/05/13/1115843355125.html

Re:Ha!

[mrsteveman1]

So riddle me this, what would happen if i went to make a call from my cell phone to another number, but spoofed the caller ID, whose minutes am I then using? Who gets charged?

Doubt it would be the owner of the spoofed number paying. If it DOES work that way, it simply proves AT&T is incompetent. If it doesn't work that way, then their billing department isn't as dumb as their customer security department.

Re:Ha!

[ElKry]

And yet, they are at fault anyway. Just because a lot of people do something doesn't mean their responsibility is automatically waived.

Re:Ha!

[fuzzyfuzzyfungus]

One is a revenue center, the other is a cost center. I think we can guess which one is further on the ball?

Re:Ha!

Really? You would have been? (Not that your current funniness is a high bar...)

Re:Ha!

[e3m4n]

callerid spoofing is about to be illegal. http://www.govtrack.us/congress/bill.xpd?bill=h111-1258

Re:Ha!

[e3m4n]

callerid is not the same as the ANI number on the call. The ANI is what is used to bill.

Re:Ha!

[AK+Marc]

I think caller ID spoofing is fraud and should be prosecuted as a criminal charge, and those phone companies that allow CID spoofing should be charged as conspirators.

Re:Ha!

[zaphod777]

Why don't they just use the imei number? It is pretty hard to change those and it is illegal to do so in most countries.

Re:Ha!

[mlts]

Then it will just move offshore to sleazy sites in Elbonia offering to spoof IDs... then demanding more money or else they will text the spoofed ID about who was wanting to hack them.

What is needed is a two fold attack against this:

1: As the parent poster suggests, a law against spoofing caller ID to gain unauthorized access. This should fall under computer trespassing statutes.

2: A technological solution: ANI, checking ESN/IMEI codes, a private key stored on the SIM card. Perhaps the next generation of GSM should have the ability to have a RSA or ECC keypair on the SIM (or R/UIM) card and allow for signing on the card.

Re:Ha!

[poetmatt]

it's not even restricted to android.

Re:Ha!

[AK+Marc]

Then it will just move offshore to sleazy sites in Elbonia offering to spoof IDs...

Can you spoof CID internationally? If so, then it would be a simple check to see if it's coming in as a number that it can't be coming in as (just like all good network admins have RFC 1918 addresses blocked incoming to their network).

As the parent poster suggests, a law against spoofing caller ID to gain unauthorized access.

Defining "spoofing" with the common and non-technical use of the word spoofing, all spoofing should be illegal. If you aren't authorized to use the number, it should be illegal to use it. Even if it doesn't gain you specific unauthorized access, it can be used for other nefarious reasons, and there is no reasonable reason to use it.

Spoofing as meaning advertising one of your properly owned numbers out another phone or service (Google Voice) is not "spoofing" as understood by most people, and is not deception in that a call back on that number will reach you. I'm just clarifying because when techies talk about spoofing, they recognize that as that proper term for setting the CID to anything other than what the phone company sets, and the rest of the planet thinks "spoofing" indicates setting it to something other than authorized.

Re:Ha!

[rfuilrez]

The IMEI number changes with the phone. So, if I took my SIM card out, and put it in another phone BAM new IMEI number.

Re:Ha!

[Bert64]

But MOST systems don't use the CLI (a field which is trivially set) to determine what number you're calling from...
There are other systems used for identifying a caller, like ANI which gets routed between telcos but doesn't get shown to end users, this is used for billing of network termination charges etc.

And surely if someone is calling their own number, then the call never has to leave the operators network so they *know* where its from. I can't access my voicemail even from my own phone when i'm roaming for instance.

Re:Ha!

[Bert64]

Can you spoof CID internationally?

Yes and no, some international links dont pass CLI at all, and some operators try to be clever and stamp the country code of where your coming from in front of the number you send (because some cli systems only send the number in local format without the international code)

Re:Ha!

[Aeternitas827]

Wait...so you mean to tell me, the consumer is absolved of every bit of fault, and it lies with the carrier, by not opting to use (in this case) security options that are available to them? It's not as if they have no idea that the password to their voicemail exists, it's the second thing you have to enter when you first dial your voicemail to set it up. To put it another way, what you're insinuating is that the following is a valid chain of logic:

1: I set a password...
2: I'm never asked for my password...
3: ???
4: It's their fault my voicemail got jacked!

It's not. Consumers bear as much responsibility for using their heads, thinking a little bit, rather than having legislators and lawyers shift the blame off of them for their ignorance. 'I wasn't told' shouldn't be an excuse for this sort of thing, or any clause you didn't bother to read in a contractual agreement or on the packaging, and so on--and this broadly speaking, not just a thing with phones (of any sort). The consumer bears responsibility for their ignorance, where it is willful.

Re:Ha!

[Bert64]

This is only a problem for AT&T, other networks don't have a problem... It's an insecure implementation on the part of AT&T and they need to fix it - like everyone else has.

Attempting to gain unauthorized access is already illegal, wether you do so by spoofing CLI or by breaking down the door with an axe.

If you make spoofing CLI illegal then you won't stop people doing it, you will just decrease the instances of it being done to a small group of hardened criminals.. That way the general public will become even more blindly trusting of the CLI and more likely to fall for criminal activity.

Spoofing CLI is no different than spoofing email, it's easy to do and the real solution is educating the user not to blindly trust the originating number.

Re:Ha!

[ciscoguy01]

The fault here is entirely with AT&T, it is not because of missing passwords/pin numbers (which should not matter), nor is it a lack of regulation concerning caller ID.

The fault is the telcos (of which ATT is the biggest and oldest one) who years ago designed an insecure caller ID system. It's been known that the system is insecure for *years* now, and there has been no move to fix it. Not a single effort by anyone.
The solution is to make delivery of caller ID data that is not true and correct just ILLEGAL. A $1,000 fine per incident.
The telcos would have to turn off the caller ID until they could secure that whole system. Unfortunately they are the only ones who could do it. And as soon as possible please.
It's not just ATT or Android, it's the whole insecure system. It sucks terribly and needs to be fixed. I don't see the telcos doing it until they are forced to. A $1,000 fine per incident would do it.

Re:Ha!

[ciscoguy01]

You call your own voicemail from your own cellphone, the operator of your own network is *supposed* to know who you are. It's just not too much to ask.
Making you use a password to call your own voicemail from your own phone, well, if that's the only security the telcos have they are very lacking.
I am not going to give the telcos a pass on the security of your own phone and your own voicemail, calling from their own network. They need to secure all that.
If their system is so lame they don't know who is calling on their own network, well, they should be shut down. They are bozos.

Re:Ha!

[mcvos]

You want to tie it to the simcard, not to the phone.

Re:Ha!

[GameboyRMH]

I don't believe this is ONLY restricted to AT&T.

I remember once I saw a comment on Slashdot about a guy in the UK with an Asterisk system using the same technique to give employees easy access to their cell voicemail - his ITSP allowed caller ID spoofing, and the cell provider's only form of "authentication" was the caller ID.

Re:Ha!

[thechemic]

I agree. This is not restricted to just AT&T. AT&T, like ALL other providers purchase their voicemail platforms from OTHER COMPANIES, such as Avaya & Lucent, etc. AT&T has simply purchased the products on the market that were the best solution at the time, or perhaps purchased from salesment who blew the most smoke. AT&T, and ALL other providers have been aware of this since call spoofing was born. I'm sure the pickle the find themselves in, is how to you suddenly force 50 million people to password protect their voicemail box without blowing up your distributed call centers with a flood of people that dont understand the change.

Re:Ha!

[supremebob]

As an iPhone customer with visual voicemail, I was never prompted to set up a voicemail password when I set up my phone. I doubt that anyone else was, either.

Worse yet, the option to set a voicemail password is buried in the phone settings. The option doesn't even seem to work, either, as the password change option failed with an error message saying that "voicemail was unavailable" when I tried to set a password.

Sorry, but it's hard to blame the customer on this mess. Both Apple and AT&T screwed up when it came to securing this feature properly.

Re:Ha!

[tophermeyer]

The solution is to make delivery of caller ID data that is not true and correct just ILLEGAL. A $1,000 fine per incident. The telcos would have to turn off the caller ID until they could secure that whole system. Unfortunately they are the only ones who could do it. And as soon as possible please.

Except I think they can't. I think caller ID support is one of those features that Telco's are required by law to provide for all lines. Which makes sense to me why they wouldn't be too motivated to maintain the system; it's not a marketable service, they lose money by providing it.

Re:Ha!

[quenda]

Nonsense. MOST voicemail systems assume calls from the same number are from the owner of record. ATT IS NOT ALONE.

I can vouch for that. Same with Three in Australia at least.
( I have a PIN on my voicemail in Australia, but if I call from mobile voicemail my VoIP line, which has CID set to my mobile number, it bypasses the PIN.
Caller-ID is accepted as proof of identity, even when it comes from another network.)

Re:Ha!

[Muad'Dave]

At least one congresscritter has proposed legislation to that effect.

Re:Ha!

[ciscoguy01]

Not at all true. On Cellphones they have thrown in CID. On landlines it's a cash cow, they charge $3-$4 for it.

Re:Ha!

[WNight]

Defining "spoofing" with the common and non-technical use of the word spoofing, all spoofing should be illegal. If you aren't authorized to use the number, it should be illegal to use it.

Oh you tax-and-spend authoritarians!

Where do you think the money comes from for the federal investigations of wire fraud every time someone calls a wrong number or manually edits a URL? What's the cost benefit to society of sentencing some punk kid to 900 years for 60K counts of hacking facebook instead of making facebook fix their problem?

How does it benefit society that we bail out companies who can't be bothered even try to be secure?

Re:Ha!

[WNight]

So now when it happens people will be convinced it's real.

It's exactly what they did with listening to cellular calls. They outlawed it early enough in adoption that most people didn't know their calls were broadcast in the clear - and it was illegal to show them proof.

As a consequence people were less safe than if eavesdropping were common, at least then they'd have known to take precautions or use a more-secure device.

Re:Ha!

[AK+Marc]

How does it benefit society that we bail out companies who can't be bothered even try to be secure?

I can't tell if you are being entirely sarcastic, of just have sarcasm intersperesed with your opinion.

Apparently, your opinion is that people shouldn't investigate fraud because lying for material gain isn't a bad thing.

Re:Ha!

[AK+Marc]

Spoofing CLI is no different than spoofing email, it's easy to do and the real solution is educating the user not to blindly trust the originating number.

It's technically trivial to do, and technically trivial to stop. The real solution is to prosecute fraud and "hacking" laws, rather than making excuses defending the criminal actions. And, since the phone companies are party to the fraud (they know for certain what numbers are authorized on which lines, and explicitly allow "unauthorized" numbers to be used), they should be held accountable in their part as well.

Re:Ha!

[WNight]

You had to stretch a lot to get there.

How does it benefit us to pass ever more restrictive and totalitarian laws solely for the benefit of companies who won't even try to be secure? Why should we foot the bill for something doomed to fail?

Why making faking some bits in a header fraud when they could just stop trusting customer data? There won't ever be an incentive to provide actual security if you can simply punish people who expose your mistakes.

Re:Ha!

[AK+Marc]

You had to stretch a lot to get there.

Your inability to critically think does not indicate that my argument was a stretch.

How does it benefit us to pass ever more restrictive and totalitarian laws solely for the benefit of companies who won't even try to be secure?

We have laws in place making it functionally illegal. We should just clarify the laws.

Why should we foot the bill for something doomed to fail?

