
Hack AT&T Voicemail With Android

Posted by kdawson
from the who-needs-social dept.
An anonymous reader writes "It is shockingly easy to gain access to an AT&T customer's voicemail using caller ID spoofing techniques. What's worse is that AT&T knows about it. On your Android phone, download one of the two caller ID spoofing programs. Input the number of your target as the destination number and then enter the same number as the spoofed caller ID. Then connect your call. If the target has not added a voicemail password (the default is no password), you will be dropped into a random menu of their voicemail and eventually can drill up or down to get what you want. You can change greetings, erase messages, send voicemails out of the target account, and much more. How many politicians up in arms about Google Wi-Fi sniffing will want to know more about this?"
This discussion has been archived. No new comments can be posted.

  • Placing blame (Score:5, Informative)

    by SilverHatHacker (1381259) on Tuesday June 29 2010, @09:19PM (#32739310)
    I fail to see how Android is at fault here. That is basically how voicemail is intended to work, and if you don't put a password on it, you're just as much to blame - same as with any computerized system. The fact that you're spoofing it using an Android app is irrelevant.
  • Re:Ha! (Score:1, Informative)

    by icebike (68054) on Tuesday June 29 2010, @09:24PM (#32739360)

    Passwords People, they are not just for Game shows.

    Spoofing caller id should be illegal, but there are just enough loopholes to let you get away with it.

    I don't believe this is ONLY restricted to AT&T.

  • So what's new? (Score:4, Informative)

    by Anonymous Coward on Tuesday June 29 2010, @09:28PM (#32739384)

    This has been a problem for years. VOIP makes caller id spoofing trivial and is supported as a feature just about everywhere. The problem is the fact that VOIP is bolted on to existing infrastructure. An ip call terminating into the pstn has no inherent phone number since (obviously) it's not originating in the pstn. The solution? You can pick your own caller id.

  • Re:Placing blame (Score:5, Informative)

    by JaZz0r (612364) on Tuesday June 29 2010, @09:29PM (#32739394)
    Caller ID spoofing is nothing new. It can be done from a number of [spoofcard.com] different [telespoof.com] services [spooftel.com]. You can even call these services from an iPhone! New headline: iPhone Can Hack Unsecured Voicemail
  • Re:Ha! (Score:4, Informative)

    by X0563511 (793323) on Tuesday June 29 2010, @09:36PM (#32739444) Homepage Journal

    I like how you forget the first sentence by the time you move on to the second.

    Allow me to repeat him:

    Passwords People, they are not just for Game shows.

  • Re:passwords.. (Score:3, Informative)

    by quetwo (1203948) on Tuesday June 29 2010, @09:44PM (#32739504) Homepage

    and how would things like roaming work? I'm sure there are lots of cases when you are not on your own carrier's network (even if it says it on your phone's screen).....

  • Re:Any other phone? (Score:5, Informative)

    by reaper (10065) on Tuesday June 29 2010, @09:48PM (#32739532) Homepage Journal

    Ya, I did it with Asterisk a while back. Found out accidentally when I dialed my cell phone while setting my call ID to my cell's number. So I tried it with a friend's number. Hilarity ensued.

  • Re:Ha! (Score:3, Informative)

    by icebike (68054) on Tuesday June 29 2010, @09:58PM (#32739606)

    Nonsense. MOST voicemail systems assume calls from the same number are from the owner of record. ATT IS NOT ALONE.

  • by SuperBanana (662181) on Tuesday June 29 2010, @10:00PM (#32739616)

    > I fail to see how Android is at fault here. That is basically how voicemail is intended to work, and if you don't put a password on it, you're just as much to blame - same as with any computerized system. The fact that you're spoofing it using an Android app is irrelevant.

    Yep, this is such old news it's not even funny. It is a years-old vulnerability that was covered years ago in slashdot, among other places- I couldn't find any articles with a lazy google search, but I did turn up a comment talking about this very problem from 2006. [slashdot.org] Carriers have known about the issue for half a decade or more.

    The only point I see TFA trying to make in a very roundabout way is that because the Android market is more open than Apple's, stuff like this "can happen", which is slightly true.

  • Re:Placing blame (Score:5, Informative)

    by eyeota (686153) on Tuesday June 29 2010, @10:03PM (#32739634)
    ATT's implementation is indeed to blame. CallerID is the calling presentation of a call, not the source/origination. Using CallerID to authenticate anything requires trusting the person making the call and that's just not smart. ANI or Automatic Number Identification is what should be used to identify the call; it's what is used to bill the call after all. No Bell in their right mind accepts ANI from their customer. The Bell switch always looks up the TN originating the call and sets the ANI to the appropriate value. The ANI is what should be used to authenticate VM as it cannot be set by the customer. Sprint's implementation is indeed correct as I've tried spoofing my own cell # in the past to call into VM and was unsuccessful.
  • Re:Any other phone? (Score:2, Informative)

    by jothar hillpeople (1789504) on Tuesday June 29 2010, @10:05PM (#32739646)
    I did this on a Verizon Droid using a spoof app, to a Verizon number. Not on purpose- I was trying to goof on a friend by having his phone ring with his own number. Then I got the voicemail prompt, and I hung up.
  • Not just Android (Score:3, Informative)

    by agent_vee (1801664) on Tuesday June 29 2010, @10:07PM (#32739662)
    My friend used an application like this to fake his caller ID using his iPhone. Though it might have required jailbreaking to install.
  • Re:Any other phone? (Score:1, Informative)

    by Anonymous Coward on Tuesday June 29 2010, @10:19PM (#32739754)

    I was able to change the number my work landline displayed and was able to access my ATT voicemail after I removed my password. We use a NEC IPK II for our voicemail system and it literally takes a few seconds to change the outgoing number for a phone.

  • Re:They Deserve It (Score:1, Informative)

    by Anonymous Coward on Tuesday June 29 2010, @10:29PM (#32739816)

    while it would suck and would still be illegal, there are two faults in your application of his logic.

    First, in this analogy your wife, and yourself, would have never locked the doors on your house before. You don't even have a key, though the house is set up for you to use one if you wish.

    Additionally, being hacked and burglarized are different. In this analogy someone would have broken in, looked at all your stuff, and might possibly lock the door to which you've never taken the key.

  • Re:passwords.. (Score:3, Informative)

    by Anonymous Coward on Tuesday June 29 2010, @10:32PM (#32739836)

    > If it's a landline, you mean to tell me they can't see what circuit it's coming from all the way back to your house?

    No "they" can't, at least not in real-time. "They" in this case means AT&T, Verizon/MCI, Sprint, etc. -- any of the large telcos. The infrastructure is simply too big (circuit-wise, switch-wise, etc.), too old, and too "dumb" (in a literal sense) to provide this in real-time. This is not Ethernet we're talking about here.

    Validation based on ANI (this is not the same as Caller ID) is possible, since an ANI isn't spoofable on classic telco networks...... except with the introduction of VoIP into the fray, ANI spoofing is achievable since many VoIP-to-TDM carriers permit/pass user (LEC)-defined ANIs. Yes, I said user-passed ANI, and I mean it.

    Here's a better idea: induce password requirements on a customer's voicemail. Minimum of 4 digits, no repeating numbers ("0000" is invalid). It USED to be this way (back when I subscribed to voicemail services in 1998). So why has this changed? Fix that and done, problem solved, next issue.
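
Added example, not part of any comment in this thread and not any carrier's code: a sketch of the mailbox access decision the comments above argue for, putting the caller-ID-trusting behaviour beside one that relies only on a switch-set ANI and on the PIN rule proposed in the comment above. All class, function and return-value names and the 555 numbers are assumptions made up for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class InboundCall:
    dialed: str          # mailbox number being called
    caller_id: str       # presentation number; the caller chooses it
    ani: Optional[str]   # billing number
    ani_trusted: bool    # True only when the carrier's own switch set the ANI

@dataclass
class Mailbox:
    number: str
    pin: Optional[str] = None              # default in the story: no password
    skip_pin_from_own_phone: bool = False  # subscriber opt-in (assumed setting)

def pin_is_acceptable(pin: str) -> bool:
    """At least 4 ASCII digits and not one digit repeated ("0000")."""
    return pin.isascii() and pin.isdigit() and len(pin) >= 4 and len(set(pin)) > 1

def legacy_decision(call: InboundCall, box: Mailbox) -> str:
    """Weak behaviour from the thread: matching caller ID opens a PIN-less box."""
    if call.caller_id == box.number and box.pin is None:
        return "OPEN"
    return "PROMPT_PIN"

def hardened_decision(call: InboundCall, box: Mailbox) -> str:
    """Ignore caller ID; only a switch-set ANI counts as 'own phone'."""
    own_phone = call.ani_trusted and call.ani == box.number
    if box.pin is None or not pin_is_acceptable(box.pin):
        # No usable PIN: only the verified handset may proceed, and only to set one.
        return "FORCE_PIN_SETUP" if own_phone else "DENY"
    if own_phone and box.skip_pin_from_own_phone:
        return "OPEN"
    return "PROMPT_PIN"

# Constructed sample calls (numbers are fictional 555 examples).
SPOOFED = InboundCall("5555550100", "5555550100", ani="5555550199", ani_trusted=False)
HANDSET = InboundCall("5555550100", "5555550100", ani="5555550100", ani_trusted=True)

if __name__ == "__main__":
    for box in (Mailbox("5555550100"), Mailbox("5555550100", "4821", True)):
        for name, call in (("spoofed", SPOOFED), ("handset", HANDSET)):
            print(name, box.pin, legacy_decision(call, box), hardened_decision(call, box))
```

An ANI passed in by a VoIP-to-TDM carrier is modelled as `ani_trusted=False`, so a matching but user-supplied ANI is treated the same as a spoofed caller ID.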

  • Re:They Deserve It (Score:3, Informative)

    by Nirvelli (851945) on Tuesday June 29 2010, @10:49PM (#32739938)
    Most people have no idea they can access their voicemail from other phones. Most people only know that when their cell phone says "you have a message" then they can push the special button and check it and that's it. They think, "The only time somebody can listen to my voicemail is if they steal my phone."
    Why would they ever think to put on a password? As far as they know, there's absolutely no reason to. They probably don't even know you can have a password on it.
  • Re:They Deserve It (Score:3, Informative)

    by mlts (1038732) * on Tuesday June 29 2010, @11:52PM (#32740346)

    T-Mobile forces you to set a PIN, but leaves it up to you if you want it enabled when calling in on your own phone.
