Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.



608 posts

Ultimate Geek
+1 received by user: 50


Topic # 87262 23-Jul-2011 22:44

Today's Herald purports that you can hack into another users Telecom mobile voicemail using a spoofed callerID over VoIP.

See http://m.nzherald.co.nz/nz/news/article.php?c_id=1&objectid=10740363

Is this factual?

Are there VoIP providers that allow you to program any chosen callerID as outgoing without any verification?

The article suggests using Skype. But I know that Skype requires you to verify your spoofed ID by replying to a SMS to the number concerned.

Create new topic
601 posts

Ultimate Geek
+1 received by user: 5

Trusted

  Reply # 497248 24-Jul-2011 00:19 Send private message

1eStar: Today's Herald purports that you can hack into another users Telecom mobile voicemail using a spoofed callerID over VoIP.

See http://m.nzherald.co.nz/nz/news/article.php?c_id=1&objectid=10740363

Is this factual?


Yes, yes it is.  The article is incorrect about one thing, it is entirely possible to protect the VM from caller ID spoofing (ref: Vodafone's response).  It is all about whether or not the voicemail system (and network) should trust the caller id information or not.  Basically, if it doesn't have enough information to _bill_ the phone for the call, you don't trust it.


Are there VoIP providers that allow you to program any chosen callerID as outgoing without any verification?


Yes, there are.  They are used for more than VM hacking too.  Google "SWATTING": 

http://en.wikipedia.org/wiki/Swatting

However, even a good pin won't protect you in the land of VoIP.  With VoIP, it doesn't take very long to dial a number, pump in 4 digits and hang up.  With 4 digits, and 1 attempt per second, that's less than 3 hours.

Jason




5432 posts

Uber Geek
+1 received by user: 227

Subscriber

  Reply # 497294 24-Jul-2011 09:45 Send private message

Yep the NZ Herald makes a big thing of this and soon every school boy who thinks of themselves as a geek will be trying it. Nothing like a bit of MSM publicity to make people take note that it can be done as the RIAA found out when they publicized the use of music sharing programs back 10 years ago..




Regards,

Old3eyes

BDFL
49909 posts

Uber Geek
+1 received by user: 4621

Administrator
Trusted
Geekzone
Subscriber

  Reply # 497301 24-Jul-2011 10:18 Send private message

FTA:

"We strongly advise that customers take personal responsibility to ensure their phones are protected by locking their handsets and using protected pin numbers to access their voicemail boxes."

That's the key point here. If people use the obvious "autlogin" feature then what can one do really?

It's however no different than going to Cafe [not naming names today] in Ngaio and looking their blackboard in the kitchen and seeing in big letter "voice mail PIN XXXX". Obviously more than one employee listen to their voice mail to check for bookings, etc... But it's also clearly visible to anyone sitting on the deck or from the kitchen towards the back of the cafe.

"Personal responsibility" is key here. As Jerry Maguire said, "Help me help you"...





601 posts

Ultimate Geek
+1 received by user: 5

Trusted

  Reply # 497350 24-Jul-2011 14:30 Send private message

freitasm: FTA: 

"We strongly advise that customers take personal responsibility to ensure their phones are protected by locking their handsets and using protected pin numbers to access their voicemail boxes." 

That's the key point here. If people use the obvious "autlogin" feature then what can one do really? 




I'm going to rant a bit, because I had a product proposal for just this problem (back in 2007), but people kept telling me, "No one would buy that, it doesn't generate revenue!" :)

Autologin shouldn't work from any device other than the mobile phone it is assigned to on a trusted network.  This isn't an old problem, it isn't even a hard problem to solve.  Web sites have dealt (and continue to deal) with this exact same situation.

Just as web developers learned to do, carriers need to divide their network into trusted and untrusted, and scrub any sensitive data which is coming in from an untrusted network.  Heck, carriers have known about this problem for a long, long time.  The T-Mobile Sidekick was very publicly attacked in exactly the same way back in 2005.

So, instead of having a VM system which everyone can connect to, and which trusts the provided CLI, you have two paths to connect to the VM, one from the local network with a trusted CLI, and one from everywhere else, which doesn't.  Then if the VM doesn't support an untrusted CLI, you remove it from the message.

There are fancier ways to extend the trusted network when the traffic is transmitted across untrusted third parties, but the basic idea remains, if it isn't trusted, don't use it for identification.




27 posts

Geek


  Reply # 505549 12-Aug-2011 14:25 Send private message

Wouldn't it be easier to just use the ANI data for authentication? I was of the impression that ANI can be/is used for billing and is therefore (supposed to be) tamper-proof.

601 posts

Ultimate Geek
+1 received by user: 5

Trusted

  Reply # 505570 12-Aug-2011 14:46 Send private message

heydonms: Wouldn't it be easier to just use the ANI data for authentication? I was of the impression that ANI can be/is used for billing and is therefore (supposed to be) tamper-proof.


Nope, you can't trust the ANI (from off-net) either. :)  If you google for it, you'll find how.

http://www.schneier.com/blog/archives/2006/03/caller_id_spoof.html

But then, the part of the carrier that cross bills for termination doesn't really care about the ANI as long as they know which carrier it came from.




1547 posts

Uber Geek
+1 received by user: 95

Subscriber

  Reply # 505579 12-Aug-2011 14:56 Send private message

freitasm: It's however no different than going to Cafe [not naming names today] in Ngaio and looking their blackboard in the kitchen and seeing in big letter "voice mail PIN XXXX". Obviously more than one employee listen to their voice mail to check for bookings, etc... But it's also clearly visible to anyone sitting on the deck or from the kitchen towards the back of the cafe.

"Personal responsibility" is key here. As Jerry Maguire said, "Help me help you"...



There is also a bar in Featherson St with their wifi password on the wall behind the bar where customers can read it :)

Create new topic




Twitter »
Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:





Trending now »

Hot discussions in our forums right now:

Who Audits IRD?
Created by gundar, last reply by joker97 on 22-Oct-2014 14:10 (16 replies)
Pages... 2


American legal jurisdiction in New Zealand
Created by ajobbins, last reply by gzt on 21-Oct-2014 14:58 (30 replies)
Pages... 2


Another Trade Me competitor: SellShed
Created by freitasm, last reply by SellShed on 22-Oct-2014 11:54 (42 replies)
Pages... 2 3


Spark Socialiser
Created by freitasm, last reply by old3eyes on 22-Oct-2014 10:37 (26 replies)
Pages... 2


Snap have failed our company!
Created by dafman, last reply by toejam316 on 22-Oct-2014 13:03 (25 replies)
Pages... 2


22nd Only: PB Tech BROTHER HL1110 Mono laser Printer $15 shipped(after $30 cashback)
Created by loceff13, last reply by Andib on 22-Oct-2014 14:13 (11 replies)

Just bought a TiVo online. No wireless adaptor. Will a standard one work? Or do I need the TiVo one ?
Created by Limerick, last reply by graemeh on 20-Oct-2014 16:03 (11 replies)

iPad Air 2 and iPad Mini 3. Gonna get one?
Created by Dingbatt, last reply by Geektastic on 22-Oct-2014 13:15 (64 replies)
Pages... 3 4 5



Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.

Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.