Are you talking about the automaker bailouts? The airline bailouts? Public education funding? Prohibition? Clarify man, given that just about every government has eventually failed, everything they've ever done has failed as well, and as such, no one should ever do anything ever because at some point in the future it will fail. If you are using that as your True Test, then nothing passes, and this is so low on the list it's a waste of your time to talk about, go out there and work on our foreign policy, it's never done anything right and it costs trillions every year.

Why making faking some bits in a header fraud when they could just stop trusting customer data?

Because those lying bits *are* fraud. Why are you encouraging fraud? Why are you for legalization of fraud? I don't care about AT&T's internal policies. Someone lied in order to gain access to a system they didn't have authorization to use. Period. That's a federal crime. Why are you against enforcing the laws we have now?

There won't ever be an incentive to provide actual security if you can simply punish people who expose your mistakes.

That's a separate and unrelated issue. If someone suffers a loss, then they should sue AT&T. If AT&T has an insecure policy as a standard policy, then all their customers should get together and sue them in a class action. But whether AT&T harmed their customers from a policy is unrelated to the fraud committed by those that abused that permissive policy.

Again, you are defending the people committing fraud. Why?

Re:Ha!

[WNight]

You're trying as hard as you can to miss my point.

I'm asking why we bother footing the bill for prosecuting trivialities as crimes.

It's like drug laws. Yes, they are there, but they're wasteful, functionally useless, and overly restrictive. Why do we pay for that nonsense?

no one should ever do anything ever because at some point in the future it will fail.

I know you're still trying your hardest to not get it, but there's a big difference between something that might not succeed and blindly repeating things you KNOW will fail.

Because those lying bits *are* fraud.

No, they are not. They're user-settable bits. They aren't valid ID, or data on a form you've promised to fill in correctly. It's like a nickname. That the equipment to set it is so rare you haven't heard of it isn't my problem.

How does it benefit us to pass ever more restrictive and totalitarian laws solely for the benefit of companies who won't even try to be secure?

We have laws in place making it functionally illegal. We should just clarify the laws.

But why? How does the public's balance sheet look any better at the end of the year for cracking down on caller-ID spoofing?

There won't ever be an incentive to provide actual security if you can simply punish people who expose your mistakes.

That's a separate and unrelated issue. If someone suffers a loss, then they should sue AT&T. If AT&T has an insecure policy as a standard policy, then all their customers should get together and sue them in a class action. But whether AT&T harmed their customers from a policy is unrelated to the fraud committed by those that abused that permissive policy.

But AT&T wouldn't be at fault because the action was illegal. So they'd have no incentive to fix it. They'd leave more customers at risk that way than if they had to fix this.

Again, you are defending the people committing fraud. Why?

No, I'm advocating for a state of reality where we would have encrypted cellphones because the government hadn't just mandated that listening to calls is illegal.

But now because you don't want to acknowledge the nature of caller-ID, especially versus ANI which is made for identifying the calling party for billing purposes, we're going to have more useless laws that penalize the law-abiding and do nothing but dumb down the population.

How do we benefit from this?

Re:Ha!

[AK+Marc]

You're trying as hard as you can to miss my point.

My point is that CID spoofing is fraud. If it isn't being prosecuted as such, then the laws should be updated to include the current technological equivalent of calling up, claiming to be someone you aren't, and using those lies for your own benefit.

You either think it is or isn't fraud. You either think fraud should or shouldn't be illegal. You aren't addressing any of those questions. I understand your point, but you aren't addressing my questions about your point.

But AT&T wouldn't be at fault because the action was illegal.

Never mind. You are so ignorant that I can't convince you of anything. I guess ignorant is wrong. Ignorant and questioning is a virtue. Ignorant and sure of it is called stupidity.

Negligence is actionable, even if the person taking advantage of the negligence broke the law. A locksmith that "secures" your house by putting in locks that don't work is liable when someone breaks the law to burgle. One is criminally liable. The other is civilly liable.

No, they are not [fraud]. It's like a nickname.

Yup, incurably stupid. Next, you'll tell me that if I claim to be President George H W Bush on the phone with someone and request a donation to a fake charity, that it's not fraud because purposefully lying with the intent to deceive for profit isn't "fraud" it's just creative use of a nickname. After all, you should have demanded that I show you my ID over the phone. Go ahead, define fraud in a manner that doesn't include lying over CID to appear to be someone else in order to deceive for profit. You haven't. At best, you've just said that the government shouldn't protect people defrauded. But in that case, you entire point is irrelevant because your preferences as to whether fraud should be prosecuted is irrelevant to the question of given that fraud is illegal, should CID spoofing for fraudulent purposes be illegal.

I'm asking why we bother footing the bill for prosecuting trivialities as crimes.

Because you live in a democracy, and most people would like the government help enforce laws against fraud. You are the first person I've ever spoken to that thinks fraud should be legal. Why not assault too? After all, just hitting someone doesn't leave any lasting harm. And burglary is more honorable than fraud, because you don't have to lie and cheat to take someone's money, you just take it and if they didn't secure their house well enough, it's their own fault anyway, right? And rape, she was asking for it. And murder, after all most are committed by someone you know, and if you hung around with people like that you got what you deserved. All those petty crimes are silly, we shouldn't worry about them.

Re:Ha!

[WNight]

You are the first person I've ever spoken to that thinks fraud should be legal.

You are so fucking dumb. You're the first person I've met who's thinks I want the tautologically impossible, that fraud not be illegal.

You quoted it yourself, prosecuting trivialities as crimes.

Trivialities. Spoofing CID is a triviality because it's not meant to be a secure system.

You either think it is or isn't fraud.

I think we're wasting time and money making things fraud.

Next, you'll tell me that if I claim to be President George H W Bush on the phone with someone and request a donation to a fake charity, that it's not fraud because purposefully lying with the intent to deceive for profit isn't "fraud" it's just creative use of a nickname.

It's the defrauding of the charity that's the problem, not the phrase "my name is George Bush".

most people would like the government help enforce laws against fraud.

Most people also want the government not to throw money away on band-aid solutions to made-up problems.

It's our law. If we don't decide to make it fraud then it doesn't have to be illegal.

Negligence is actionable, even if the person taking advantage of the negligence broke the law. A locksmith that "secures" your house by putting in locks that don't work is liable when someone breaks the law to burgle.

Not when the government decrees set the acceptable standards. If cellphones can't be monitored (by fiat) why would a company bother providing extra protection? How could they be shown to be negligent? Demonstrating the problem, or even having equipment to do so, was illegal.

Similarly, a locksmith can only be sued if they failed to install a lock of normal quality, not if all locks of normal quality are easily defeated. If you ban lock-picks you can keep most people ignorant, but not safe.

And rape, she was asking for it.

You forgot to compare me to Hitler.

Ignorant and sure of it is called stupidity.

You mean like how you don't understand what I'm saying but are attacking it anyways?

Re:Ha!

[jep305]

So riddle me this, what would happen if i went to make a call from my cell phone to another number, but spoofed the caller ID, whose minutes am I then using?

Wow, you seriously have no idea how this stuff works, do you?

Re:Ha!

[AK+Marc]

You're the first person I've met who's thinks I want the tautologically impossible, that fraud not be illegal.

That's not tautologically impossible. It's as simple as repealing a law against the "triviality" of lying for gain. Then fraud will be legal. Do you not understand how laws work? Or do you not understand what fraud is? And you complain when I say your stance is to legalize fraud, yet you want to legalize CID spoofing, which is lying for gain. So you are either for the legalization of the triviality that is fraud, or you are for the illegality of CID spoofing. You can't redefine "fraud" to mean lying for personal gain, unless that lying is via use of the CID system.

It's our law. If we don't decide to make it fraud then it doesn't have to be illegal.

You have the cause and effect of definitions mixed up. CID spoofing *is* fraud. Whether you want fraud legal or illegal is what we can change. Fraud is not immutably illegal. That is, if we repeal all laws, fraud will become legal (along with everything else). It's illegal because there exists a law saying "fraud is illegal." When you strip away whether it's fake IDs or spoofed CID or such, your argument becomes "I want lying for gain to be illegal, but not lying for gain to be illegal." Your argument is contradictory and impossible. That's why it took me so long to understand what you were saying. You weren't arguing fraud should be legal, but that lying for gain shouldn't be fraud, when every dictionary on the planet lists lying for gain as the definition of fraud. However, even through force of law, you can't change the meaning of a word. You can only change what's legal or illegal. You want CID spoofing excluded from the definition of fraud. You might be able to pass a law making CID spoofing an exception to the laws against fraud, but you can't change the definition of the word. But then, I think you are so interested in proving me wrong that you don't even have any idea what you are talking about, other than you get to mutter "you are wrong" repeatedly.

Re:Ha!

[Bert64]

What numbers are technically "authorised" is actually very hard to determine.. It might be relatively simple in a case like this where the destination number and voicemail system belong to the same telco, but consider for a moment.

Roaming - your number which belongs to one telco, now exists at a roaming partner in a different country.

Interconnects - if i use one telco and call a customer of a completely different telco, how is that call routed? it might be through third parties, how do you keep track of who owns what number?

Companies with multiple lines - at work we have lines from 3 different providers for resiliency, however when making an outbound call we always present our main switchboard number as the cli - the switchboard number only belongs to one of the 3 suppliers but we can announce it through all 3.

When i make calls from home via my voip phone (because its cheaper) i always present the cli of my mobile, so that people know who's calling and can call back even if i'm not at home.

Re:Ha!

[AK+Marc]

What numbers are technically "authorised" is actually very hard to determine.

They are trivial.

Roaming - your number which belongs to one telco, now exists at a roaming partner in a different country.

Compare the billing number to the CID. If they match, send it. If they don't, send the billing number. What's the issue?

Interconnects - if i use one telco and call a customer of a completely different telco, how is that call routed? it might be through third parties, how do you keep track of who owns what number?

At best, you are claiming that one telco can lie to another. Agreed. The last number sold from a telco to a non-telco is where it's done. It's not hard. It's not rocket science. If they are a telco, they will be registered with the state and the feds (not some guy with a T1 in his garage and a bank of modems that thinks he's a telco, but a real one). If the state regulatory agency doesn't register them, then you don't let them pass CID through your network without verification. Again, blindingly simple.

Companies with multiple lines - at work we have lines from 3 different providers for resiliency, however when making an outbound call we always present our main switchboard number as the cli - the switchboard number only belongs to one of the 3 suppliers but we can announce it through all 3.

You register the number with the telco. Again, not rocket science.

When i make calls from home via my voip phone (because its cheaper) i always present the cli of my mobile, so that people know who's calling and can call back even if i'm not at home.

There is no such thing as a VoIP phone that connects to the PSTN. You are using some provider for the PSTN line. Who owns that line? Get them authorized to pass your mobile number out, and poof, all is good.

Yes, it will make for more paperwork. But there's nothing in anything you said that would be technically challenging at all. It's just a matter of whether we want to lock down CID to where it's as secure as people already think it is, or whether we should just give up on CID being useful because any teen with a Droid and an ap (or any number of ways of doing it from a home phone, if the telco doesn't already block CID) can call from 1600 Pennsylvania Ave.

Re:Ha!

[WNight]

I'm talking about things that shouldn't be made into crimes. Your posts are nothing but a semantic game about the meaning of lie vs fraud. Fuck off with your pedantic bullshit.

You know what I was talking about and are totally unwilling to address the point.

CID changing is PART OF THE PROTOCOL, where clients can call themselves whatever they want, because the real information is lower in another untouchable field. It's like how ICQ gives you a user number but lets you change your nickname. To someone from another system it might seem like everyone can spoof each other until they know to use the number to identify people, not the name.

