
Hack AT&T Voicemail With Android

Posted by kdawson
from the who-needs-social dept.
An anonymous reader writes "It is shockingly easy to gain access to an AT&T customer's voicemail using caller ID spoofing techniques. What's worse is that AT&T knows about it. On your Android phone, download one of the two caller ID spoofing programs. Input the number of your target as the destination number and then enter the same number as the spoofed caller ID. Then connect your call. If the target has not added a voicemail password (the default is no password), you will be dropped into a random menu of their voicemail and eventually can drill up or down to get what you want. You can change greetings, erase messages, send voicemails out of the target account, and much more. How many politicians up in arms about Google Wi-Fi sniffing will want to know more about this?"
  • Re:passwords.. (Score:5, Insightful)

    by Lehk228 (705449) on Tuesday June 29, 2010 @09:21PM (#32739338) Journal
    Without a password, voicemail should only accept connections from the owner's phone.
  • They Deserve It (Score:1, Insightful)

    by j0hnyquest (1571815) on Tuesday June 29, 2010 @09:28PM (#32739382)
    If you don't have a password on your voicemail, you deserve to have it hacked into. Plain and simple.
  • by TheEyes (1686556) on Tuesday June 29, 2010 @09:29PM (#32739398)

    "How many politicians up in arms about Google Wi-Fi sniffing will want to know more about this?"

    Answer: none, since Microsoft isn't paying them to target AT&T.

  • Re:Ha! (Score:3, Insightful)

    by mrsteveman1 (1010381) on Tuesday June 29, 2010 @09:32PM (#32739420)

    Really? You think the caller ID spoofing is the problem here?

  • OP Notes On Post (Score:0, Insightful)

    by Anonymous Coward on Tuesday June 29, 2010 @09:37PM (#32739454)
    I am the one who posted this - it is my first Slashdot submission. Please don't flame too hard. I am posting anon because I am a convicted hacker on probation. I just wanted to add that we noticed a side effect of doing this: If the target is using an iPhone, their Visual Voicemail will prompt for a password the moment the attacker logs out of their voicemail box. The target must then reset their VM password.
  • Re:passwords.. (Score:5, Insightful)

    by X0563511 (793323) on Tuesday June 29, 2010 @09:37PM (#32739456) Homepage Journal

    It's the damn phone company. If it's a landline, you mean to tell me they can't see what circuit it's coming from all the way back to your house?

    If it's a cell, likewise - there are cell-specific identifiers, namely the SIM details...

  • Re:passwords.. (Score:5, Insightful)

    by markov_chain (202465) on Tuesday June 29, 2010 @09:38PM (#32739468) Homepage

    He's got a point. Why can't voice mail run over some data connection authenticated by the phone's unique ID or something similar? They certainly do billing that way. It is 2010, and voice mail still works by having the phone call out to a magic number- how antiquated!

  • Re:Placing blame (Score:3, Insightful)

    by Anonymous Coward on Tuesday June 29, 2010 @09:42PM (#32739490)

    +1, this is NOT an included feature of Android. You have to download an application in order to accomplish this. And, if I'm not mistaken, BlackBerry and iPhones both have access to such apps.

    "How many politicians up in arms about Google Wi-Fi sniffing will want to know more about this?" - Seriously? What kind of statement is that? This has NOTHING to do with Google directly. As SilverHatHacker said, if you don't put a password on it, you're just as much to blame. Call spoofing has been around since before Android even existed. Some call spoof sites / applications prohibit you from entering the same number as both your number and the number you are calling (I'd assume to avoid their services being involved with things like this).

    Bottom line, don't like it? Put a password on your voicemail. Upset that this is your option? Then complain to the developers / people behind services that allow call spoofing. Don't put the blame on an open source platform, let alone on one of the many corporations behind that platform.

  • Re:They Deserve It (Score:3, Insightful)

    by jeppster (1031326) on Tuesday June 29, 2010 @09:47PM (#32739524) Homepage
    My wife forgot to lock our house door one night and we were burglarized. By your logic, we deserved that. Good to know; I appreciate the heads up, and I'll be sure to let her know.
  • Re:Ha! (Score:3, Insightful)

    by mrsteveman1 (1010381) on Tuesday June 29, 2010 @09:53PM (#32739572)

    No it didn't. The fault here is entirely with AT&T, it is not because of missing passwords/pin numbers (which should not matter), nor is it a lack of regulation concerning caller ID.

  • Re:They Deserve It (Score:5, Insightful)

    by victorhooi (830021) on Tuesday June 29, 2010 @09:56PM (#32739592)

    heya,

    Look, I don't think the parent means you deserve it, in some grand-cosmic karma scheme or something.

    I think what he's referring to is that, well, you have to take responsibility for securing your belongings.

    It's simple common-sense. In Australia, if I leave my car unlocked in a car-park, and then come back to find my stuff inside gone, if I go to the police and report it, I doubt they'll have a lot of sympathy for me. They'll probably write me off as an idiot - and rightly so. Everybody makes mistakes, but sometimes *touch wood* you have to take responsibility for them.

    So while the story about your wife and you being burglarised is sad - ultimately you're adults, you have to take responsibility for your own mistakes. In this case, it was forgetting to lock the doors. That's not to say theft isn't wrong, but I think it's sad how people today don't seem to want to take responsibility for themselves.

    It's like those kids who come out crying, boo-hoo, I'm pregnant, my life is ruined, blah blah blah. Well, whoop-de-doo, you chose to have intercourse, whose fault is that? And you chose to do it without using contraception, even smarter. Idiots.

    Cheers,
    Victor

  • Re:They Deserve It (Score:0, Insightful)

    by Anonymous Coward on Tuesday June 29, 2010 @09:56PM (#32739596)

    If you don't wear a seatbelt when you're driving at over 30mph, you deserve to have me suddenly hit the brakes when I'm driving ahead of you so you rear-end me and slam your head into your windshield. Plain and simple.

    If you don't look at which alley you're walking down, you deserve to have me pop out behind a garbage can and mug your sorry ass. Plain and simple.

    If you don't park straight in a standard public parking lot and allow me to park safely, you deserve to have me key your car and/or pop your tires. Plain and simple.

    Ain't karma a bitch?

  • Re:Ha! (Score:4, Insightful)

    by mrsteveman1 (1010381) on Tuesday June 29, 2010 @10:05PM (#32739644)

    So riddle me this, what would happen if I went to make a call from my cell phone to another number, but spoofed the caller ID, whose minutes am I then using? Who gets charged?

    Doubt it would be the owner of the spoofed number paying. If it DOES work that way, it simply proves AT&T is incompetent. If it doesn't work that way, then their billing department isn't as dumb as their customer security department.

  • Re:They Deserve It (Score:5, Insightful)

    by DavidD_CA (750156) on Tuesday June 29, 2010 @10:09PM (#32739676) Homepage

    How many people even know to put a password on their cellphone voicemail?

    I wouldn't expect to need to, since I was never asked for one in the first place nor did any instructions or guidance tell me otherwise.

  • Re:Ha! (Score:5, Insightful)

    by fuzzyfuzzyfungus (1223518) on Tuesday June 29, 2010 @10:27PM (#32739804) Journal
    One is a revenue center, the other is a cost center. I think we can guess which one is further on the ball?
  • by TheVelvetFlamebait (986083) on Tuesday June 29, 2010 @10:28PM (#32739810) Journal

    It's kind of sad how many situations this cut-and-paste troll is appropriate.

  • Re:They Deserve It (Score:3, Insightful)

    by nobodyman (90587) * on Tuesday June 29, 2010 @10:53PM (#32739968) Homepage

    I think most people would agree with you in the abstract, but keep in mind that the majority of mobile phone owners don't even know that such a thing is even possible. We know better so we use passwords. The thing is, AT&T also knows better, and they have the ability to mitigate the risk, but are doing nothing. Shouldn't they be held at least partially responsible?

  • Re:Placing blame (Score:4, Insightful)

    by PopeRatzo (965947) * on Tuesday June 29, 2010 @11:04PM (#32740022) Homepage Journal

    You can even call these services from an iPhone! New headline: iPhone Can Hack Unsecured Voicemail

    Yes, but if the story were to mention that, it wouldn't work as FUD.

  • by PopeRatzo (965947) * on Tuesday June 29, 2010 @11:08PM (#32740056) Homepage Journal

    'Most' people I know use their mobiles for pretty much everything. I would hazard a guess that it is an incredibly small percentage of mobile phone users that actually WANT a universally accessible voice mail service.

    So then, just require a password when calling from any phone besides the cellular phone to which the voice mail account is associated.

    This is hardly an insurmountable technical issue. There's no reason you couldn't just have calls from the cell phone access the voice mail directly, but if you want to use a different phone to get your voice mail, you need to enter a 4 digit PIN or something (at least).

    You can't get an email account without a password, so why should people expect voicemail to be any different, "for convenience"?

  • Re:Placing blame (Score:3, Insightful)

    by sjames (1099) on Tuesday June 29, 2010 @11:15PM (#32740112) Homepage

    It is absolutely positively NOT how voicemail is supposed to work but Android isn't to blame.

    AT&T knows very well that caller-id is worthless for authentication AND it has access to the much more authoritative ANI (which cannot be spoofed so easily).

    I wouldn't blame the customers either. If you mistakenly believe that AT&T has a single grain of common sense, you might imagine they DO use ANI (I'll bet the manual reads "from your phone only" rather than "from any phone that sends your number in its faked caller ID") even if you don't know what it's called. After all, they're the phone company, surely they know which phone you're calling from, they DO know who to bill the minutes to after all.
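
Added example, not part of any comment and not AT&T's code: the access rule several commenters above ask for (PIN-free access only from the owner's own line, a PIN from anywhere else) next to the caller-ID-only check the submission describes. `network_identity` is a hypothetical field standing in for whatever origin record the carrier itself keeps for billing; the numbers and PIN are constructed.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

@dataclass
class Call:
    caller_id: str                   # presented by the calling side; spoofable
    network_identity: Optional[str]  # hypothetical: the line the carrier itself
                                     # attributes the call to; None if unknown
    pin_entered: Optional[str] = None

@dataclass
class Mailbox:
    number: str
    pin: Optional[str] = None        # None = no PIN set; kept in clear only for brevity

def pin_ok(call: Call, box: Mailbox) -> bool:
    if box.pin is None or call.pin_entered is None:
        return False
    # Constant-time comparison so response timing does not leak PIN digits.
    return hmac.compare_digest(call.pin_entered.encode(), box.pin.encode())

def weak_policy(call: Call, box: Mailbox) -> bool:
    """Behaviour the submission describes: matching caller ID opens a PIN-less box."""
    if box.pin is None:
        return call.caller_id == box.number
    return pin_ok(call, box)

def hardened_policy(call: Call, box: Mailbox) -> bool:
    """PIN-free access only from the owner's own line; everything else needs a PIN."""
    if call.network_identity is not None and call.network_identity == box.number:
        return True
    return pin_ok(call, box)  # a box with no PIN is not reachable from other lines

def demo() -> dict:
    owner, other = "+15555550100", "+15555550199"  # constructed numbers
    no_pin, with_pin = Mailbox(owner), Mailbox(owner, pin="4821")
    spoofed = Call(caller_id=owner, network_identity=other)
    return {
        "weak_spoofed": weak_policy(spoofed, no_pin),
        "hard_spoofed": hardened_policy(spoofed, no_pin),
        "hard_owner": hardened_policy(Call(owner, owner), no_pin),
        "hard_remote_pin": hardened_policy(Call(other, other, "4821"), with_pin),
        "hard_remote_bad_pin": hardened_policy(Call(other, other, "0000"), with_pin),
    }

if __name__ == "__main__":
    print(demo())
```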

  • ...what? (Score:3, Insightful)

    by Urza9814 (883915) on Tuesday June 29, 2010 @11:15PM (#32740114)

    AT&T _still_ doesn't require a voicemail password? I thought pretty much every carrier did because of exactly this kind of trick. It surely didn't start with Android - I remember reading about it years ago, and it was old news even then.

    But hell, anyone stupid enough to still use AT&T, when it seems that every week they're losing thousands of customer records, deserves anything that happens.

  • Re:Placing blame (Score:3, Insightful)

    by mjwx (966435) on Wednesday June 30, 2010 @02:03AM (#32740980)

    Of course, now Google has to play whack-a-mole locking out these apps for much the same reason Apple locks their handhelds: No matter who's really at fault, they get the bad press.

    I don't see why Google should do anything about the applications. Nothing has violated Google's TOS here. They are violating AT&T's TOS so let AT&T be the bad guys and ban the violators from their networks.

  • How many? (Score:3, Insightful)

    by ScrewMaster (602015) on Wednesday June 30, 2010 @07:42AM (#32742548)

    How many politicians up in arms about Google Wi-Fi sniffing will want to know more about this?

    Answer: none. Nobody knows Washington better than AT&T.
