Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hack AT&T Voicemail With Android

Posted by kdawson on from the who-needs-social dept.

An anonymous reader writes "It is shockingly easy to gain access to an AT&T customer's voicemail using caller ID spoofing techniques. What's worse is that AT&T knows about it. On your Android phone, download one of the two caller ID spoofing programs. Input the number of your target as the destination number and then enter the same number as the spoofed caller ID. Then connect your call. If the target has not added a voicemail password (the default is no password), you will be dropped into a random menu of their voicemail and eventually can drill up or down to get what you want. You can change greetings, erase messages, send voicemails out of the target account, and much more. How many politicians up in arms about Google Wi-Fi sniffing will want to know more about this?"

26 of 242 comments (clear)

  1. Placing blame by SilverHatHacker · · Score: 5, Informative

    I fail to see how Android is at fault here. That is basically how voicemail is intended to work, and if you don't put a password on it, you're just as much to blame - same as with any computerized system. The fact that you're spoofing it using an Android app is irrelevant.

    --
    Funny may not give karma, but +5 Informative never made anyone snort coffee out their nose.
    1. Re:Placing blame by JaZz0r · · Score: 5, Informative

      Caller ID spoofing is nothing new. It can be done from a number of different services. You can even call these services from an iPhone! New headline: iPhone Can Hack Unsecured Voicemail

      --
      "Careful! We don't want to learn from this!" -Calvin & Hobbes
    2. Re:Placing blame by Anonymous Coward · · Score: 3, Insightful

      +1, this is NOT an included feature of Android. You have to download an application in order to accomplish this. And, if i'm not mistaken, blackberry and iphones both have access to such apps.

      "How many politicians up in arms about Google Wi-Fi sniffing will want to know more about this?" - Seriously? what kind of statement is that? This has NOTHING to do with Google directly. As SilverHatHacker said, if you don't put a password on it, you're just as much to blame. Call spoofing has been around since before Android even existed. Some call spoof sites / applications prohibit you from entering the same number as both your number and the number you are calling (i'd assume to avoid their services being involved with things like this).

      Bottom line, don't like it? Put a password on your voicemail. Upset that this is your option? Then complain to the developers / people behind services that allow call spoofing. Don't put the blame on an open source platform, let alone of one of many corporation behind that platform.

    3. Re:Placing blame by pushing-robot · · Score: 4, Interesting

      Yeah, this is how I always understood voicemail to work. Blame users for not having proper passwords, and blame phone companies for being hopelessly inept at security. Caller ID is useless for authentication; it dates to the early 1970s, when AT&T still assumed the entire phone network was trusted (and thus black/blue boxes were becoming the rage).

      Of course, now Google has to play whack-a-mole locking out these apps for much the same reason Apple locks their handhelds: No matter who's really at fault, they get the bad press.

      --
      How can I believe you when you tell me what I don't want to hear?
    4. Re:Placing blame by eyeota · · Score: 5, Informative

      ATT's implementation is indeed to blame. CallerID is the calling presentation of a call, not the source/origination. Using CallerID to authenticate anything requires trusting the person making the call and that's just not smart. ANI or Automatic Number Identification is what should be used to identify the call; it's what is used to bill the call after all. No Bell in the right mind accepts ANI from their customer. The bell switch always lookus up the TN originating the call and set the ANI to appropriate value. The ANI is what should be used to authenticate VM as it cannot be set by the customer. Sprint's implementation is indeed correct as I've tried spoofing my own cell # in the past to call into VM was was unsuccessful.

    5. Re:Placing blame by PopeRatzo · · Score: 3, Insightful

      You can even call these services from an iPhone! New headline: iPhone Can Hack Unsecured Voicemail

      Yes, but if the story were to mention that, it wouldn't work as FUD.

      --
      You are welcome on my lawn.
  2. Comment removed by account_deleted · · Score: 5, Interesting

    Comment removed based on user account deletion

  3. Re:passwords.. by Lehk228 · · Score: 4, Insightful

    without a password voicemail should only accept connections from the owners phone.

    --
    Snowden and Manning are heroes.
  4. So what's new? by Anonymous Coward · · Score: 4, Informative

    This has been a problem for years. VOIP makes caller id spoofing trivial and is supported as a feature just about everywhere. The problem is the fact that VOIP is bolted on to existing infrastructure. An ip call terminating into the pstn has no inherit phone number since (obviously) it's not originating in the pstn. The solution? You can pick our own caller id.

  5. Re:Ha! by mrsteveman1 · · Score: 3, Insightful

    Really? You think the caller ID spoofing is the problem here?

  6. Re:Ha! by X0563511 · · Score: 3, Informative

    I like how you forget the first sentence by the time you move on to the second.

    Allow me to repeat him:

    Passwords People, they are not just for Game shows.

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  7. Re:passwords.. by X0563511 · · Score: 4, Insightful

    It's the damn phone company. If it's a landline, you mean to tell me they can't see what circuit it's coming from all the way back to your house?

    If it's a cell, likewise - there are cell specific identifiers. namely the SIM details...

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  8. Re:passwords.. by markov_chain · · Score: 4, Insightful

    He's got a point. Why can't voice mail run over some data connection authenticated by the phone's unique ID or something similar? They certainly do billing that way. It is 2010, and voice mail still works by having the phone call out to a magic number- how antiquated!

    --
    Tsunami -- You can't bring a good wave down!
  9. Re:They Deserve It by jeppster · · Score: 3, Insightful

    My wife forgot to lock our house door one night and we were burglarized. By your logic, we deserved that. Good to know; I appreciate the heads up, and I'll be sure to let her know.