I understand your fears. To you this is as scary as if your bank started offering services on IRC to people by their nickname. You'd be panicked someone else could use the name AK_Marc and clear out your account. But instead of doing the reasonable thing and demanding your bank fix its system, require passwords, etc, you're demanding laws to fix it by making a federal nickname registry.

Wouldn't you rather the voicemail provider in this situation was required to read the REAL data, or ask for a password when it's not available, than be allowed to keep being insecure? As long as they demand laws to band-aid over their flaws and authoritarians like yourself rise to the call they'll never tackle their own problems. When it's illegal they'll pretend nobody can do it and when your voicemail gets listened to or goes missing they'll just say "that's impossible".

Re:Ha!

[AK+Marc]

I'm talking about things that shouldn't be made into crimes. Your posts are nothing but a semantic game about the meaning of lie vs fraud. Fuck off with your pedantic bullshit.

Language is a semantic game. Either we use the words to communicate, or we don't. I'm trying to make sure we understand each other. You are using words in the opposite of their dictionary definitions, and it's confusing. You are the one playing semantic games. Lying for gain is fraud. Using CID spoofing is a lie. Using CID spoofing in the process of gaining something is fraud. That's how it works now. CID spoofing is fraud (as long as there's a gain). The only thing making CID spoofing illegal directly would do is to remove the proof of gain in order to prosecute the currently illegal practice of CID spoofing for gain.

You know what I was talking about and are totally unwilling to address the point.

No, I have no idea what you are talking about. I've repeatedly stated that I'm talking about "spoofing" being the common usage, not the technical usage, and you've apparently ignored all my clarifications and are arguing about something I've specifically said on multiple occasions I'm not talking about. And if that is the case, then I missed it because I figured that multiple explicit clarifications would clear that up.

CID changing is PART OF THE PROTOCOL, where clients can call themselves whatever they want, because the real information is lower in another untouchable field. It's like how ICQ gives you a user number but lets you change your nickname. To someone from another system it might seem like everyone can spoof each other until they know to use the number to identify people, not the name.

That's inaccurate. There's nothing that lets a home user on a generic residential line to know the ANI. It can't be known, so the *only* thing they see is the nickname and the "real information" is *not* on a lower level delivered to the residential line. It isn't there. There aren't two pieces of information delivered, as you assert. You are 100% wrong about that, and everything else. You *can't* know the ANI as a residential home user. That you assert so indicates you have no knowledge of how things work.

I understand your fears. To you this is as scary as if your bank started offering services on IRC to people by their nickname. You'd be panicked someone else could use the name AK_Marc and clear out your account. But instead of doing the reasonable thing and demanding your bank fix its system, require passwords, etc, you're demanding laws to fix it by making a federal nickname registry.

I have no fear. But I have the realistic knowledge that lying to cheat people is illegal, and spoofing CID is used as a lie to cheat people. That's currently illegal. Making CID spoofing illegal will have just a tiny little change in proof of gain for those committing fraud with CID. Why do you think fraud should be legal?

Wouldn't you rather the voicemail provider in this situation was required to read the REAL data, or ask for a password when it's not available, than be allowed to keep being insecure?

And you accuse me of rhetorical games. You invent a false dichotomy and then assault some strawman. I didn't say anything that contradicts your statement, and your statement is unrelated to whether lying for gain is or isn't illegal.

As long as they demand laws to band-aid over their flaws and authoritarians like yourself rise to the call they'll never tackle their own problems.

Fraud is illegal. Do you think that lying for gain (fraud) should or shouldn't be illegal?

When it's illegal they'll pretend nobody can do it and when your voicemail gets listened to or goes missing they'll just say "that's impossible".

Again, non sequitur. I'm not speaking as to what's good security policy. I'm speaking as to what is illegal. Fraud is illegal. Lying about what number you are calling from fo

Re:Ha!

[WNight]

That's inaccurate. There's nothing that lets a home user on a generic residential line to know the ANI. You are 100% wrong about that, and everything else.

I didn't say there was. I said:

CID changing is PART OF THE PROTOCOL
That the equipment to set it is so rare you haven't heard of it isn't my problem.

You're a fucking imbecile. Learn to read.

the *only* thing they see is the nickname and the "real information" is *not* on a lower level delivered to the residential line.

No, it's not there on the service you use for a residential line. That's one of the reasons it's obsolete.

I've repeatedly stated that I'm talking about "spoofing" being the common usage, not the technical usage, and you've apparently ignored all my clarifications

You want to make the simple action of a user setting the CID information a criminal act regardless of the circumstances.

Fraud already is against the law, even if it includes setting false CID information.

No, I have no idea what you are talking about.

Bullshit. You answered it above. I'm saying this is a technical issue and is working as intended.

You know full well what I'm trying to discuss and you play definition games.

Language is a semantic game.

Fuck off. You're the one trying to hammer what I say into your tiny little holes. If you didn't insist so hard about your one definition of fraud being the only one and actually tried to discuss the issue I was raising you could have skipped the last few moves in your little semantic game.

I have no fear. But I have the realistic knowledge that lying to cheat people is illegal, and spoofing CID is used as a lie to cheat people. That's currently illegal.

You're running to ban something that you already admit is banned.

Making CID spoofing illegal will have just a tiny little change in proof of gain for those committing fraud with CID.

You recognize it'll cause at absolute best a tiny little change for the bad guys, and yet you're still demanding it be forbidden.

And you accuse me of rhetorical games. You invent a false dichotomy and then assault some strawman.

Why do you think fraud should be legal?

You're the one trying to put words in my mouth. And blaming me for it while doing it.

You're either delusional or a liar.

and your statement is unrelated to whether lying for gain is or isn't illegal.

Did you ever stop to consider why?

It wasn't the conversation I was having. You keep trying to force me to answer crazy McCarthy-esqe questions as if it could have any influence on the technical conversation at hand.

But you are arguing that because they have locks on doors, trespassing should be legal, right?

The law against trespassing is what keeps people from trespassing. We don't need a law against touching door-knobs.

To use your doorknob analogy, you want to forbid opening doors without authorization. A noble, but imbecilic, goal. The only effect it could have would be to decrease security by encouraging people to trust the law to keep them safe. Sure, a criminal who pursued them through an unlocked door could face a higher penalty for doing so but the victim would be dead/etc by then.

Again, non sequitur. I'm not speaking as to what's good security policy.

No, again with you trying to ignore my point in this thread, which is that political band-aids for technological problems are failures.

I am speaking as to what's a good security policy. To the degree that you are not, stop.

All I'll say about that is trespass is illegal and they have locks anyway.

Yes, because they aren't as stupid are you are. Locks keep people out, laws punish them later.

Re:Ha!

[AK+Marc]

You want to make the simple action of a user setting the CID information a criminal act regardless of the circumstances.

I have never said that. That assertion, unrelated to my claims, would be the issue of why you objecting.

It's simple. Do you think fraud should be illegal? Is lying for personal gain at someone else's expense fraud? Is passing untrue CID with the intent of deceiving someone a lie?

Answer those, and leave the insane assertions of what you think I really mean that's in direct contradiction to what I actually say. Go on, I dare you, actually answer the questions I ask regarding fraud. But no, you won't. You think lying for gain is ok, as long as the lie is deceitful CID. Or so you've said, as you said fraud should be illegal, but that no use of CID should ever be illegal, right? Correct me if I'm wrong. It's so hard to get you to say anything other than your rambling rants about how I'm wrong that it's hard to figure out what you actually think so I can address that.

To use your doorknob analogy, you want to forbid opening doors without authorization.

That's already the case. Breaking and Entering is illegal. "Breaking" is opening an unlocked door. In some places, just breaking is illegal. The laws you assert are absurd are already on the books. That just indicates to me that you have no connection to reality.

Re:Ha!

[WNight]

To use your doorknob analogy, you want to forbid opening doors without authorization.

That's already the case.

No, it isn't. Opening an unlocked door to go through it can be against some laws in some cases. Simply turning a knob or swinging a piece of wood is not. For instance, opening an "employees only" door to call for help would not be trespassing.

The laws you assert are absurd are already on the books. That just indicates to me that you have no connection to reality.

Yes, for instance it is illegal to own a device capable of listening to cellular calls, despite that this makes it harder for the victims and easier for the attackers. It's fucking absurd.

Is passing untrue CID with the intent of deceiving someone a lie?

Wearing a fake name-tag as part of a crime is a lie but you don't see the criminalization of name-tag vendors.

If your concern is that people are committing a crime, relax. It's probably a crime without the CID spoofing, and the spoofing is probably evidence of intent. It doesn't need to be illegal, itself, for criminals to not be able to exploit it.

Re:Ha!

[AK+Marc]

Wearing a fake name-tag as part of a crime is a lie but you don't see the criminalization of name-tag vendors.

So you will never answer any yes/no question with a yes or a no. Instead, you ramble on about some tangent or such. Got it. The sky is blue. See, that proves your assertions all wrong. I like that game.

Re:Ha!

[WNight]

You're obviously incapable of asking an unloaded yes/no question, McCarthy.

Re:Ha!

[AK+Marc]

You can't even define fraud. And yes, the questions are loaded, they make you look like an idiot who supports criminals. If I asked them to someone on the street, they'd answer them and move on, thinking that lying for profit is a bad thing. However, you obviously don't have that opinion. You are so interested in protecting your pet idea of lying for profit being a good thing that you won't listen to what anyone else has to say.

Re:Ha!

[WNight]

You are so interested in protecting your pet idea of lying for profit being a good thing that you won't listen to what anyone else has to say.

Are you on your meds? Because if not you must be a fucking imbecile.

Much Earlier:

Again, you are defending the people committing fraud. Why?

No, I'm advocating for a state of reality where we would have encrypted cellphones because the government hadn't just mandated that listening to calls is illegal.

I'm still just saying we shouldn't waste our money passing redundant and pointless laws that only leave us with a huge bill and a false sense of security. I don't know what kind of retard you'd have to be to think that protects criminals.

I know you're only acting from fear, but it's really your actions that help criminals. Prohibition was big business. Laws against cell-phone scanners just funded the smugglers who brought in foreign radios. Enforcement cost a fortune, having to buy crippled radios for more money really stunk, and nobody was any safer.

To stop fraud you have to prevent and punish fraud, the whole affair, not wearing a fake name tag. I know it's not the quick band-aid fix you wanted but at least it's not delusional.

And yes, the questions are loaded, they make you look like an idiot who supports criminals.

No, they make you look illiterate, and like a real asshole.

If I asked them to someone on the street, they'd answer them and move on, thinking that lying for profit is a bad thing.

If you asked your question to someone on the street they'd notice your awkward wording and the forced yes/no nature of it and they'd realize you're a kook pushing his special interest. I imagine they'd look for the camera.

Re:Ha!

[AK+Marc]

I'm still just saying we shouldn't waste our money passing redundant and pointless laws that only leave us with a huge bill and a false sense of security.

Just because you bring up cell phones doesn't equate the two. With the cell phones, there is no way to know who is listening. With CID, it's obvious. With cell phones, you assert that the law prevents people from protecting themselves, but you assert nothing of the kind with CID.

So go ahead and explain, how does making CID spoofing illegal harm anyone? What's the "bill" associated with it? I understand your argument about a false sense of security, but that's the only kind we have. So whining about that is stupid. It would be so low down on the list, with most every law enforcement the government does now (terrorism, the war on drugs, three-strike laws, etc.) that one that makes it easier to prosecute those committing fraud is stupid. Not to mention, I believe you to be 100% wrong. People currently assume CID to be 100% secure. So working to make it more secure doesn't promote a false sense of security. People already have it, so making it more secure provides a net increase in security, not a decrease as you assert.

