Slashdot Mirror
Hack AT&T Voicemail With Android
An anonymous reader writes "It is shockingly easy to gain access to an AT&T customer's voicemail using caller ID spoofing techniques. What's worse is that AT&T knows about it. On your Android phone, download one of the two caller ID spoofing programs. Input the number of your target as the destination number and then enter the same number as the spoofed caller ID. Then connect your call. If the target has not added a voicemail password (the default is no password), you will be dropped into a random menu of their voicemail and eventually can drill up or down to get what you want. You can change greetings, erase messages, send voicemails out of the target account, and much more. How many politicians up in arms about Google Wi-Fi sniffing will want to know more about this?"
I fail to see how Android is at fault here. That is basically how voicemail is intended to work, and if you don't put a password on it, you're just as much to blame - same as with any computerized system. The fact that you're spoofing it using an Android app is irrelevant.
Funny may not give karma, but +5 Informative never made anyone snort coffee out their nose.
Comment removed based on user account deletion
without a password voicemail should only accept connections from the owners phone.
Snowden and Manning are heroes.
This has been a problem for years. VOIP makes caller id spoofing trivial and is supported as a feature just about everywhere. The problem is the fact that VOIP is bolted on to existing infrastructure. An ip call terminating into the pstn has no inherit phone number since (obviously) it's not originating in the pstn. The solution? You can pick our own caller id.
Really? You think the caller ID spoofing is the problem here?
I like how you forget the first sentence by the time you move on to the second.
Allow me to repeat him:
Passwords People, they are not just for Game shows.
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
It's the damn phone company. If it's a landline, you mean to tell me they can't see what circuit it's coming from all the way back to your house?
If it's a cell, likewise - there are cell specific identifiers. namely the SIM details...
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
He's got a point. Why can't voice mail run over some data connection authenticated by the phone's unique ID or something similar? They certainly do billing that way. It is 2010, and voice mail still works by having the phone call out to a magic number- how antiquated!
Tsunami -- You can't bring a good wave down!
and how would things like roaming work? I'm sure there are lots of cases when you are not on your own carrier's network (even if it says it on your phone's screen).....
My wife forgot to lock our house door one night and we were burglarized. By your logic, we deserved that. Good to know; I appreciate the heads up, and I'll be sure to let her know.
Ya, I did it with Asterisk a while back. Found out accidentally when I dialed my cell phone while setting my call ID to my cell's number. So I tried it with a friend's number. Hilarity ensued.
- Dan
No it didn't. The fault here is entirely with AT&T, it is not because of missing passwords/pin numbers (which should not matter), nor is it a lack of regulation concerning caller ID.
heya,
Look, I don't think the parent means you deserve it, in some grand-cosmic karma scheme or something.
I think what he's referring to is that, well, you have to take responsibility for securing your belongings.
It's simple common-sense. In Australia, if I leave my car unlocked in a car-park, and then come back to find my stuff inside gone, if I go to the police and report it, I doubt they'll have a lot of sympathy for me. They'll probably write me off as an idiot - and rightly so. Everybody makes mistakes, but sometimes *touch wood* you have to take responsibiltiy for them.
So while the story about your wife and you being burglarised is sad - ultimately you're adults, you have to take responsibility for your own mistakes. In this case, it was forgetting to lock the doors. That's not to say theft isn't wrong, but I think it's sad how people today don't seem to want to take responsibility for themselves.
It's like those kids who come out crying, boo-hoo, I'm pregnant, my life is ruined, blah blah blah. Well, whoop-de-doo, you chose to have intercourse, who's fault is that? And you chose to do it without using contraception, even smarter. Idiots.
Cheers,
Victor
Nonsense. MOST voicemail systems assume calls from the same number are from the owner of record. ATT IS NOT ALONE.
Sig Battery depleted. Reverting to safe mode.
I fail to see how Android is at fault here. That is basically how voicemail is intended to work, and if you don't put a password on it, you're just as much to blame - same as with any computerized system. The fact that you're spoofing it using an Android app is irrelevant.
Yep, this is such old news it's not even funny. It is a years-old vulnerability that was covered years ago in slashdot, among other places- I couldn't find any articles with a lazy google search, but I did turn up a comment talking about this very problem from 2006. Carriers have known about the issue for half a decade or more.
The only point I see TFA trying to make in a very roundabout way is that because the Android market is more open than Apple's, stuff like this "can happen", which is slightly true.
Please help metamoderate.
1-2-3-4-5
Local police station used that, a guy spent months messing around with informants, cops girlfriends (awkward when you can hear both the girlfriend and the wife leaving messages for the same cop), etc.
Arrested, charged, convicted, probation ... does it again!
The cops never changed the password.
So riddle me this, what would happen if i went to make a call from my cell phone to another number, but spoofed the caller ID, whose minutes am I then using? Who gets charged?
Doubt it would be the owner of the spoofed number paying. If it DOES work that way, it simply proves AT&T is incompetent. If it doesn't work that way, then their billing department isn't as dumb as their customer security department.
I did this on a Verizon Droid using a spoof app, to a Verizon number. Not on purpose- i was trying to goof on a friend by having his phone ring with his own number. Then i got the voicemail prompt, and i hung up.
My friend used a application like this to fake his caller ID using his iPhone. Though it might have required jailbreaking to install.