  10. Re:Any other phone? by reaper · · Score: 4, Informative

    Ya, I did it with Asterisk a while back. Found out accidentally when I dialed my cell phone while setting my call ID to my cell's number. So I tried it with a friend's number. Hilarity ensued.

    --
    - Dan
  11. Re:They Deserve It by victorhooi · · Score: 4, Insightful

    heya,

    Look, I don't think the parent means you deserve it, in some grand-cosmic karma scheme or something.

    I think what he's referring to is that, well, you have to take responsibility for securing your belongings.

    It's simple common-sense. In Australia, if I leave my car unlocked in a car-park, and then come back to find my stuff inside gone, if I go to the police and report it, I doubt they'll have a lot of sympathy for me. They'll probably write me off as an idiot - and rightly so. Everybody makes mistakes, but sometimes *touch wood* you have to take responsibiltiy for them.

    So while the story about your wife and you being burglarised is sad - ultimately you're adults, you have to take responsibility for your own mistakes. In this case, it was forgetting to lock the doors. That's not to say theft isn't wrong, but I think it's sad how people today don't seem to want to take responsibility for themselves.

    It's like those kids who come out crying, boo-hoo, I'm pregnant, my life is ruined, blah blah blah. Well, whoop-de-doo, you chose to have intercourse, who's fault is that? And you chose to do it without using contraception, even smarter. Idiots.

    Cheers,
    Victor

  12. years old vulnerability by SuperBanana · · Score: 4, Informative

    I fail to see how Android is at fault here. That is basically how voicemail is intended to work, and if you don't put a password on it, you're just as much to blame - same as with any computerized system. The fact that you're spoofing it using an Android app is irrelevant.

    Yep, this is such old news it's not even funny. It is a years-old vulnerability that was covered years ago in slashdot, among other places- I couldn't find any articles with a lazy google search, but I did turn up a comment talking about this very problem from 2006. Carriers have known about the issue for half a decade or more.

    The only point I see TFA trying to make in a very roundabout way is that because the Android market is more open than Apple's, stuff like this "can happen", which is slightly true.

    --
    Please help metamoderate.
    1. Re:years old vulnerability by nxtw · · Score: 4, Funny

      Holy shit, that post looks familiar.

  13. Re:passwords.. by tomhudson · · Score: 4, Interesting

    1-2-3-4-5

    Local police station used that, a guy spent months messing around with informants, cops girlfriends (awkward when you can hear both the girlfriend and the wife leaving messages for the same cop), etc.

    Arrested, charged, convicted, probation ... does it again!

    The cops never changed the password.

  14. Re:Ha! by mrsteveman1 · · Score: 3, Insightful

    So riddle me this, what would happen if i went to make a call from my cell phone to another number, but spoofed the caller ID, whose minutes am I then using? Who gets charged?

    Doubt it would be the owner of the spoofed number paying. If it DOES work that way, it simply proves AT&T is incompetent. If it doesn't work that way, then their billing department isn't as dumb as their customer security department.

  15. Not just Android by agent_vee · · Score: 3, Informative

    My friend used a application like this to fake his caller ID using his iPhone. Though it might have required jailbreaking to install.

  16. Re:They Deserve It by DavidD_CA · · Score: 4, Insightful

    How many people even know to put a password on their cellphone voicemail?

    I wouldn't expect to need to, since I was never asked for one in the first place nor did any instructions or guidance tell me otherwise.

    --
    -David
  17. Re:Ha! by fuzzyfuzzyfungus · · Score: 4, Insightful

    One is a revenue center, the other is a cost center. I think we can guess which one is further on the ball?

  18. Re:passwords.. by Anonymous Coward · · Score: 3, Informative

    > If it's a landline, you mean to tell me they can't see what circuit it's coming from all the way back to your house?

    No "they" can't, at least not in real-time. "They" in this case means AT&T, Verizon/MCI, Sprint, etc. -- any of the large telcos. The infrastructure is simply too big (circuit-wise, switch-wise, etc.), too old, and too "dumb" (in a literal sense) to provide this in real-time. This is not Ethernet we're talking about here.

    Validation based on ANI (this is not the same as Caller ID) is possible, since an ANI isn't spoofable on classic telco networks...... except with the introduction of VoIP into the fray, ANI spoofing is achievable since many VoIP-to-TDM carriers permit/pass user (LEC)-defined ANIs. Yes, I said user-passed ANI, and I mean it.

    Here's a better idea: induce password requirements on a customer's voicemail. Minimum of 4 digits, no repeating numbers ("0000" is invalid). It USED to be this way (back when I subscribed to voicemail services in 1998). So why has this changed? Fix that and done, problem solved, next issue.

  19. slashdot worthy? by ZeroNullVoid · · Score: 5, Funny

    please tell me this is slashdot worthy?

    I see this post as the same thing as saying one of the following:

    You can hack into a car by throwing your android phone really hard at a window.
    There is an app on your android phone that makes it so you can steal money from people, just put it in your pocket, hold it to their back and pretend it is a gun while asking for everything they have.
    Hack your McDonald hamburger by taking the buns and putting them on your head and calling them your alien receptors.
    Hack your microwave, stick your android in it for 10 minutes while running this "insert ad here" app.
    Hack the airwaves, play music on your android.

  20. Re:Who cares? by wembley+fraggle · · Score: 3, Interesting

    I had heard of a scam wherein hackers change your outgoing voicemail message to be "I accept the charges", and then call you collect from one of those strange high-priced calling codes. Effectively, you end up responsible for a huge phone bill, some percentage of which goes to the hackers.

    This could be one of those urban legends too- it's late and I'm too tired to confirm it right now, but one can at least see how this isn't necessarily a non-issue.