Placing blame

[SilverHatHacker]

I fail to see how Android is at fault here. That is basically how voicemail is intended to work, and if you don't put a password on it, you're just as much to blame - same as with any computerized system. The fact that you're spoofing it using an Android app is irrelevant.

Re:Placing blame

[JaZz0r]

Caller ID spoofing is nothing new. It can be done from a number of different services. You can even call these services from an iPhone! New headline: iPhone Can Hack Unsecured Voicemail

Re:Placing blame

This, I've messed with friends voicemail accounts years ago by dialing in and entering 0000 as a password..

I of course didn't feel the need to brag on blogs about how clever I was because I was 13 at the time, so I was old enough to realise I wasn't "hacking" their voicemail.

Jesus Christ people, this kind of stuff makes me ashamed to be a Computer Science student, I've honestly thought of dropping out and doing Maths so I wouldn't have to be associated with these people.

Re:Placing blame

+1, this is NOT an included feature of Android. You have to download an application in order to accomplish this. And, if i'm not mistaken, blackberry and iphones both have access to such apps.

"How many politicians up in arms about Google Wi-Fi sniffing will want to know more about this?" - Seriously? what kind of statement is that? This has NOTHING to do with Google directly. As SilverHatHacker said, if you don't put a password on it, you're just as much to blame. Call spoofing has been around since before Android even existed. Some call spoof sites / applications prohibit you from entering the same number as both your number and the number you are calling (i'd assume to avoid their services being involved with things like this).

Bottom line, don't like it? Put a password on your voicemail. Upset that this is your option? Then complain to the developers / people behind services that allow call spoofing. Don't put the blame on an open source platform, let alone of one of many corporation behind that platform.

Re:Placing blame

[pushing-robot]

Yeah, this is how I always understood voicemail to work. Blame users for not having proper passwords, and blame phone companies for being hopelessly inept at security. Caller ID is useless for authentication; it dates to the early 1970s, when AT&T still assumed the entire phone network was trusted (and thus black/blue boxes were becoming the rage).

Of course, now Google has to play whack-a-mole locking out these apps for much the same reason Apple locks their handhelds: No matter who's really at fault, they get the bad press.

Re:Placing blame

[eyeota]

ATT's implementation is indeed to blame. CallerID is the calling presentation of a call, not the source/origination. Using CallerID to authenticate anything requires trusting the person making the call and that's just not smart. ANI or Automatic Number Identification is what should be used to identify the call; it's what is used to bill the call after all. No Bell in the right mind accepts ANI from their customer. The bell switch always lookus up the TN originating the call and set the ANI to appropriate value. The ANI is what should be used to authenticate VM as it cannot be set by the customer. Sprint's implementation is indeed correct as I've tried spoofing my own cell # in the past to call into VM was was unsuccessful.

Re:Placing blame

[ytaews]

As AT&T told us with the whole iPad email thing, it's not their fault for not having a password by default, nor is it Android's fault for allowing Caller ID spoofing, it's the fault of the people who let the public know their voicemail wasn't safe.

Re:Placing blame

It's not quite the same thing as not having a password on your computer. If you don't have a password on your computer, anyone can use it, but typically only if they have physical access to it. Similarly, if you leave the default password on your home router, anyone can mess with it, but the default is to only allow logins from the local network, so close proximity to the device is required, and even more so if wifi is disabled or has a strong WAP2 password. This is quite different as anyone anywhere in the world can access your voicemail.

What is really needed is for a change in the way voicemail is handled. Voicemail should be an IP service, with an app installed on phones to access it (and uses the SIM and other information on the phone as ID), and also have a POTS interface which is disabled by default and requires a password to be set before enabling it. This way, even if someone declines to set a password, their voicemail is safe as long as they maintain custody of their phone and SIM card.

Re:Placing blame

[Stupendoussteve]

Who is blaming Android? Tone of the article is negative towards AT&T, not towards Android. It just happens that apps to do this are easy to come by for Android.

Re:Placing blame

[rjch]

I fail to see how Android is at fault here. That is basically how voicemail is intended to work, and if you don't put a password on it, you're just as much to blame - same as with any computerized system. The fact that you're spoofing it using an Android app is irrelevant.

The article isn't blaming Android for this - the finger is pointed at AT&T for such lax security. The only reason Android is referenced is that there happen to be apps available to spoof caller ID from them.

In Australia, we don't have this problem because caller ID spoofing of any kind is not allowed and is actively blocked from any landline or mobile service - if you attempt to present caller ID for a number that does not belong to the service the call is originating from, then the caller ID is reset to a default.

Where caller ID spoofing of any kind is allowed, carriers should not activate a service without a random pin number being assigned first.

Re:Placing blame

I am happier and happier to be a Sprint customer every day.

Seriously, what is AT&T thinking?

Re:Placing blame

[MichaelSmith]

if you attempt to present caller ID for a number that does not belong to the service the call is originating from, then the caller ID is reset to a default.

I wouldn't say we don't have the problem. You could get away with another number ob the originating service. We have fewer operators and less competition. which leads to other problems of course.

Re:Placing blame

This, I've messed with friends voicemail accounts years ago by dialing in and entering 0000 as a password..

I of course didn't feel the need to brag on blogs about how clever I was because I was 13 at the time, so I was old enough to realise I wasn't "hacking" their voicemail.

Jesus Christ people, this kind of stuff makes me ashamed to be a Computer Science student, I've honestly thought of dropping out and doing Maths so I wouldn't have to be associated with these people.

You might brush up on your Engrish too while you change studies.
I am the same age as you and even I REALIZE that this is a whistle blowing article, not a blog entry. Your post makes no sense. Why would being a CS student associate you with script kiddies or the like?

You are a fucking idiot.

Re:Placing blame

[PopeRatzo]

You can even call these services from an iPhone! New headline: iPhone Can Hack Unsecured Voicemail

Yes, but if the story were to mention that, it wouldn't work as FUD.

Re:Placing blame

[QuantumRiff]

does it have to be on ATT's network? What if I spoof the Caller ID of my home phone using asterisk? (or something else?)

Re:Placing blame

[sjames]

It is absolutely positively NOT how voicemail is supposed to work but Android isn't the blame.

AT&T knows very well that caller-id is worthless for authentication AND it has access to the much more authoritative ANI (which cannot be spoofed so easily).

I wouldn't blame the customers either. If you mistakenly believe that AT&T has a single grain of common sense, you might imagine they DO use ANI (I'll bet the manual reads "from your phone only" rather than "from any phone that sends your number in it's faked caller ID") even if you don't know what it's called. After all, they're the phone company, surely they know which phone you're calling from, they DO know who to bill the minutes to after all.

Re:Placing blame

Verizon has the same problem so it's not all AT&T fault they all use that method of auto.

Re:Placing blame

[Kirijini]

No Bell in the right mind accepts ANI from their customer

Bell? what is this "Bell" stuff you're talking about? All the baby bells have been gobbled up. AT&T and Verizon are all that's left...

Re:Placing blame

[rjch]

I wouldn't say we don't have the problem. You could get away with another number ob the originating service. We have fewer operators and less competition. which leads to other problems of course.

On all Australian services I've worked with (and as a former Asterisk engineer, I've worked with a few) if you try to present a number that does not belong to the service (or within the number range assigned to that service - provided you've paid for the privilege) then the default number will be presented.

Re:Placing blame

[AHuxley]

Encryption is expensive per chip or via backhaul or bites into some business plan.
Rust belt hardware been allowed to rest in place until they are at a price point to replace it?
Or the admins need or want some easy billing/helping/connecting system that can be worked with to get a solution rather than 'trust me with your password to fix this" dead end
Other ideas are third party outsourced billing or phone taps?

Re:Placing blame

[MichaelSmith]

I wouldn't say we don't have the problem. You could get away with another number ob the originating service. We have fewer operators and less competition. which leads to other problems of course.

On all Australian services I've worked with (and as a former Asterisk engineer, I've worked with a few) if you try to present a number that does not belong to the service (or within the number range assigned to that service - provided you've paid for the privilege) then the default number will be presented.

Thats what I mean. You can still pretend to be another number on the same service.

Re:Placing blame

[Bert64]

Don't complain to the developers or the spoofing services...

Complain to the telco that uses something as insecure as CLI to authenticate you.

The spoofing services are doing you a favor by educating people about how easy it is to spoof CLI. Would you rather be totally naive and completely trusting when you get a call from your banks number and a guy with a nigerian accent cheerfully takes down your account details?

Re:Placing blame

[mjwx]

I fail to see how Android is at fault here. That is basically how voicemail is intended to work, and if you don't put a password on it, you're just as much to blame - same as with any computerised system. The fact that you're spoofing it using an Android app is irrelevant.

You see this is how AT&T is trying to discredit android. Locking down the handsets is bad enough but now they're trying to say "OMG, they're out of the walled garden, it's terrible and look at all the damage they are doing !!110NE11!Ponies. Teh Android must be stopped."

The fact you could do this on WinMo, Symbian, Maemo or even a jailbroken Iphone is irrelevant to this aim. Under no circumstances must this be made to look like an AT&T insecurity issue. However there is a prize for the first person to spoof the number of the AT&T CEO and replace the voicemail message with "Hello, you've reached the number of Butthole Felcher esq. Can you hear me now". Also spoofing the number of Steve Job's Iphone and replacing his voicemail message with one expressing his deep and undying love for Google Android will earn significant street cred, I am content to leave the exact wording of this to the users imagination.

Re:Placing blame

[sridharo]

Also the reason for having the "remote app killing" clause ? Most go with the default anyway!

Re:Placing blame

[mjwx]

Of course, now Google has to play whack-a-mole locking out these apps for much the same reason Apple locks their handhelds: No matter who's really at fault, they get the bad press.

I dont see why Google should do anything about the applications. Nothing has violated Google's TOS here. They are violating AT&T's TOS so let AT&T be the bad guys and ban the violators from their networks.

Re:Placing blame

ANI can be spoofed too...

Re:Placing blame

[ArsenneLupin]

if you don't put a password on it, you're just as much to blame

Do you lock the door to each room in your house?
No, you don't need to, you just lock the front door (and other exterior doors).

Same thing here: customers (and apparently the telco too) believed that caller-id was protection enough, so no password is needed.

The real scandal here is why isn't caller-id unspoofable? If this hack would only be possible from professional equipment or from PABX'es connected via a trunk line, I might understand.

But accessible from every handset? The designers of such system must be crazy!

Re:Placing blame

[ArsenneLupin]

Caller ID spoofing is nothing new.

If this is such old news, then why o hell hasn't it been fixed yet? Why is it still so easy to pull off these shenanigans?

Re:Placing blame

[agrif]

"How many politicians up in arms about Google Wi-Fi sniffing will want to know more about this?" - Seriously? what kind of statement is that? This has NOTHING to do with Google directly. As SilverHatHacker said, if you don't put a password on it, you're just as much to blame.

To me, that's the point.

Google collected freely available, unencrypted messages being broadcast over the electromagnetic spectrum. This is exactly the same as accessing a computer system with no password. Actually, I would say what Google was doing was better: they were data omnivores, taking in whatever floated their way. To take advantage of the voicemail system, you would have to target individuals.

This has nothing to do with Android, specifically. However, many people are quick to hate Google for collecting unsecured wifi data (though I still believe this was accidental), but equally quick to blame people with no passwords. There are people who would say both "unsecured wifi data I send should be private" and "people without passwords deserve whatever they get".

Re:Placing blame

Actually the new iPhone has defensive mechanisms to prevent this kind of fraud. If it detects you're making a fraudulent call, it drops the signal down to nothing and disconnects you. Also if you're making a legitimate call, but the point is that in Apple's world a little inconvenience is worth it for added security.

