Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Cellphones News

Hack AT&T Voicemail With Android 242

An anonymous reader writes "It is shockingly easy to gain access to an AT&T customer's voicemail using caller ID spoofing techniques. What's worse is that AT&T knows about it. On your Android phone, download one of the two caller ID spoofing programs. Input the number of your target as the destination number and then enter the same number as the spoofed caller ID. Then connect your call. If the target has not added a voicemail password (the default is no password), you will be dropped into a random menu of their voicemail and eventually can drill up or down to get what you want. You can change greetings, erase messages, send voicemails out of the target account, and much more. How many politicians up in arms about Google Wi-Fi sniffing will want to know more about this?"
This discussion has been archived. No new comments can be posted.

Hack AT&T Voicemail With Android

Comments Filter:
  • Placing blame (Score:5, Informative)

    by SilverHatHacker ( 1381259 ) on Tuesday June 29, 2010 @08:19PM (#32739310)
    I fail to see how Android is at fault here. That is basically how voicemail is intended to work, and if you don't put a password on it, you're just as much to blame - same as with any computerized system. The fact that you're spoofing it using an Android app is irrelevant.
    • Re:Placing blame (Score:5, Informative)

      by JaZz0r ( 612364 ) on Tuesday June 29, 2010 @08:29PM (#32739394)
      Caller ID spoofing is nothing new. It can be done from a number of [spoofcard.com] different [telespoof.com] services [spooftel.com]. You can even call these services from an iPhone! New headline: iPhone Can Hack Unsecured Voicemail
    • Re: (Score:3, Insightful)

      by Anonymous Coward

      +1, this is NOT an included feature of Android. You have to download an application in order to accomplish this. And, if i'm not mistaken, blackberry and iphones both have access to such apps.

      "How many politicians up in arms about Google Wi-Fi sniffing will want to know more about this?" - Seriously? what kind of statement is that? This has NOTHING to do with Google directly. As SilverHatHacker said, if you don't put a password on it, you're just as much to blame. Call spoofing has been around since before

      • by Bert64 ( 520050 )

        Don't complain to the developers or the spoofing services...

        Complain to the telco that uses something as insecure as CLI to authenticate you.

        The spoofing services are doing you a favor by educating people about how easy it is to spoof CLI. Would you rather be totally naive and completely trusting when you get a call from your banks number and a guy with a nigerian accent cheerfully takes down your account details?

    • Re:Placing blame (Score:5, Interesting)

      by pushing-robot ( 1037830 ) on Tuesday June 29, 2010 @08:53PM (#32739570)

      Yeah, this is how I always understood voicemail to work. Blame users for not having proper passwords, and blame phone companies for being hopelessly inept at security. Caller ID is useless for authentication; it dates to the early 1970s, when AT&T still assumed the entire phone network was trusted (and thus black/blue boxes were becoming the rage).

      Of course, now Google has to play whack-a-mole locking out these apps for much the same reason Apple locks their handhelds: No matter who's really at fault, they get the bad press.

      • Re: (Score:3, Interesting)

        by QuantumRiff ( 120817 )

        does it have to be on ATT's network? What if I spoof the Caller ID of my home phone using asterisk? (or something else?)

      • Re: (Score:3, Insightful)

        by mjwx ( 966435 )

        Of course, now Google has to play whack-a-mole locking out these apps for much the same reason Apple locks their handhelds: No matter who's really at fault, they get the bad press.

        I dont see why Google should do anything about the applications. Nothing has violated Google's TOS here. They are violating AT&T's TOS so let AT&T be the bad guys and ban the violators from their networks.

    • by SuperBanana ( 662181 ) on Tuesday June 29, 2010 @09:00PM (#32739616)

      I fail to see how Android is at fault here. That is basically how voicemail is intended to work, and if you don't put a password on it, you're just as much to blame - same as with any computerized system. The fact that you're spoofing it using an Android app is irrelevant.

      Yep, this is such old news it's not even funny. It is a years-old vulnerability that was covered years ago in slashdot, among other places- I couldn't find any articles with a lazy google search, but I did turn up a comment talking about this very problem from 2006. [slashdot.org] Carriers have known about the issue for half a decade or more.

      The only point I see TFA trying to make in a very roundabout way is that because the Android market is more open than Apple's, stuff like this "can happen", which is slightly true.

