Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.




1327 posts

Uber Geek
+1 received by user: 256


Topic # 87262 23-Jul-2011 22:44
Send private message

Today's Herald purports that you can hack into another users Telecom mobile voicemail using a spoofed callerID over VoIP.

See http://m.nzherald.co.nz/nz/news/article.php?c_id=1&objectid=10740363

Is this factual?

Are there VoIP providers that allow you to program any chosen callerID as outgoing without any verification?

The article suggests using Skype. But I know that Skype requires you to verify your spoofed ID by replying to a SMS to the number concerned.

Create new topic
600 posts

Ultimate Geek
+1 received by user: 5

Trusted

  Reply # 497248 24-Jul-2011 00:19
Send private message

1eStar: Today's Herald purports that you can hack into another users Telecom mobile voicemail using a spoofed callerID over VoIP.

See http://m.nzherald.co.nz/nz/news/article.php?c_id=1&objectid=10740363

Is this factual?


Yes, yes it is.  The article is incorrect about one thing, it is entirely possible to protect the VM from caller ID spoofing (ref: Vodafone's response).  It is all about whether or not the voicemail system (and network) should trust the caller id information or not.  Basically, if it doesn't have enough information to _bill_ the phone for the call, you don't trust it.


Are there VoIP providers that allow you to program any chosen callerID as outgoing without any verification?


Yes, there are.  They are used for more than VM hacking too.  Google "SWATTING": 

http://en.wikipedia.org/wiki/Swatting

However, even a good pin won't protect you in the land of VoIP.  With VoIP, it doesn't take very long to dial a number, pump in 4 digits and hang up.  With 4 digits, and 1 attempt per second, that's less than 3 hours.

Jason




7617 posts

Uber Geek
+1 received by user: 720

Subscriber

  Reply # 497294 24-Jul-2011 09:45
Send private message

Yep the NZ Herald makes a big thing of this and soon every school boy who thinks of themselves as a geek will be trying it. Nothing like a bit of MSM publicity to make people take note that it can be done as the RIAA found out when they publicized the use of music sharing programs back 10 years ago..




Regards,

Old3eyes


 
 
 
 


BDFL - Memuneh
58932 posts

Uber Geek
+1 received by user: 10298

Administrator
Trusted
Geekzone
Subscriber

  Reply # 497301 24-Jul-2011 10:18
Send private message

FTA:

"We strongly advise that customers take personal responsibility to ensure their phones are protected by locking their handsets and using protected pin numbers to access their voicemail boxes."

That's the key point here. If people use the obvious "autlogin" feature then what can one do really?

It's however no different than going to Cafe [not naming names today] in Ngaio and looking their blackboard in the kitchen and seeing in big letter "voice mail PIN XXXX". Obviously more than one employee listen to their voice mail to check for bookings, etc... But it's also clearly visible to anyone sitting on the deck or from the kitchen towards the back of the cafe.

"Personal responsibility" is key here. As Jerry Maguire said, "Help me help you"...





600 posts

Ultimate Geek
+1 received by user: 5

Trusted

  Reply # 497350 24-Jul-2011 14:30
Send private message

freitasm: FTA: 

"We strongly advise that customers take personal responsibility to ensure their phones are protected by locking their handsets and using protected pin numbers to access their voicemail boxes." 

That's the key point here. If people use the obvious "autlogin" feature then what can one do really? 




I'm going to rant a bit, because I had a product proposal for just this problem (back in 2007), but people kept telling me, "No one would buy that, it doesn't generate revenue!" :)

Autologin shouldn't work from any device other than the mobile phone it is assigned to on a trusted network.  This isn't an old problem, it isn't even a hard problem to solve.  Web sites have dealt (and continue to deal) with this exact same situation.

Just as web developers learned to do, carriers need to divide their network into trusted and untrusted, and scrub any sensitive data which is coming in from an untrusted network.  Heck, carriers have known about this problem for a long, long time.  The T-Mobile Sidekick was very publicly attacked in exactly the same way back in 2005.

So, instead of having a VM system which everyone can connect to, and which trusts the provided CLI, you have two paths to connect to the VM, one from the local network with a trusted CLI, and one from everywhere else, which doesn't.  Then if the VM doesn't support an untrusted CLI, you remove it from the message.

There are fancier ways to extend the trusted network when the traffic is transmitted across untrusted third parties, but the basic idea remains, if it isn't trusted, don't use it for identification.




27 posts

Geek


  Reply # 505549 12-Aug-2011 14:25
Send private message

Wouldn't it be easier to just use the ANI data for authentication? I was of the impression that ANI can be/is used for billing and is therefore (supposed to be) tamper-proof.

600 posts

Ultimate Geek
+1 received by user: 5

Trusted

  Reply # 505570 12-Aug-2011 14:46
Send private message

heydonms: Wouldn't it be easier to just use the ANI data for authentication? I was of the impression that ANI can be/is used for billing and is therefore (supposed to be) tamper-proof.


Nope, you can't trust the ANI (from off-net) either. :)  If you google for it, you'll find how.

http://www.schneier.com/blog/archives/2006/03/caller_id_spoof.html

But then, the part of the carrier that cross bills for termination doesn't really care about the ANI as long as they know which carrier it came from.




2040 posts

Uber Geek
+1 received by user: 212

Subscriber

  Reply # 505579 12-Aug-2011 14:56
Send private message

freitasm: It's however no different than going to Cafe [not naming names today] in Ngaio and looking their blackboard in the kitchen and seeing in big letter "voice mail PIN XXXX". Obviously more than one employee listen to their voice mail to check for bookings, etc... But it's also clearly visible to anyone sitting on the deck or from the kitchen towards the back of the cafe.

"Personal responsibility" is key here. As Jerry Maguire said, "Help me help you"...



There is also a bar in Featherson St with their wifi password on the wall behind the bar where customers can read it :)

Create new topic



Twitter »

Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:





News »

Vodafone TV — television in the cloud
Posted 17-Oct-2017 19:29


Nokia 8 review: Classy midrange pure Android phone
Posted 16-Oct-2017 07:27


Why carriers might want to embrace Commerce Commission study, MVNOs
Posted 13-Oct-2017 09:42


Fitbit launches Ionic, its health and fitness smartwatch
Posted 12-Oct-2017 15:52


Xero launches machine learning automation to improve coding accuracy for small businesses
Posted 12-Oct-2017 15:45


Bank of New Zealand uses Intel AI to detect financial crime
Posted 12-Oct-2017 15:39


Sony launches Xperia XZ1, a smartphone with real-time 3D capture
Posted 11-Oct-2017 10:26


Notes on Nokia’s phone comeback
Posted 10-Oct-2017 10:06


Air New Zealand begins Inflight Wi-Fi rollout
Posted 9-Oct-2017 20:16


The latest mobile phones in perspective
Posted 9-Oct-2017 18:34


Review: Acronis True Image 2018 — serious backup
Posted 8-Oct-2017 11:22


Lenovo launches ThinkPad Anniversary Edition 25
Posted 7-Oct-2017 23:16


Less fone, more tech as Vodafone gets brand make-over
Posted 6-Oct-2017 08:16


API Talent Achieves AWS MSP Partner Status
Posted 5-Oct-2017 21:20


Stellar Consulting Group now a Domo Partner
Posted 5-Oct-2017 21:03



Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.



Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.