Re:Placing blame

[delinear]

You REALISE that "REALISE" is the correct ENGLISH spelling and "REALIZE" is an Americanism, meaning both are equally valid on a forum with an international user base with a significant number of users from both the UK and the US, right? There were plenty of other issues with GP's post, but to specifically pick up on this one demonstrates a pretty high degree of ignorance on your own part.

Re:Placing blame

Actually, I can see some passing similarities between not password protecting your voicemail and someone accessing it and not protecting your WiFi traffic and someone accessing it, but you're right, the mention of Android and Google are only in there because they're additional talking points (even if the consensus is "these are irrelevant to the story", that's still a response, which is all the blogger really cares about). The blame here lies with both the users who don't use passwords and with the telephone company that rely on something so easily spoofed to grant access - we all know there are lazy users, so for the company to not mitigate some of this on their behalf is pretty unforgivable.

Re:Placing blame

[delinear]

The spoofing services are doing you a favor by educating people about how easy it is to spoof CLI. Would you rather be totally naive and completely trusting when you get a call from your banks number and a guy with a nigerian accent cheerfully takes down your account details?

And the guy who steals a car that's been left idling in the drive is doing the owner a favour by highlighting how lax their security is, but that doesn't make his actions right. The people behind spoofing services know that they're going to be used for no good, and they're complicit in this. Of course, that doesn't negate your main point, that a more secure form of authentication would render the issue moot in this instance - my guess is that there's some cost overhead associated with this that AT&T are just trying to avoid.

Re:Placing blame

[delinear]

Google shouldn't have to do anything about the applications - not only are they not in violation of the TOS, but they enabled what is currently a perfectly legal (albeit incredibly shady) practice. The problem is when articles come along that make some tenuous connection and the bad press might not be something they want when they can just nuke the apps. Of course, we all know that's just brushing the issue under the carpet anyway, since people who are "hacking" other people's voicemail aren't likely to be bothered that they have to download the requisite apps from outside the market place. The correct response is to stop relying on caller ID and to enforce a password for new users by default.

Re:Placing blame

[delinear]

No, it is all their fault. Similarly, if Verizon are doing the same thing, then it's all their fault, too. Just because someone else is doing the same idiotic thing, that doesn't reduce their blame quotient. Even if it was industry wide, it would still be the fault of every company that didn't fix it (I could understand if it was an unknown or not-widely known issue, but seriously, this has been going on for years), the only thing that would make this "not all [their] fault" is if there was some overriding reason that they couldn't do things a different way (some law inhibiting the use of better authentication, for instance, but even there they could negate a lot of their responsibility by just insisting customers have to have a password).

Re:Placing blame

[delinear]

ANI can be spoofed too...

And people can pick the locks on your doors, it doesn't mean you shouldn't fit locks. If one method is slightly more secure (and it appears ANI is) then it pays to use that method even though it's still not 100% bullet proof.

Re:Placing blame

[mjwx]

The correct response is to stop relying on caller ID and to enforce a password for new users by default.

Relying on callerID is fine but a password must be enforced. The password is key, you already know my /. username but you dont have my password.

Of course, as you pointed out it's much easier for AT&T to blame Google then fix their own shoddy systems.

Re:Placing blame

[drinkypoo]

Bell? what is this "Bell" stuff you're talking about? All the baby bells have been gobbled up. AT&T and Verizon are all that's left...

MA BELL got the ill communication

They say that ma bell actually moved to Canada, but I think it's safe to say she's returning to the USA.

Re:Placing blame

[nametaken]

I was never really worried about anyone doing this to my voicemail (both unlikely, and nothing interesting to hear), so I used to have my asterisk system at home use my cellphone number for caller id when calling the att vm number. Presto, straight to cell vm from living room phone. Handy, but totally insecure. You can set a pin if you like though.

Re:Placing blame

[Bert64]

Well, when i leave my car idling on the drive (in winter to warm the engine up)...
I leave the key in the ignition, leave the vehicle and then use the remote to lock the doors (the remote is a separate fob not attached to the key used for starting the engine).

But stealing a car has no legitimate purpose, setting your own CLI has legitimate reasons, for instance when i make a work related call i want the CLI to show up as the main switchboard - i don't want customers calling me back at home or on my mobile, and i want those customers to see who's calling them.

Also when using voip services to make cheaper personal calls, i want the CLI to show my mobile number, so that the person being called knows who's calling and can call back if they miss my call. If it showed my landline or voip number then i may not be able to receive their return call.

Re:Placing blame

AT&T and Verizon are all that's left...

Your own link shows Quest and a few others contain parts of Ma Bell.

Comment removed

[account_deleted]

Comment removed based on user account deletion

passwords..

[random_ID]

Any politician dumb enough not to password protect EVERYTHING deserves the results. As for average joe customer, I could see some being surprised by this - ATT should probably change the system to require passcode/PIN.

Re:passwords..

[Lehk228]

without a password voicemail should only accept connections from the owners phone.

Re:passwords..

[random_ID]

Did you read the bit about caller ID spoofing?

Re:passwords..

[X0563511]

It's the damn phone company. If it's a landline, you mean to tell me they can't see what circuit it's coming from all the way back to your house?

If it's a cell, likewise - there are cell specific identifiers. namely the SIM details...

Re:passwords..

[markov_chain]

He's got a point. Why can't voice mail run over some data connection authenticated by the phone's unique ID or something similar? They certainly do billing that way. It is 2010, and voice mail still works by having the phone call out to a magic number- how antiquated!

Re:passwords..

without a password voicemail should only accept connections from the owners phone.

Swoosh!!!!
(that's the sound of the ID spoofing part going over your head)

Re:passwords..

[quetwo]

and how would things like roaming work? I'm sure there are lots of cases when you are not on your own carrier's network (even if it says it on your phone's screen).....

Re:passwords..

[tomhudson]

1-2-3-4-5

Local police station used that, a guy spent months messing around with informants, cops girlfriends (awkward when you can hear both the girlfriend and the wife leaving messages for the same cop), etc.

Arrested, charged, convicted, probation ... does it again!

The cops never changed the password.

Re:passwords..

[mcrbids]

without a password voicemail should only accept connections from the owners phone.

Uh, Whoosh?

You missed something here! See, the voicemail IS only accepting connections "from the owner's phone" - and that's determined by the caller ID. However, because Caller ID is easily spoofed in the right environments, this isn't a very secure solution...

Re:passwords..

[omnichad]

The same way that the roaming tower knows whom to bill for carrying the call. They can easily use ANI or SIM details to verify the identity - caller ID is just an info service, not a security mechanism.

Re:passwords..

[shutdown+-p+now]

and how would things like roaming work?

I would imagine in roughly the same way they use to determine whom to charge for roaming?

I mean, funny how they don't get these kinds of things wrong when it comes to billing, eh?

Re:passwords..

> If it's a landline, you mean to tell me they can't see what circuit it's coming from all the way back to your house?

No "they" can't, at least not in real-time. "They" in this case means AT&T, Verizon/MCI, Sprint, etc. -- any of the large telcos. The infrastructure is simply too big (circuit-wise, switch-wise, etc.), too old, and too "dumb" (in a literal sense) to provide this in real-time. This is not Ethernet we're talking about here.

Validation based on ANI (this is not the same as Caller ID) is possible, since an ANI isn't spoofable on classic telco networks...... except with the introduction of VoIP into the fray, ANI spoofing is achievable since many VoIP-to-TDM carriers permit/pass user (LEC)-defined ANIs. Yes, I said user-passed ANI, and I mean it.

Here's a better idea: induce password requirements on a customer's voicemail. Minimum of 4 digits, no repeating numbers ("0000" is invalid). It USED to be this way (back when I subscribed to voicemail services in 1998). So why has this changed? Fix that and done, problem solved, next issue.

Re:passwords..

[MichaelSmith]

Similar problem with default wifi router passwords. If the default password was set to the serial number of the device, hacking would be more difficult. Not perfect, but better. For a mobile phone the voicemail password could be part of the IMEI. Then you can set what you want. Not sure about land lines. Maybe something from the subscribers personal information? Their date of birth for example.

Re:passwords..

[greerga]

Back when I worked at an ISP, the dial-up PRI (http://en.wikipedia.org/wiki/Primary_rate_interface) could see caller ID even if it was blocked. The PRI was through Sprint IIRC and the local telco was Cincinnati Bell, so it wasn't the same system.

Re:passwords..

[macguys]

He's got a point. Why can't voice mail run over some data connection authenticated by the phone's unique ID or something similar? They certainly do billing that way. It is 2010, and voice mail still works by having the phone call out to a magic number- how antiquated!

Doesn't that defeat the whole "GSM; move your SIM from one phone to another" thing?

Re:passwords..

[LBt1st]

You'd think the phone company could use better methods to determine this. As other people have pointed out, they don't use Call ID to handle billing. Why should voicemail be any different?

Re:passwords..

[mlts]

Even that isn't really secure. If someone can spoof ANI requests, they can just keep calling until they go through all 4 digits, perhaps more digits if they feel like it. I don't think voice mail systems have a lockout/time delay if someone is trying to guess the PIN.

In reality, the best way a cellular provider could handle this would be to have the protocol (GSM, etc) have a private key on the SIM card, and when the VM system is called, do a challenge/response (signing a timestamp + nonce value for example) then allow or deny voicemail access on that. Since 4G systems are VoIP anyway, why not use SSL and client certificates and treat the SIM card as a smart card/cryptographic token, do the key exchange, then finish up with the voice based system. The authentication process would be transparent to the phone owner, but completely deny spoofing unless the attacker can factor RSA keys in real time.

Re:passwords..

[sjames]

But in this case, it's an AT&T voicemail on the AT&T network being called from an AT&T customer account. If they can figure out who to bill for minutes, they can figure out what phone is calling. If they CAN'T, it's time to just shut the network off and call it a day.

Re:passwords..

no, your auth token is in SIM ... not in dumb device you put the SIM in.
Next question?

Re:passwords..

[Khyber]

"Did you read the bit about caller ID spoofing?"

Totally fucking irrelevant. You know what identifies you on a cellular system more than any other fucking thing? The MAC of the phone you registered to the damned service. Unless they got some new boneheaded system in place I'm not aware of, the MAC of every damned phone it printed right behind the fucking battery.

Re:passwords..

[delinear]

If that's true, how can I drop my SIM into an unlocked but unregistered phone and still get billed? There must be some other way the phone company is identifying me for billing purposes, it's not by my number and it's definitely not by MAC or I'd get a prompt to register whenever I got a new handset. If there is money involved then there will be a reliable, secure system at the root of this, and if they have it for billing there's no reason they can't leverage it for voicemail.

Re:passwords..

[Bert64]

The CLI just has a flag on it that says "this is meant to be blocked", the telco usually sees that flag and doesnt forward the cli to the end customer but the telco obviously has the cli still...

Re:passwords..

[ctchristmas]

Those cops must have been fans of spaceballs.

Re:passwords..

[justleavealonemmmkay]

Using CAMEL (Intelligent Networking for Mobile), route the untrusted call to the any point in your network which has a trusted route to the VM system. Set up a second leg from that point to VM, using trusted info like the IMSI.

This solution has been up for the last 6 years on our PLMN.

Re:passwords..

[Khyber]

Why are you using insecure SIM cards in the first place? That system has been hacked, cracked, and even I made a few thousand dollars showing people how to do it with a card reader and HEX editor.

And the SIM contains all the information required for the account - which is why it's so easy to hijack.

Re:passwords..

[CompMD]

You just described how T-Mobile's Visual Voicemail works on my Garminfone. The message goes to my regular voicemail, and then it is downloaded to my phone as an audio file I can play through a GUI on the phone.

