Hack AT&T Voicemail With Android

An anonymous reader writes "It is shockingly easy to gain access to an AT&T customer's voicemail using caller ID spoofing techniques. What's worse is that AT&T knows about it. On your Android phone, download one of the two caller ID spoofing programs. Input the number of your target as the destination number and then enter the same number as the spoofed caller ID. Then connect your call. If the target has not added a voicemail password (the default is no password), you will be dropped into a random menu of their voicemail and eventually can drill up or down to get what you want. You can change greetings, erase messages, send voicemails out of the target account, and much more. How many politicians up in arms about Google Wi-Fi sniffing will want to know more about this?"

Re:passwords..

[Lehk228]

without a password voicemail should only accept connections from the owners phone.

They Deserve It

[j0hnyquest]

If you don't have a password on your voicemail, you deserve to have it hacked into. Plain and simple.

How many politicians...

[TheEyes]

"How many politicians up in arms about Google Wi-Fi sniffing will want to know more about this?"

Answer: none, since Microsoft isn't paying them to target AT&T.

Re:Ha!

[mrsteveman1]

Really? You think the caller ID spoofing is the problem here?

OP Notes On Post

[Anonymous Coward]

I am the one who posted this - it is my first Slashdot submission. Please don't flame too hard. I am posting anon because I am a convicted hacker on probation. I just wanted to add that we noticed a side effect of doing this: If the target is using an Iphone, their Visual Voicemail will prompt for a password the moment the attacker logs out of their voicemail box. The target must then reset their VM password.

Re:passwords..

[X0563511]

It's the damn phone company. If it's a landline, you mean to tell me they can't see what circuit it's coming from all the way back to your house?

If it's a cell, likewise - there are cell specific identifiers. namely the SIM details...

Re:passwords..

[markov_chain]

He's got a point. Why can't voice mail run over some data connection authenticated by the phone's unique ID or something similar? They certainly do billing that way. It is 2010, and voice mail still works by having the phone call out to a magic number- how antiquated!

Re:Placing blame

[Anonymous Coward]

+1, this is NOT an included feature of Android. You have to download an application in order to accomplish this. And, if i'm not mistaken, blackberry and iphones both have access to such apps.

"How many politicians up in arms about Google Wi-Fi sniffing will want to know more about this?" - Seriously? what kind of statement is that? This has NOTHING to do with Google directly. As SilverHatHacker said, if you don't put a password on it, you're just as much to blame. Call spoofing has been around since before Android even existed. Some call spoof sites / applications prohibit you from entering the same number as both your number and the number you are calling (i'd assume to avoid their services being involved with things like this).

Bottom line, don't like it? Put a password on your voicemail. Upset that this is your option? Then complain to the developers / people behind services that allow call spoofing. Don't put the blame on an open source platform, let alone of one of many corporation behind that platform.

Re:They Deserve It

[jeppster]

My wife forgot to lock our house door one night and we were burglarized. By your logic, we deserved that. Good to know; I appreciate the heads up, and I'll be sure to let her know.

Re:Ha!

[mrsteveman1]

No it didn't. The fault here is entirely with AT&T, it is not because of missing passwords/pin numbers (which should not matter), nor is it a lack of regulation concerning caller ID.

Re:They Deserve It

[victorhooi]

heya,

Look, I don't think the parent means you deserve it, in some grand-cosmic karma scheme or something.

I think what he's referring to is that, well, you have to take responsibility for securing your belongings.

It's simple common-sense. In Australia, if I leave my car unlocked in a car-park, and then come back to find my stuff inside gone, if I go to the police and report it, I doubt they'll have a lot of sympathy for me. They'll probably write me off as an idiot - and rightly so. Everybody makes mistakes, but sometimes *touch wood* you have to take responsibiltiy for them.

So while the story about your wife and you being burglarised is sad - ultimately you're adults, you have to take responsibility for your own mistakes. In this case, it was forgetting to lock the doors. That's not to say theft isn't wrong, but I think it's sad how people today don't seem to want to take responsibility for themselves.

It's like those kids who come out crying, boo-hoo, I'm pregnant, my life is ruined, blah blah blah. Well, whoop-de-doo, you chose to have intercourse, who's fault is that? And you chose to do it without using contraception, even smarter. Idiots.

