Hack AT&T Voicemail With Android
An anonymous reader writes "It is shockingly easy to gain access to an AT&T customer's voicemail using caller ID spoofing techniques. What's worse is that AT&T knows about it. On your Android phone, download one of the two caller ID spoofing programs. Input the number of your target as the destination number and then enter the same number as the spoofed caller ID. Then connect your call. If the target has not added a voicemail password (the default is no password), you will be dropped into a random menu of their voicemail and eventually can drill up or down to get what you want. You can change greetings, erase messages, send voicemails out of the target account, and much more. How many politicians up in arms about Google Wi-Fi sniffing will want to know more about this?"
Re:Placing blame (Score:5, Interesting)
Yeah, this is how I always understood voicemail to work. Blame users for not having proper passwords, and blame phone companies for being hopelessly inept at security. Caller ID is useless for authentication; it dates to the early 1970s, when AT&T still assumed the entire phone network was trusted (and thus black/blue boxes were becoming the rage).
Of course, now Google has to play whack-a-mole locking out these apps for much the same reason Apple locks their handhelds: No matter who's really at fault, they get the bad press.
Re:passwords.. (Score:5, Interesting)
1-2-3-4-5
Local police station used that. A guy spent months messing around with informants, cops' girlfriends (awkward when you can hear both the girlfriend and the wife leaving messages for the same cop), etc.
Arrested, charged, convicted, probation ... does it again!
The cops never changed the password.
AT&T hardware has the same loophole (Score:3, Interesting)
Re:Who cares? (Score:3, Interesting)
Dear Mr. / Ms. Politico: I talked to my boss and he's cool with the plan. We will wire you your 1 million dollars into the account of your choice, you just have to push our bill through. Let me know what you want to do.
Thanks,
Your local lobbyist
Or somesuch similar conversation. Not everybody's life is as boring as ours is.
Re:Placing blame (Score:3, Interesting)
Does it have to be on AT&T's network? What if I spoof the Caller ID of my home phone using Asterisk (or something else)?
Precisely (Score:3, Interesting)
Caller ID is not the same as the ANI number on the call. The ANI is what is used to bill.
I think that was exactly the GP's point.
If they used the ANI rather than the caller ID, there wouldn't be a problem.
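The access decision the story and the comments above describe, as an added example that is not part of the original thread: a gate that treats a matching caller ID as the mailbox owner, beside one that always requires a PIN. The function names, field names, return strings and the assumption that the voicemail platform can see the ANI are hypothetical; the ANI comparison is a detection hint that follows the commenters' point, not proof of spoofing.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

@dataclass
class Call:
    caller_id: str              # presentation number, supplied by the calling side
    ani: str                    # billing number the carrier records (assumed visible here)
    dialed: str                 # number whose mailbox is being reached
    pin: Optional[str] = None   # digits keyed in by the caller, if any

@dataclass
class Mailbox:
    number: str
    pin: Optional[str] = None   # None = no voicemail password (the default in the story)

def legacy_gate(call: Call, box: Mailbox) -> str:
    """Behaviour the story describes: a matching caller ID is treated as the owner."""
    if call.caller_id != box.number:
        return "take_message"
    if box.pin is None:
        return "grant"
    return "grant" if call.pin == box.pin else "deny"

def hardened_gate(call: Call, box: Mailbox) -> str:
    """Caller ID never authenticates; access always needs a PIN that is set and matches."""
    if call.caller_id != box.number:
        return "take_message"
    if box.pin is None:
        return "deny_pin_setup_required"
    ok = call.pin is not None and hmac.compare_digest(call.pin, box.pin)
    return "grant" if ok else "deny"

def looks_spoofed(call: Call) -> bool:
    """Detection hint: a 'call to self' whose ANI disagrees with the caller ID."""
    return call.caller_id == call.dialed and call.ani != call.caller_id

# Constructed sample data (not real numbers).
OWNER = "5550100"
BOX_NO_PIN = Mailbox(OWNER)
BOX_PIN = Mailbox(OWNER, pin="847291")
SPOOFED = Call(caller_id=OWNER, ani="5550199", dialed=OWNER)
GENUINE = Call(caller_id=OWNER, ani=OWNER, dialed=OWNER, pin="847291")

if __name__ == "__main__":
    for c in (SPOOFED, GENUINE):
        print(legacy_gate(c, BOX_NO_PIN), hardened_gate(c, BOX_PIN), looks_spoofed(c))
```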
Re:Who cares? (Score:4, Interesting)
I had heard of a scam wherein hackers change your outgoing voicemail message to be "I accept the charges", and then call you collect from one of those strange high-priced calling codes. Effectively, you end up responsible for a huge phone bill, some percentage of which goes to the hackers.
This could be one of those urban legends too; it's late and I'm too tired to confirm it right now, but one can at least see how this isn't necessarily a non-issue.
Re:Who cares? (Score:3, Interesting)
Lock you out of your VM for laughs. Sure, no biggie to fix but a hassle.
Plant some messages on your phone and then attract the attention of the police by calling someone I knew was being monitored by the DEA and spoofing your number to them. Have fun denying that you don't know "Jose" or anything about a drug deal.
Change your message to something threatening against the Pres., VP or PM depending where you live (a properly worded greeting would be easy) and then maybe call the Feds to report it. Have fun explaining it.
If you don't care that's fine, just try to remember that things that are "non-issue" to you may be very big issues to someone else.