BREAKING NEWS

Not using a password allows hackers access to your data!

More at 11.

THIS IS NOT A PROBLEM !!

This is a good thing for all concerned !! Voice mail is for numbnuts/eggsax !! Easy is required !!

Re:THIS IS NOT A PROBLEM !!

[TheVelvetFlamebait]

It's kind of sad how many situations this cut-and-paste troll is appropriate.

They Deserve It

[j0hnyquest]

If you don't have a password on your voicemail, you deserve to have it hacked into. Plain and simple.

Re:They Deserve It

If you don't have a password on your voicemail, you deserve to have it hacked into. Plain and simple.

I have a password on my voicemail. 1.3.3.7. Same as my luggage!

Re:They Deserve It

[jeppster]

My wife forgot to lock our house door one night and we were burglarized. By your logic, we deserved that. Good to know; I appreciate the heads up, and I'll be sure to let her know.

Re:They Deserve It

[victorhooi]

heya,

Look, I don't think the parent means you deserve it, in some grand-cosmic karma scheme or something.

I think what he's referring to is that, well, you have to take responsibility for securing your belongings.

It's simple common-sense. In Australia, if I leave my car unlocked in a car-park, and then come back to find my stuff inside gone, if I go to the police and report it, I doubt they'll have a lot of sympathy for me. They'll probably write me off as an idiot - and rightly so. Everybody makes mistakes, but sometimes *touch wood* you have to take responsibiltiy for them.

So while the story about your wife and you being burglarised is sad - ultimately you're adults, you have to take responsibility for your own mistakes. In this case, it was forgetting to lock the doors. That's not to say theft isn't wrong, but I think it's sad how people today don't seem to want to take responsibility for themselves.

It's like those kids who come out crying, boo-hoo, I'm pregnant, my life is ruined, blah blah blah. Well, whoop-de-doo, you chose to have intercourse, who's fault is that? And you chose to do it without using contraception, even smarter. Idiots.

Cheers,
Victor

Re:They Deserve It

If you don't wear a seatbelt when you're driving at over 30mph, you deserve to have me suddenly hit the brakes when I'm driving ahead of you so you rear-end me and slam your head into your windshield. Plain and simple.

If you don't look at which alley you're walking down, you deserve to have me pop out behind a garbage can and mug your sorry ass. Plain and simple.

If you don't park straight in a standard public parking lot and allow me to park safely, you deserve to have me key your car and/or pop your tires. Plain and simple.

Ain't karma a bitch?

Re:They Deserve It

[DavidD_CA]

How many people even know to put a password on their cellphone voicemail?

I wouldn't expect to need to, since I was never asked for one in the first place nor did any instructions or guidance tell me otherwise.

Re:They Deserve It

Even if you do have a password, with this method, anyone can access your voicemail and guess it. No one should even have the opportunity to try a password except you.

Re:They Deserve It

Did you mean "we were burgled", or did they really turn you and your wife into burglars?

Re:They Deserve It

while it would suck and would still be illegal, there are two faults in your application of his logic.

First, in this analogy your wife, and yourself, would have never locked the doors on your house before. You don't even have a key, though the house is setup for you to use one if you wish.

Additionally, being hacked and burglarized are different. In this analogy someone would have broken in, looked at all your stuff, and might possibly lock the door to which you've never taken the key.

Re:They Deserve It

[Michael+Kristopeit]

No one should even have the opportunity to try a password except you.

uhh... then why have a password?

Re:They Deserve It

[Nirvelli]

Most people have no idea they can access their voicemail from other phones. Most people only know that when their cell phone says "you have a message" then they can push the special button and check it and that's it. They think, "The only time somebody can listen to my voicemail is if they steal my phone."
Why would they ever think to put on a password? As far as they know, there's absolutely no reason to. They probably don't even know you can have a password on it.

Re:They Deserve It

[nobodyman]

I think most people would agree with you in the abstract, but keep in mind that the majority of mobile phone owners don't even know that such a thing is even possible. We know better so we use passwords. The thing is, AT&T also knows better, and they have the ability to mitigate the risk, but are doing nothing. Shouldn't they be held at least partially responsible?

Re:They Deserve It

[cgenman]

Why should you lock your voicemail if the only phone that is supposed to have access to it is your own?

If someone is spoofing your phone to your phone company, there are much bigger problems. It isn't impossible, but phone cloning is much harder to do now than in the early days of drive-by number stealing. These days the phone companies have pretty solid ways of knowing who you are for billing and other purposes. Yet they use caller-ID to determine voicemail access? That's just a bad implementation.

Re:They Deserve It

[MobileTatsu-NJG]

My wife forgot to lock our house door one night and we were burglarized. By your logic, we deserved that.

I think for his logic to be interpreted correctly, you only deserved it if you left your house unlocked all the time.

Re:They Deserve It

burgle (bûrgl): To burglarize.

Your welcome.

Re:They Deserve It

[pipedwho]

Think on the bright side, at least the door jamb and locks weren't damaged during the 'break and enter'.

Re:They Deserve It

[Urza9814]

What carrier are you on? On Verizon (at least when I got my phone), it won't let you do _anything_ with your voicemail until you've set a password. This kind of 'hack' has been around for many, many years. Any carrier that doesn't require a voicemail password is being _extremely_ negligent.

Re:They Deserve It

[sjames]

Since it's SUPPOSED to only be accessible from your own phone, IT IS NOT THE USER'S FAULT!

Most people would naturally believe that THE PHONE COMPANY knows what number you're calling from. Apparently, AT&T only gives a flip about that when it comes to billing.

Re:They Deserve It

[DavidD_CA]

I used AT&T voicemail (now I have a third-party voicemail service).

And I don't recall ever having to set a password, let alone dial my password every time I'd check my voicemail.

Re:They Deserve It

Actually, in Victoria at least the police will fine you for leaving your car unlocked :-/

As for the thief, it's still theft, and the police will treat it as such, which probably means they'll take your details, perhaps dust the car for prints, then fill in the paperwork so you can make an insurance claim.

Re:They Deserve It

[mlts]

T-Mobile forces you to set a PIN, but leaves it up to you if you want it enabled when calling in on your own phone.

Re:They Deserve It

How many people even know to put a password on their cellphone voicemail?

I wouldn't expect to need to, since I was never asked for one in the first place nor did any instructions or guidance tell me otherwise.

All modern day voicemail accounts repeatedly annoy you to do so when setting it up.

Re:They Deserve It

AT&T's customers don't deserve this. But AT&T does.

Re:They Deserve It

All modern day voicemail accounts force you to set a PIN, but they rarely force you to enter the PIN when dialing in from your own number.

Re:They Deserve It

[pavon]

Same here with both Verizon and T-Mobile.

Re:They Deserve It

[blackicye]

My wife forgot to lock our house door one night and we were burglarized. By your logic, we deserved that. Good to know; I appreciate the heads up, and I'll be sure to let her know.

This is more akin to your locksmith knowing that your door was left unlockable every night and not informing you that he wasn't able to make it such that you could actually lock your door before you go to bed.

Re:They Deserve It

[mjwx]

My wife forgot to lock our house door one night and we were burglarized. By your logic, we deserved that. Good to know; I appreciate the heads up, and I'll be sure to let her know.

If your wife regally forgets to lock your house door then yes, yes you did deserve to get robbed.

By the same token if you don't put a password on important information stores then it's your own fault when someone just walks in a takes/modifies/deletes your info.

Re:They Deserve It

[mjwx]

It's simple common-sense. In Australia, if I leave my car unlocked in a car-park, and then come back to find my stuff inside gone, if I go to the police and report it, I doubt they'll have a lot of sympathy for me. They'll probably write me off as an idiot - and rightly so. Everybody makes mistakes, but sometimes *touch wood* you have to take responsibiltiy for them.

The Police dont have to care but they still have to act on any information (I.E. they find your stuff or the car park had CCTV security installed). Now your insurance company, that's a whole different story. If you left your car unlocked you are "negligent" and they really don't have to care. I generally go by "would this be covered by my Insurance" when thinking about how well to secure something.

Re:They Deserve It

[ArsenneLupin]

My wife forgot to lock our house door one night and we were burglarized.

More like "my wife forgot to lock our bedroom door one night, and a thief got in and stole the jewelry out of the nightstand. I didn't know that our front door locks could be so easily picked and that we were supposed to lock the doors within our house as well."

If voice-mail are "protected" by caller-id, most users (... and apparently the telco too...) will think that an "additional" protection (the password) is not needed.

The system designers should either use ANI (less easily spoofable), or not rely on any caller identification at all, rather than giving a "false sense of security" both to their customers and to the employees who configure the default password.

Re:They Deserve It

[delinear]

There's also no AT&T figure in his analogy. If you're paying someone to look after the security of your house and you have a reasonable expectation that they've locked the doors (or added some external security that negates your need to lock your doors) then it's still responsible of you to check your own doors are locked, but it's less irresponsible if you just assume it's been taken care of on your behalf.

Re:They Deserve It

[delinear]

Yeah, I recently had to to this when switching carriers from Vodafone to O2 - it wouldn't let me check my voicemail because I'd not set a password, but once I set it, it never asked for it again unless I try and access my mail from a different number. An average user will likely think the password is only for that situation, there was nothing to prompt me to enable the password when dialling from my own number, it was just assumed I'd want this turned off as a convenience.

Re:They Deserve It

[Bert64]

Most insurers will require that you take reasonable measures to protect the items being insured, locking the car is one of those reasonable measures and if you left it unlocked the insurance will likely be declared void and you won't get anything.

Re:They Deserve It

Yep , the party at fault here is the Telco provider. Their servers are insecure, and their customers are suffering.

Think of it like this: WebServer talks to Browser ... any decent web developer will tell you that you NEVER trust anything coming from the client (browser) ... that means even though you validated the input with some javascript, you still need to validate the incoming variables serverside, because the client can (maliciously) alter the javascript. The server bit is the only part you have control over.

It's the same thing! ... GSM module in phone talks to Telco Cell Networks ... they're just blindly trusting whatever is coming from the GSM module.

I realize there must be budget / time constraints / network standards they must adhere to ... but smart phones are getting smarter, and the public are getting more and more capable every day. The Telcos have to move with the times and stop shit like this happening. It's 2010 people, get your cocks out of your hands and step up.

Heck, the Telcos shouldn't assume anything on the client side. I am working on a project in my spare time at the moment that involves a GSM module, and I'm talking to the GSM network and I am totally astonished at how bloody shaky the standards and networks are.

Re:They Deserve It

[mcgrew]

The trouble is, most people (especially older ones) equate voicemail with an answering machine. The figure they never needed a password on an answering machine so they shouldn't use one for voicemail. Of course, that's like comparing a non-networked PC to one on the internet; you never needed a password for DOS.

Remember, half the world has a two digit IQ, and even among those with three digits most don't really understand how computers work, or even that their phone is actually a computer with a two way radio in it. Most people think it's just like their 1962 AT&T phone, with some kind of magic that makes cords and wires unnecessary.

Re:They Deserve It

Actually since your in australia and we cant think for ourselves the police wont just not care. but you will get a few hundred dollar fine for leaving it unlocked.

Re:They Deserve It

[victorhooi]

heya,

Lol, can't tell if your'e being sarcastic or not.

The first seems to be simple application of the Darwin-award. It's like Princess Diana, and how she apparently wasn't wearing a seatbelt. Look, boo-hoo, Princess of the People, and all, but seriously, you get into a high-speed car chase and you forget to wear a seatbelt? People that don't wear seat-belts are retarded. And I've not worn my seatbelt before - sometimes I've been rushed and it takes me a minute or so before I realise I forgot, or I was on my parent's property, and driving around in the truck.