Cheers,
Victor

Re:They Deserve It

[Anonymous Coward]

If you don't wear a seatbelt when you're driving at over 30mph, you deserve to have me suddenly hit the brakes when I'm driving ahead of you so you rear-end me and slam your head into your windshield. Plain and simple.

If you don't look at which alley you're walking down, you deserve to have me pop out behind a garbage can and mug your sorry ass. Plain and simple.

If you don't park straight in a standard public parking lot and allow me to park safely, you deserve to have me key your car and/or pop your tires. Plain and simple.

Ain't karma a bitch?

Re:Ha!

[mrsteveman1]

So riddle me this, what would happen if i went to make a call from my cell phone to another number, but spoofed the caller ID, whose minutes am I then using? Who gets charged?

Doubt it would be the owner of the spoofed number paying. If it DOES work that way, it simply proves AT&T is incompetent. If it doesn't work that way, then their billing department isn't as dumb as their customer security department.

Re:They Deserve It

[DavidD_CA]

How many people even know to put a password on their cellphone voicemail?

I wouldn't expect to need to, since I was never asked for one in the first place nor did any instructions or guidance tell me otherwise.

Re:Ha!

[fuzzyfuzzyfungus]

One is a revenue center, the other is a cost center. I think we can guess which one is further on the ball?

Re:THIS IS NOT A PROBLEM !!

[TheVelvetFlamebait]

It's kind of sad how many situations this cut-and-paste troll is appropriate.

Re:They Deserve It

[nobodyman]

I think most people would agree with you in the abstract, but keep in mind that the majority of mobile phone owners don't even know that such a thing is even possible. We know better so we use passwords. The thing is, AT&T also knows better, and they have the ability to mitigate the risk, but are doing nothing. Shouldn't they be held at least partially responsible?

Re:Placing blame

[PopeRatzo]

You can even call these services from an iPhone! New headline: iPhone Can Hack Unsecured Voicemail

Yes, but if the story were to mention that, it wouldn't work as FUD.

Re:Because that's not how vmail is used

[PopeRatzo]

'Most' people I know use their mobiles for pretty much everything. I would hazard a guess that it is an incredibly small percentage of mobile phone users that actually WANT a universally accessible voice mail service.

So then, just require a password when calling from any phone besides the cellular phone to which the voice mail account is associated.

This is hardly an insurmountable technical issue. There's no reason you couldn't just have calls from the cell phone access the voice mail directly, but if you want to use a different phone to get you voice mail, you need to enter a 4 digit PIN or something (at least).

You can't get an email account without a password, so why should people expect voicemail to be any different, "for convenience"?

Re:Placing blame

[sjames]

It is absolutely positively NOT how voicemail is supposed to work but Android isn't the blame.

AT&T knows very well that caller-id is worthless for authentication AND it has access to the much more authoritative ANI (which cannot be spoofed so easily).

I wouldn't blame the customers either. If you mistakenly believe that AT&T has a single grain of common sense, you might imagine they DO use ANI (I'll bet the manual reads "from your phone only" rather than "from any phone that sends your number in it's faked caller ID") even if you don't know what it's called. After all, they're the phone company, surely they know which phone you're calling from, they DO know who to bill the minutes to after all.

...what?

[Urza9814]

AT&T _still_ doesn't require a voicemail password? I thought pretty much every carrier did because of exactly this kind of trick. It surely didn't start with Android - I remember reading about it years ago, and it was old news even then.

But hell, anyone stupid enough to still use AT&T, when it seems that every week they're losing thousands of customer records, deserves anything that happens.

Re:Placing blame

[mjwx]

Of course, now Google has to play whack-a-mole locking out these apps for much the same reason Apple locks their handhelds: No matter who's really at fault, they get the bad press.

I dont see why Google should do anything about the applications. Nothing has violated Google's TOS here. They are violating AT&T's TOS so let AT&T be the bad guys and ban the violators from their networks.

How many?

[ScrewMaster]

How many politicians up in arms about Google Wi-Fi sniffing will want to know more about this?

Answer: none. Nobody knows Washington better than AT&T.