How many people even know to put a password on their cellphone voicemail?
I wouldn't expect to need to, since I was never asked for one in the first place nor did any instructions or guidance tell me otherwise.
-David
One is a revenue center, the other is a cost center. I think we can guess which one is further on the ball?
It's kind of sad how many situations this cut-and-paste troll is appropriate.
You know, there is a difference between trolling and pointing out the flaws in your reasoning. Just saying.
I had an AT&T answering machine which you could access remotely. I, of course, had set the pin. However, someone still managed to get in and hack it and changed my greeting to something about sucking male genitalia. I was not amused. I ended up disabling the remote access completely since apparently any old idiot can call in and figure out how to get into the menus.
If you are not allowed to question your government then the government has answered your question.
> If it's a landline, you mean to tell me they can't see what circuit it's coming from all the way back to your house?
No "they" can't, at least not in real-time. "They" in this case means AT&T, Verizon/MCI, Sprint, etc. -- any of the large telcos. The infrastructure is simply too big (circuit-wise, switch-wise, etc.), too old, and too "dumb" (in a literal sense) to provide this in real-time. This is not Ethernet we're talking about here.
Validation based on ANI (this is not the same as Caller ID) is possible, since an ANI isn't spoofable on classic telco networks...... except with the introduction of VoIP into the fray, ANI spoofing is achievable since many VoIP-to-TDM carriers permit/pass user (LEC)-defined ANIs. Yes, I said user-passed ANI, and I mean it.
Here's a better idea: induce password requirements on a customer's voicemail. Minimum of 4 digits, no repeating numbers ("0000" is invalid). It USED to be this way (back when I subscribed to voicemail services in 1998). So why has this changed? Fix that and done, problem solved, next issue.
Most people have no idea they can access their voicemail from other phones. Most people only know that when their cell phone says "you have a message" then they can push the special button and check it and that's it. They think, "The only time somebody can listen to my voicemail is if they steal my phone."
Why would they ever think to put on a password? As far as they know, there's absolutely no reason to. They probably don't even know you can have a password on it.
I think most people would agree with you in the abstract, but keep in mind that the majority of mobile phone owners don't even know that such a thing is even possible. We know better so we use passwords. The thing is, AT&T also knows better, and they have the ability to mitigate the risk, but are doing nothing. Shouldn't they be held at least partially responsible?
Dear Mr. / Ms. Politico: I talked to my boss and he's cool with the plan. We will wire you your 1 million dollars into the account of your choice, you just have to push our bill through. Let me know what you want to do.
Thanks,
Your local lobbyist
Or somesuch similar conversation. Not everybody's life is as boring as ours is.
Faster! Faster! Faster would be better!
So then, just require a password when calling from any phone besides the cellular phone to which the voice mail account is associated.
This is hardly an insurmountable technical issue. There's no reason you couldn't just have calls from the cell phone access the voice mail directly, but if you want to use a different phone to get you voice mail, you need to enter a 4 digit PIN or something (at least).
You can't get an email account without a password, so why should people expect voicemail to be any different, "for convenience"?
You are welcome on my lawn.
callerid is not the same as the ANI number on the call. The ANI is what is used to bill.
I think that was exactly the GPs point.
If they used the ANI rather than the caller ID, there wouldn't be a problem.
Ever stop to think
please tell me this is slashdot worthy?
I see this post as the same thing as saying one of the following:
You can hack into a car by throwing your android phone really hard at a window.
There is an app on your android phone that makes it so you can steal money from people, just put it in your pocket, hold it to their back and pretend it is a gun while asking for everything they have.
Hack your McDonald hamburger by taking the buns and putting them on your head and calling them your alien receptors.
Hack your microwave, stick your android in it for 10 minutes while running this "insert ad here" app.
Hack the airwaves, play music on your android.
AT&T _still_ doesn't require a voicemail password? I thought pretty much every carrier did because of exactly this kind of trick. It surely didn't start with Android - I remember reading about it years ago, and it was old news even then.
But hell, anyone stupid enough to still use AT&T, when it seems that every week they're losing thousands of customer records, deserves anything that happens.
I had heard of a scam wherein hackers change your outgoing voicemail message to be "I accept the charges", and then call you collect from one of those strange high-priced calling codes. Effectively, you end up responsible for a huge phone bill, some percentage of which goes to the hackers.
This could be one of those urban legends too- it's late and I'm too tired to confirm it right now, but one can at least see how this isn't necessarily a non-issue.
T-Mobile forces you to set a PIN, but leaves it up to you if you want it enabled when calling in on your own phone.
A couple things I could think of off the top of my head that might make this an issue for you if somebody hacked your VM;
Lock you out of your VM for laughs. Sure, no biggie to fix but a hassle.
Plant some messages on your phone and then attract the attention of the police by calling someone I knew was being monitored by the DEA and spoofing your number to them. Have fun deneying that you don't know "Jose" or anything about a drug deal
Change your message to something threatening against the Pres., VP or PM depending where you live (a properly worded greeting would be easy) and then maybe call the Feds to report it. Have fun explaining it.
If you don't care that's fine, just try to remember that things that are "non-issue" to you may be very big issues to someone else.
How many politicians up in arms about Google Wi-Fi sniffing will want to know more about this?
Answer: none. Nobody knows Washington better than AT&T.
The higher the technology, the sharper that two-edged sword.