Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hack AT&T Voicemail With Android

Posted by kdawson on from the who-needs-social dept.

An anonymous reader writes "It is shockingly easy to gain access to an AT&T customer's voicemail using caller ID spoofing techniques. What's worse is that AT&T knows about it. On your Android phone, download one of the two caller ID spoofing programs. Input the number of your target as the destination number and then enter the same number as the spoofed caller ID. Then connect your call. If the target has not added a voicemail password (the default is no password), you will be dropped into a random menu of their voicemail and eventually can drill up or down to get what you want. You can change greetings, erase messages, send voicemails out of the target account, and much more. How many politicians up in arms about Google Wi-Fi sniffing will want to know more about this?"

17 of 242 comments (clear)

  1. Placing blame by SilverHatHacker · · Score: 5, Informative

    I fail to see how Android is at fault here. That is basically how voicemail is intended to work, and if you don't put a password on it, you're just as much to blame - same as with any computerized system. The fact that you're spoofing it using an Android app is irrelevant.

    --
    Funny may not give karma, but +5 Informative never made anyone snort coffee out their nose.
    1. Re:Placing blame by JaZz0r · · Score: 5, Informative

      Caller ID spoofing is nothing new. It can be done from a number of different services. You can even call these services from an iPhone! New headline: iPhone Can Hack Unsecured Voicemail

      --
      "Careful! We don't want to learn from this!" -Calvin & Hobbes
    2. Re:Placing blame by pushing-robot · · Score: 4, Interesting

      Yeah, this is how I always understood voicemail to work. Blame users for not having proper passwords, and blame phone companies for being hopelessly inept at security. Caller ID is useless for authentication; it dates to the early 1970s, when AT&T still assumed the entire phone network was trusted (and thus black/blue boxes were becoming the rage).

      Of course, now Google has to play whack-a-mole locking out these apps for much the same reason Apple locks their handhelds: No matter who's really at fault, they get the bad press.

      --
      How can I believe you when you tell me what I don't want to hear?
    3. Re:Placing blame by eyeota · · Score: 5, Informative

      ATT's implementation is indeed to blame. CallerID is the calling presentation of a call, not the source/origination. Using CallerID to authenticate anything requires trusting the person making the call and that's just not smart. ANI or Automatic Number Identification is what should be used to identify the call; it's what is used to bill the call after all. No Bell in the right mind accepts ANI from their customer. The bell switch always lookus up the TN originating the call and set the ANI to appropriate value. The ANI is what should be used to authenticate VM as it cannot be set by the customer. Sprint's implementation is indeed correct as I've tried spoofing my own cell # in the past to call into VM was was unsuccessful.

  2. Comment removed by account_deleted · · Score: 5, Interesting

    Comment removed based on user account deletion

  3. Re:passwords.. by Lehk228 · · Score: 4, Insightful

    without a password voicemail should only accept connections from the owners phone.

    --
    Snowden and Manning are heroes.
  4. So what's new? by Anonymous Coward · · Score: 4, Informative

    This has been a problem for years. VOIP makes caller id spoofing trivial and is supported as a feature just about everywhere. The problem is the fact that VOIP is bolted on to existing infrastructure. An ip call terminating into the pstn has no inherit phone number since (obviously) it's not originating in the pstn. The solution? You can pick our own caller id.

  5. Re:passwords.. by X0563511 · · Score: 4, Insightful

    It's the damn phone company. If it's a landline, you mean to tell me they can't see what circuit it's coming from all the way back to your house?

    If it's a cell, likewise - there are cell specific identifiers. namely the SIM details...

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  6. Re:passwords.. by markov_chain · · Score: 4, Insightful

    He's got a point. Why can't voice mail run over some data connection authenticated by the phone's unique ID or something similar? They certainly do billing that way. It is 2010, and voice mail still works by having the phone call out to a magic number- how antiquated!

    --
    Tsunami -- You can't bring a good wave down!
  7. Re:Any other phone? by reaper · · Score: 4, Informative

    Ya, I did it with Asterisk a while back. Found out accidentally when I dialed my cell phone while setting my call ID to my cell's number. So I tried it with a friend's number. Hilarity ensued.

    --
    - Dan
  8. Re:They Deserve It by victorhooi · · Score: 4, Insightful

    heya,

    Look, I don't think the parent means you deserve it, in some grand-cosmic karma scheme or something.

    I think what he's referring to is that, well, you have to take responsibility for securing your belongings.

    It's simple common-sense. In Australia, if I leave my car unlocked in a car-park, and then come back to find my stuff inside gone, if I go to the police and report it, I doubt they'll have a lot of sympathy for me. They'll probably write me off as an idiot - and rightly so. Everybody makes mistakes, but sometimes *touch wood* you have to take responsibiltiy for them.

    So while the story about your wife and you being burglarised is sad - ultimately you're adults, you have to take responsibility for your own mistakes. In this case, it was forgetting to lock the doors. That's not to say theft isn't wrong, but I think it's sad how people today don't seem to want to take responsibility for themselves.

    It's like those kids who come out crying, boo-hoo, I'm pregnant, my life is ruined, blah blah blah. Well, whoop-de-doo, you chose to have intercourse, who's fault is that? And you chose to do it without using contraception, even smarter. Idiots.

    Cheers,
    Victor

  9. years old vulnerability by SuperBanana · · Score: 4, Informative

    I fail to see how Android is at fault here. That is basically how voicemail is intended to work, and if you don't put a password on it, you're just as much to blame - same as with any computerized system. The fact that you're spoofing it using an Android app is irrelevant.

    Yep, this is such old news it's not even funny. It is a years-old vulnerability that was covered years ago in slashdot, among other places- I couldn't find any articles with a lazy google search, but I did turn up a comment talking about this very problem from 2006. Carriers have known about the issue for half a decade or more.

    The only point I see TFA trying to make in a very roundabout way is that because the Android market is more open than Apple's, stuff like this "can happen", which is slightly true.

    --
    Please help metamoderate.
    1. Re:years old vulnerability by nxtw · · Score: 4, Funny

      Holy shit, that post looks familiar.

  10. Re:passwords.. by tomhudson · · Score: 4, Interesting

    1-2-3-4-5

    Local police station used that, a guy spent months messing around with informants, cops girlfriends (awkward when you can hear both the girlfriend and the wife leaving messages for the same cop), etc.

    Arrested, charged, convicted, probation ... does it again!

    The cops never changed the password.

  11. Re:They Deserve It by DavidD_CA · · Score: 4, Insightful

    How many people even know to put a password on their cellphone voicemail?

    I wouldn't expect to need to, since I was never asked for one in the first place nor did any instructions or guidance tell me otherwise.

    --
    -David
  12. Re:Ha! by fuzzyfuzzyfungus · · Score: 4, Insightful

    One is a revenue center, the other is a cost center. I think we can guess which one is further on the ball?

  13. slashdot worthy? by ZeroNullVoid · · Score: 5, Funny

    please tell me this is slashdot worthy?

    I see this post as the same thing as saying one of the following:

    You can hack into a car by throwing your android phone really hard at a window.
    There is an app on your android phone that makes it so you can steal money from people, just put it in your pocket, hold it to their back and pretend it is a gun while asking for everything they have.
    Hack your McDonald hamburger by taking the buns and putting them on your head and calling them your alien receptors.
    Hack your microwave, stick your android in it for 10 minutes while running this "insert ad here" app.
    Hack the airwaves, play music on your android.