    • Re:Placing blame (Score:5, Informative)

      by eyeota ( 686153 ) on Tuesday June 29, 2010 @09:03PM (#32739634)
      ATT's implementation is indeed to blame. CallerID is the calling presentation of a call, not the source/origination. Using CallerID to authenticate anything requires trusting the person making the call and that's just not smart. ANI or Automatic Number Identification is what should be used to identify the call; it's what is used to bill the call after all. No Bell in the right mind accepts ANI from their customer. The bell switch always lookus up the TN originating the call and set the ANI to appropriate value. The ANI is what should be used to authenticate VM as it cannot be set by the customer. Sprint's implementation is indeed correct as I've tried spoofing my own cell # in the past to call into VM was was unsuccessful.
      • No Bell in the right mind accepts ANI from their customer

        Bell? what is this "Bell" stuff you're talking about? All the baby bells have been gobbled up. AT&T and Verizon are all that's left... [jerrykang.net]

    • Who is blaming Android? Tone of the article is negative towards AT&T, not towards Android. It just happens that apps to do this are easy to come by for Android.

    • by rjch ( 544288 )

      I fail to see how Android is at fault here. That is basically how voicemail is intended to work, and if you don't put a password on it, you're just as much to blame - same as with any computerized system. The fact that you're spoofing it using an Android app is irrelevant.

      The article isn't blaming Android for this - the finger is pointed at AT&T for such lax security. The only reason Android is referenced is that there happen to be apps available to spoof caller ID from them.

      In Australia, we don't have this problem because caller ID spoofing of any kind is not allowed and is actively blocked from any landline or mobile service - if you attempt to present caller ID for a number that does not belong to the service the call is originating from, then the caller ID is reset

      • if you attempt to present caller ID for a number that does not belong to the service the call is originating from, then the caller ID is reset to a default.

        I wouldn't say we don't have the problem. You could get away with another number ob the originating service. We have fewer operators and less competition. which leads to other problems of course.

        • by rjch ( 544288 )

          I wouldn't say we don't have the problem. You could get away with another number ob the originating service. We have fewer operators and less competition. which leads to other problems of course.

          On all Australian services I've worked with (and as a former Asterisk engineer, I've worked with a few) if you try to present a number that does not belong to the service (or within the number range assigned to that service - provided you've paid for the privilege) then the default number will be presented.

          • I wouldn't say we don't have the problem. You could get away with another number ob the originating service. We have fewer operators and less competition. which leads to other problems of course.

            On all Australian services I've worked with (and as a former Asterisk engineer, I've worked with a few) if you try to present a number that does not belong to the service (or within the number range assigned to that service - provided you've paid for the privilege) then the default number will be presented.

            Thats what I mean. You can still pretend to be another number on the same service.

    • Re: (Score:3, Insightful)

      by sjames ( 1099 )

      It is absolutely positively NOT how voicemail is supposed to work but Android isn't the blame.

      AT&T knows very well that caller-id is worthless for authentication AND it has access to the much more authoritative ANI (which cannot be spoofed so easily).

      I wouldn't blame the customers either. If you mistakenly believe that AT&T has a single grain of common sense, you might imagine they DO use ANI (I'll bet the manual reads "from your phone only" rather than "from any phone that sends your number in it's

    • by mjwx ( 966435 )

      I fail to see how Android is at fault here. That is basically how voicemail is intended to work, and if you don't put a password on it, you're just as much to blame - same as with any computerised system. The fact that you're spoofing it using an Android app is irrelevant.

      You see this is how AT&T is trying to discredit android. Locking down the handsets is bad enough but now they're trying to say "OMG, they're out of the walled garden, it's terrible and look at all the damage they are doing !!110NE11!

    • if you don't put a password on it, you're just as much to blame

      Do you lock the door to each room in your house?
      No, you don't need to, you just lock the front door (and other exterior doors).

      Same thing here: customers (and apparently the telco too) believed that caller-id was protection enough, so no password is needed.

      The real scandal here is why isn't caller-id unspoofable? If this hack would only be possible from professional equipment or from PABX'es connected via a trunk line, I might understand.

      But accessible from every handset? The designers of such system mu

  • Comment removed (Score:5, Interesting)

    by account_deleted ( 4530225 ) on Tuesday June 29, 2010 @08:19PM (#32739316)
    Comment removed based on user account deletion
    • Re:Any other phone? (Score:5, Informative)

      by reaper ( 10065 ) on Tuesday June 29, 2010 @08:48PM (#32739532) Homepage Journal

      Ya, I did it with Asterisk a while back. Found out accidentally when I dialed my cell phone while setting my call ID to my cell's number. So I tried it with a friend's number. Hilarity ensued.

      • I agree that it's not Google's fault, but I think the point is that Android lowers the bar for someone attempting this. Configuring asterisk to spoof caller ID and retrieving voicemail is possible, but relatively few have the proficiency to do this. Any idiot can buy an Android phone.