In either of those two cases, if something happened, I'd hope I'd be man enough to say, "gee, that was stupid. I forgot to put it on. I deserve what's coming". See, personal responsibility, seems to be a dirty word these days.

Your second case - err, why it may not be your fault, in Sydney, it'd be like intentionally walking around in say Blacktown, or Parramatta (two not so good suburbs) in the middle of the night, with say, decent clothes on. You're just asking for trouble. And the police will have little sympathy for you if you get mugged, and don't really have a reason to be there.

Once, I was in Redfern (another not-so-decent neighbourhood, or it was before), taking street photographs on my SLR, and interviewing the locals. Unmarked police car came up to me, and two cops said, "Mate, we don't want you to be here. We don't want you coming up to the station in ten minutes with a broken nose. Get out of here.". They were a bit tactless, but I do see their point.

And your third example, this is a pet hate. If you illegally park, and your car gets damaged, suck it up. Seriously, I hate people who illegally park. They do it in shopping centres in Australia all the time. It shows a general selfishness, and disregard for other people - it's like, stuff you, I'm really important, so I'm just going to park here because I feel like it. If you car gets damaged, the police won't give a toss, and I doubt insurance will cover you either.

Cheers,
Victor

So what's new?

This has been a problem for years. VOIP makes caller id spoofing trivial and is supported as a feature just about everywhere. The problem is the fact that VOIP is bolted on to existing infrastructure. An ip call terminating into the pstn has no inherit phone number since (obviously) it's not originating in the pstn. The solution? You can pick our own caller id.

Re:So what's new?

Yes, exactly, this is news to no one at all.

Anyway, hopefully this little bit of hysteria will assist in hastening the demise of cellular voicemail, in favor of secure IP-based voicemail services, like Google Voice. Incidentally, Google even provides (optional) voicemail access over the phone... the account holder can toggle automatic CallerID-access (with a big warning). But phone access shouldn't be enabled -- even if passworded -- unless absolutely necessary.

Re:So what's new?

[DarthBart]

Its not specifically "VOIP" that lets you do it. It's the fact that most telcos will just pass along the Calling Party Number handed to them on the ISDN setup message, as rightly they should. If I purchase a PRI from a telco to say, share between businesses in an office complex, and get assigned a block of 10 DIDs, when I place an outgoing call on the circuit, how does the telco know what CID to set for the business placing the call.

Now, granted, there is ANI, which is often set to the main "Bill-To Number" on your customer account, and that is used in the event of a call to 911. But you almost always have to have a direct SS7 connection to get or set the ANI. Very rarely will you find a an end user that has SS7 capability.

It is the responsibility of the circuit end user to ensure that their customers are not playing mickey mouse games with CID. As a former administrator of a very large Asterisk deployment, I laid out the dialplans and configurations so that if someone was trying to set their CID to something outside of our DID pool, the system would reject the call and play a message about not setting bogus CIDs.
 

Re:So what's new?

[AK+Marc]

how does the telco know what CID to set for the business placing the call.

How about they don't set the CID, but strip it if the number handed to them isn't authorized on that line? That would fix the problem in most cases.

Re:So what's new?

[pipedwho]

Its not specifically "VOIP" that lets you do it. It's the fact that most telcos will just pass along the Calling Party Number handed to them on the ISDN setup message, as rightly they should. If I purchase a PRI from a telco to say, share between businesses in an office complex, and get assigned a block of 10 DIDs, when I place an outgoing call on the circuit, how does the telco know what CID to set for the business placing the call.

It should also be the responsibility of the up line provider to make sure that the advertised caller IDs are either blank or valid before passing them on. If an advertised caller ID isn't a subset of the valid subscribed numbers for its respective down line segment, then it should either be blanked or invalidated.

Re:So what's new?

Nothing new.

The mechanism for that is well established and available in ISDN, SS7, SIP, H.323 and other protocols, VoIP or PSTN.

What is lacking is ingress filtering. If the call comes from an untrusted connection any "network provided" or "client provided, screened" flag must be discarded. When the call is delivered to the end user or application (voicemail) the CLI must be erased or flagged as untrusted.

Also if a trusted provider is found to send calls with a forged ANI it should be disconnected and sued - at least for break of contract. End users should also sue their providers for allowing unauthorized access else they would have no economic incentive of refusing to interconnect with shady providers.

How many politicians...

[TheEyes]

"How many politicians up in arms about Google Wi-Fi sniffing will want to know more about this?"

Answer: none, since Microsoft isn't paying them to target AT&T.

OP Notes On Post

I am the one who posted this - it is my first Slashdot submission. Please don't flame too hard. I am posting anon because I am a convicted hacker on probation. I just wanted to add that we noticed a side effect of doing this: If the target is using an Iphone, their Visual Voicemail will prompt for a password the moment the attacker logs out of their voicemail box. The target must then reset their VM password.

Re:OP Notes On Post

[MichaelSmith]

I am posting anon because I am a convicted hacker on probation.

So you expect that posting anonymous will prevent the police from identifying you? You can't be a very good "hacker" if you believe that.

Re:OP Notes On Post

also, I love to suck the big black cock.

Re:OP Notes On Post

Slashdot doesn't log IPs, so there is nothing that can be identified by the police.

Re:OP Notes On Post

[MichaelSmith]

Slashdot doesn't log IPs, so there is nothing that can be identified by the police.

So how do ACs get banned?

Re:OP Notes On Post

I just want to be clear - THAT was not "me". I only suck white cocks. I have TMJ you know...

Re:OP Notes On Post

I just want to be clear - THAT was not "me". I only suck white cocks. I have TMJ you know...

I also rape my 9 cats.

Re:OP Notes On Post

[delinear]

To be fair, he did say he was a convicted hacker - maybe it's the "not getting caught" bit that he's rubbish at, in which case his post and your own aren't mutually exclusive and he can expect a knock on the door any time now :)

Re:OP Notes On Post

[mcgrew]

I am posting anon because I am a convicted hacker on probation.

Dude, if your probation terms say you can't touch a compuer, don't touch a computer!! Jesus, man, you want to go back to prison?

Re:Any other phone?

[reaper]

Ya, I did it with Asterisk a while back. Found out accidentally when I dialed my cell phone while setting my call ID to my cell's number. So I tried it with a friend's number. Hilarity ensued.

years old vulnerability

[SuperBanana]

I fail to see how Android is at fault here. That is basically how voicemail is intended to work, and if you don't put a password on it, you're just as much to blame - same as with any computerized system. The fact that you're spoofing it using an Android app is irrelevant.

Yep, this is such old news it's not even funny. It is a years-old vulnerability that was covered years ago in slashdot, among other places- I couldn't find any articles with a lazy google search, but I did turn up a comment talking about this very problem from 2006. Carriers have known about the issue for half a decade or more.

The only point I see TFA trying to make in a very roundabout way is that because the Android market is more open than Apple's, stuff like this "can happen", which is slightly true.

Re:years old vulnerability

[nxtw]

Holy shit, that post looks familiar.

spoofing soon to be illegal

house and senate have both passed bills

wouldn't want to be the first test case if you got caught

Re:spoofing soon to be illegal

house and senate have both passed bills

wouldn't want to be the first test case if you got caught

OP Agrees

Re:Any other phone?

[jothar+hillpeople]

I did this on a Verizon Droid using a spoof app, to a Verizon number. Not on purpose- i was trying to goof on a friend by having his phone ring with his own number. Then i got the voicemail prompt, and i hung up.

Not just Android

[agent_vee]

My friend used a application like this to fake his caller ID using his iPhone. Though it might have required jailbreaking to install.

Re:Any other phone?

You can do this with many VOIP services. I have done it with an asterisk box and a PRI (T-1).

Nothing new

Also available for BlackBerry or PC. I've been able to do this for at least a year now..

Voicemail shoud only accept the users phone...

[s0litaire]

...IMEI rather than phone No.

As well as a password.

If you get a new phone! all you need to do is link your new IMEI and remove the old one. It's more secure and pushes things up a notch legal-wise if someone tries to spoof a IMEI!!

Re:Voicemail shoud only accept the users phone...

[mjwx]

...IMEI rather than phone No.

What if I change phones? My old phone breaks and I buy the $40 special from JB HiFi.

I have to call the phone companies customer disservice line and get my new IMEI assigned to my voicemail account and hope they dont screw it up in the six to eight weeks it takes them to do anything.

A better solution is to enforce voicemail passwords. They already make you set a message before activating it, adding a requirement for a 4 digit min numerical password should be trivial.

iPhone makes you enter password on setup

[SuperKendall]

Is the default really no password for most AT&T phones? I seem to recall part of the iPhone setup requiring you to enter a vmail password.

Re:iPhone makes you enter password on setup

[mysidia]

For visual voicemail, not dial-in voicemail.

However, just because you set a voicemail password, doesn't mean you have enabled it.

Yeah.. that's right, you gotta dial in and establish the password first.

(That doesn't turn prompting on)

You have to go into the menus and enable a different special option for it to actually ever ask for the password when you dial-in from your number.

Re:iPhone makes you enter password on setup

[FSWKU]

AT&T should make setting up a password the first thing you do on your voicemail. Set it initially to say, the last 4 digits of your account #, then change it from there. The current process is as follows:

1. Press 2 for Administrative Options
2. Press 1 for Passwords
3. Press 1 to set a password
4. Set your password
5. Get dumped back to the main menu
6. Press 2 for Administrative Options
7. Press 1 for Passwords
8. Press 2 to turn your password on

Re:Any other phone?

I was able to change the number my work landline displayed and was able to access my ATT voicemail after I removed my password. We use a NEC IPK II for our voicemail system and it literally takes a few seconds to change the outgoing number for a phone.

Because that's not how vmail is used

[SuperKendall]

He's got a point. Why can't voice mail run over some data connection authenticated by the phone's unique ID or something similar?

Because most people expect to be able to check voicemail even when the phone is not working or with them. People WANT a number they can call, from anywhere, and check voicemail.

Re:Because that's not how vmail is used

[pipedwho]

He's got a point. Why can't voice mail run over some data connection authenticated by the phone's unique ID or something similar?

Because most people expect to be able to check voicemail even when the phone is not working or with them. People WANT a number they can call, from anywhere, and check voicemail.

'Most' people I know use their mobiles for pretty much everything. I would hazard a guess that it is an incredibly small percentage of mobile phone users that actually WANT a universally accessible voice mail service.

In fact, most people I know hardly ever bother to even check their voice mail - they rely purely on SMS and their phone's 'recent missed calls' list. If their phone stopped working or wasn't available, access to voice mail would be the least of their problems.

Re:Because that's not how vmail is used

[PopeRatzo]

'Most' people I know use their mobiles for pretty much everything. I would hazard a guess that it is an incredibly small percentage of mobile phone users that actually WANT a universally accessible voice mail service.

So then, just require a password when calling from any phone besides the cellular phone to which the voice mail account is associated.

This is hardly an insurmountable technical issue. There's no reason you couldn't just have calls from the cell phone access the voice mail directly, but if you want to use a different phone to get you voice mail, you need to enter a 4 digit PIN or something (at least).

You can't get an email account without a password, so why should people expect voicemail to be any different, "for convenience"?

Re:Because that's not how vmail is used

[pipedwho]

I completely agree with this. For those that want the additional 'universal voice mail access' service, let them enable it separately and force it to require a valid password/PIN.

Re:Because that's not how vmail is used

I use uReach as my voice mail. I have an 800 number. I set it up on my AT&T phone. The phone now has a pop-up menu allowing me to choose which one I want to default to. People call and I can see their number even if they have caller id block on. Someone spoofing can't hack it because it's a separate system and it has a password. Not those 4 digit kind that are so easy to break.