    • Re: (Score:2, Informative)

      I did this on a Verizon Droid using a spoof app, to a Verizon number. Not on purpose- i was trying to goof on a friend by having his phone ring with his own number. Then i got the voicemail prompt, and i hung up.
  • So what's new? (Score:4, Informative)

    by Anonymous Coward on Tuesday June 29, 2010 @08:28PM (#32739384)

    This has been a problem for years. VOIP makes caller id spoofing trivial and is supported as a feature just about everywhere. The problem is the fact that VOIP is bolted on to existing infrastructure. An ip call terminating into the pstn has no inherit phone number since (obviously) it's not originating in the pstn. The solution? You can pick our own caller id.

    • Its not specifically "VOIP" that lets you do it. It's the fact that most telcos will just pass along the Calling Party Number handed to them on the ISDN setup message, as rightly they should. If I purchase a PRI from a telco to say, share between businesses in an office complex, and get assigned a block of 10 DIDs, when I place an outgoing call on the circuit, how does the telco know what CID to set for the business placing the call.

      Now, granted, there is ANI, which is often set to the main "Bill-To Num

      • by AK Marc ( 707885 )
        how does the telco know what CID to set for the business placing the call.

        How about they don't set the CID, but strip it if the number handed to them isn't authorized on that line? That would fix the problem in most cases.
      • Its not specifically "VOIP" that lets you do it. It's the fact that most telcos will just pass along the Calling Party Number handed to them on the ISDN setup message, as rightly they should. If I purchase a PRI from a telco to say, share between businesses in an office complex, and get assigned a block of 10 DIDs, when I place an outgoing call on the circuit, how does the telco know what CID to set for the business placing the call.

        It should also be the responsibility of the up line provider to make sure that the advertised caller IDs are either blank or valid before passing them on. If an advertised caller ID isn't a subset of the valid subscribed numbers for its respective down line segment, then it should either be blanked or invalidated.

  • Not just Android (Score:3, Informative)

    by agent_vee ( 1801664 ) on Tuesday June 29, 2010 @09:07PM (#32739662)
    My friend used a application like this to fake his caller ID using his iPhone. Though it might have required jailbreaking to install.
  • ...IMEI rather than phone No.

    As well as a password.

    If you get a new phone! all you need to do is link your new IMEI and remove the old one. It's more secure and pushes things up a notch legal-wise if someone tries to spoof a IMEI!!

    • by mjwx ( 966435 )

      ...IMEI rather than phone No.

      What if I change phones? My old phone breaks and I buy the $40 special from JB HiFi.

      I have to call the phone companies customer disservice line and get my new IMEI assigned to my voicemail account and hope they dont screw it up in the six to eight weeks it takes them to do anything.

      A better solution is to enforce voicemail passwords. They already make you set a message before activating it, adding a requirement for a 4 digit min numerical password should be trivial.

  • Is the default really no password for most AT&T phones? I seem to recall part of the iPhone setup requiring you to enter a vmail password.

  • by tompaulco ( 629533 ) on Tuesday June 29, 2010 @09:31PM (#32739828) Homepage Journal
    I had an AT&T answering machine which you could access remotely. I, of course, had set the pin. However, someone still managed to get in and hack it and changed my greeting to something about sucking male genitalia. I was not amused. I ended up disabling the remote access completely since apparently any old idiot can call in and figure out how to get into the menus.
  • by ZeroNullVoid ( 886675 ) on Tuesday June 29, 2010 @10:15PM (#32740100)
    please tell me this is slashdot worthy?

    I see this post as the same thing as saying one of the following:

    You can hack into a car by throwing your android phone really hard at a window.
    There is an app on your android phone that makes it so you can steal money from people, just put it in your pocket, hold it to their back and pretend it is a gun while asking for everything they have.
    Hack your McDonald hamburger by taking the buns and putting them on your head and calling them your alien receptors.
    Hack your microwave, stick your android in it for 10 minutes while running this "insert ad here" app.
    Hack the airwaves, play music on your android.
  • ...what? (Score:3, Insightful)

    by Urza9814 ( 883915 ) on Tuesday June 29, 2010 @10:15PM (#32740114)

    AT&T _still_ doesn't require a voicemail password? I thought pretty much every carrier did because of exactly this kind of trick. It surely didn't start with Android - I remember reading about it years ago, and it was old news even then.

    But hell, anyone stupid enough to still use AT&T, when it seems that every week they're losing thousands of customer records, deserves anything that happens.

  • I haven't tried for a couple of years, but accessing voicemail by spoofing CLI certainly used to work on at least two UK mobile networks (N.B. I tested it using my own accounts).

    Many people are not aware how easy it can be to spoof CLI in the UK.

  • How many? (Score:3, Insightful)

    by ScrewMaster ( 602015 ) on Wednesday June 30, 2010 @06:42AM (#32742548)

    How many politicians up in arms about Google Wi-Fi sniffing will want to know more about this?

    Answer: none. Nobody knows Washington better than AT&T.

Every nonzero finite dimensional inner product space has an orthonormal basis. It makes sense, when you don't think about it.

Working...