Unfortunately the gang here is a lot more savvy then the average Joe/Joan. I have seen execs that have other people check their email and voicemail because they couldn't figure it out to save their lives. This doesn't mean they are stupid by any means. They can recall the details of a 30 page contract point by point. They are just not mechanically inclined.

AT&T needs to protect their customers. Not doing so just means they are lazy and deserve what ever they get (come Jan 1, 2011 when they open up the iPhone to Verizon)

I was unaware of the spoofing thing though, and I consider myself pretty technically savvy. This should be fixed immediately. Let the customer take off the password if they like. I always assumed that if it wasn't calling my uReach voicemail then when it called AT&T's system it was also pausing and entering a password after that was already keyed in on the phone. You know what they say about when you ASSUME!

Re:Because that's not how vmail is used

Here's a much better way.

[Voice Mail Lady]: Please enter your password.
[You]: Beep, boop, beep, Beep
[VML]: You have no new messages, if you would like to change your change your settings press one, if you would like to add this mobile phone to the list of trusted phones press 2
[You]: Beep (2)
[VML]: retrieving sim data, signing it and returning signature, please hold..... finished, you may now access this voice mail box without a password.

Well, either that, or just require a password each time.

AT&T hardware has the same loophole

[tompaulco]

I had an AT&T answering machine which you could access remotely. I, of course, had set the pin. However, someone still managed to get in and hack it and changed my greeting to something about sucking male genitalia. I was not amused. I ended up disabling the remote access completely since apparently any old idiot can call in and figure out how to get into the menus.

Re:AT&T hardware has the same loophole

Heh, but that sounds like a personal attack. I suspect you were the victim of social engineering/hacking, rather than Caller Id spoofing. They probably guessed your code, because it was probably something meaningful to you. Or they watched you type it.

Re:Any other phone?

[nobodyman]

I agree that it's not Google's fault, but I think the point is that Android lowers the bar for someone attempting this. Configuring asterisk to spoof caller ID and retrieving voicemail is possible, but relatively few have the proficiency to do this. Any idiot can buy an Android phone.

Who cares?

[Stiletto]

Who cares about locking down their voicemail? What is a "hacker" going to do to me with my voicemail messages? Should I be afraid that Mr. Hacker knows that my wife is picking up cereal and eggs at Safeway this afternoon? Or that my buddy wants to go out for beer after work?

As Steve Jobs once said, "This is a non-issue."

Re:Who cares?

[ColdWetDog]

Who cares about locking down their voicemail? What is a "hacker" going to do to me with my voicemail messages?

Dear Mr. / Ms. Politico: I talked to my boss and he's cool with the plan. We will wire you your 1 million dollars into the account of your choice, you just have to push our bill through. Let me know what you want to do.

Thanks,
Your local lobbyist

Or somesuch similar conversation. Not everybody's life is as boring as ours is.

Re:Who cares?

[wembley+fraggle]

I had heard of a scam wherein hackers change your outgoing voicemail message to be "I accept the charges", and then call you collect from one of those strange high-priced calling codes. Effectively, you end up responsible for a huge phone bill, some percentage of which goes to the hackers.

This could be one of those urban legends too- it's late and I'm too tired to confirm it right now, but one can at least see how this isn't necessarily a non-issue.

Re:Who cares?

This is all good until your mistress calls and leaves a message or your employer manages to find out you've been looking for better opportunities.

Re:Who cares?

[PinkyGigglebrain]

A couple things I could think of off the top of my head that might make this an issue for you if somebody hacked your VM;
Lock you out of your VM for laughs. Sure, no biggie to fix but a hassle.
Plant some messages on your phone and then attract the attention of the police by calling someone I knew was being monitored by the DEA and spoofing your number to them. Have fun deneying that you don't know "Jose" or anything about a drug deal
Change your message to something threatening against the Pres., VP or PM depending where you live (a properly worded greeting would be easy) and then maybe call the Feds to report it. Have fun explaining it.

If you don't care that's fine, just try to remember that things that are "non-issue" to you may be very big issues to someone else.

Re:Who cares?

[Bert64]

Another thing they do..
Some voicemail systems allow you to redirect to another number, so they will redirect your voicemail to a premium rate line in another country and then dial into your voicemail locally, leaving you liable for the expensive call.

Re:Who cares?

[Bert64]

You could plant messages on a voicemail system without having to have access to it, just call it up and leave a message... A good lawyer will point that out in court and it won't go anywhere.

Re:Who cares?

[mcgrew]

Not everybody's life is as boring as ours is.

You're doing it wrong if you're bored with it. How can a thing be both fascinating and boring?

Re:Who cares?

Dude, if you've got people leaving messages like that, you've got bigger problems. Anyone who actually DOES sneaky shit regularly is a bit smarter than that... the ones who AREN'T don't do it REGULARLY because they get caught.

Re:Who cares?

[PinkyGigglebrain]

Good point, but if they had been moved to the saved email folder it might take a bit more explaining. But as you point out a good lawyer should be able to handle it in that scenario.

Of course you still have to pay for the lawyer and deal with law enforcement before it all gets cleared up.

I think my point has been made, just because a person only gets boring messages the risk of getting your VM account compromised should not be casually ignored. There are other ways it an cause a person trouble beyond someone knowing their wife wants them to pick up some eggs on the way home.

Old news

[TimeOut42]

Old news.... Not an Android issue... Not an AT&T issue... Sounds like a disgruntled Pocket user... This is what you get when you can't be bothered to set a passkey on your voice mail. Hacking....P'shaw...

TimeOut

ad

Hilariously the advirtisement for this artilcle in g reader is for spoof card "the number 1 caller I'd spoofer"

Hari Gottipati

How old is this? I read about this back in 2006. Check this http://www.oreillynet.com/onlamp/blog/2006/02/exploit_cingular_voicemail_vul.html. Why it is a news now? Matter of the fact, it's not just from Android - you can do this from any phone with the caller id spoof app or connect the spoofing device to any phone and do it.

Precisely

[baileydau]

callerid is not the same as the ANI number on the call. The ANI is what is used to bill.

I think that was exactly the GPs point.

If they used the ANI rather than the caller ID, there wouldn't be a problem.

Re:Precisely

[mcvos]

Seems rather obvious, doesn't it? Rely on something that's reliable, rather than something that can be spoofed.

slashdot worthy?

[ZeroNullVoid]

please tell me this is slashdot worthy?

I see this post as the same thing as saying one of the following:

You can hack into a car by throwing your android phone really hard at a window.
There is an app on your android phone that makes it so you can steal money from people, just put it in your pocket, hold it to their back and pretend it is a gun while asking for everything they have.
Hack your McDonald hamburger by taking the buns and putting them on your head and calling them your alien receptors.
Hack your microwave, stick your android in it for 10 minutes while running this "insert ad here" app.
Hack the airwaves, play music on your android.

Re:slashdot worthy?

[delinear]

Google Earth - hack the planet!

Re:slashdot worthy?

Hack your microwave, stick your android in it for 10 minutes while running this "insert ad here" app.

Which app?!? Does this work with all microwaves?

...what?

[Urza9814]

AT&T _still_ doesn't require a voicemail password? I thought pretty much every carrier did because of exactly this kind of trick. It surely didn't start with Android - I remember reading about it years ago, and it was old news even then.

But hell, anyone stupid enough to still use AT&T, when it seems that every week they're losing thousands of customer records, deserves anything that happens.

Re:...what?

[mcgrew]

Well, right now your choice is iPhone and AT&T, or no iPhone. If you're one of the poor souls who've contracted iPhone fever you're screwed until Verizon gets it together, and I would posit that they are almost as bad as AT&T. I've had both carriers and they both suck, though AT&T sucks harder.

Welcome to 10 years ago

Its always worked this way.

Put a password on it...

Drug Trafficking in 5..4..3..

[swabeui]

A problem that companies run into from time to time is voicemail hijacking from drug traffickers. They create an account and place outgoing calls from within the company. I can see the same thing happening here. If they want to get really clever they can jump their call through a few voicemail accounts. Even if a call was tapped/traced it would probably take days or weeks (if ever) to trace down the real source. Certainly takes the power of wiretapping a few notches.

Come on guys, the world NEEDS our ideas!

If their best guess, phone # on caller ID, can't be trusted and the customer can't be bothered to make a password, how might the service know who it is dealing with? Psychic powers of awesomeness? I know the company could ENFORCE passwords, but we all know what those would like look like anyway. As far as I can guess, the only solution is......enforce a password, as shitty as it might be........because it would be something. Is it perfect? hells to the no, but that's the best my puny brain can come up with.

But, I KNOW you guys are smart, so focus on the SOLUTIONS to this problem, the world needs our brains! Please someone with more smarts give us an idea of the best way to pwn the haxors.

Requirement

[phorm]

I seem to remember that on my carrier, the first thing you're required to do when entering voicemail is to set a password.
Of course, if you've never used your voicemail, then you won't be required to do so, but then it's silly to be paying for that feature, isn't it.

Something similar was true in the UK too

[choco]

I haven't tried for a couple of years, but accessing voicemail by spoofing CLI certainly used to work on at least two UK mobile networks (N.B. I tested it using my own accounts).

Many people are not aware how easy it can be to spoof CLI in the UK.

Re:Something similar was true in the UK too

[RMH101]

Most networks have an option for users to access their voicemail from another line - it's handy if you lose your phone. This is usually either a dedicated v/m number where you dial, type in your mobile number, then your 4 digit PIN (most networks have a default of 0000 and many people never change it) or you ring your own number and press # when thru to voicemail, then type in the default PIN.
Disreputable newspaper reporters have long known about this...

What are the names of those applications?

[RichiH]

List needed.

Re:Any other phone?

[Xentan]

I've tried this in sweden with several carries and my asterisk. Not a single one will accept another CID than my phone number, except a blank one.

Its at the carriers discrestion though. After much trouble, at the company i work for, we finally was able to set any of our own numbers to any outgoing call we made. We had 100 numbers.

Re:Any other phone?

[delinear]

Well hopefully some good will come of it in the form of it raising people's awareness to the point where big telcos can no longer just ignore the problem and hope it goes away.

How many?

[ScrewMaster]

How many politicians up in arms about Google Wi-Fi sniffing will want to know more about this?

Answer: none. Nobody knows Washington better than AT&T.

Caller ID spoofing

[damn_registrars]

IANAL but I thought that caller ID spoofing was illegal, as by doing so you are using someone else's identity without their consent.

ATT doesn't make hardware

ATT hasn't been in the hardware business for almost 15 years.

ATT-branded hardware was made by Lucent for a while, and is now made by VTech of Hong Kong.

Stereotypes

kdawson, you don't have to live up to the stereotype of posting terrible stories.

Verizon

Verizon makes the default voicemail password the last four digits of your phone number by default, doesn't it? If they still do, then wouldn't that be just as easy to get into?

More kdawson flamebait....

Hey look another shit article from kdawson with a terrible headline. Try rewriting that to "Hack AT&T Voicemail with Caller ID Spoofing" and maybe people could take it seriously. Congrats kdawson, you've just earned an filter from the main page for me, sick of reading your crap. (Posting anon to not waste some well spent mod points.)

AT&T's billing also uses CallerID

At least it did last I checked. Spoofing an in-network phone number when calling an AT&T cell phone will be counted as mobile-to-mobile - no air time used on most plans.

Problem isn't just with AT&T

This problem isn't just confined to AT&T. The last time I checked Verizon did too. Described here:(http://sharpesecurity.blogspot.com/2010/02/espionage-on-budget.html).