
1eStar

1604 posts

Uber Geek


#87262 23-Jul-2011 22:44

Today's Herald purports that you can hack into another user's Telecom mobile voicemail using a spoofed callerID over VoIP.

See http://m.nzherald.co.nz/nz/news/article.php?c_id=1&objectid=10740363

Is this factual?

Are there VoIP providers that allow you to program any chosen callerID as outgoing without any verification?

The article suggests using Skype. But I know that Skype requires you to verify your spoofed ID by replying to a SMS to the number concerned.

jpollock
600 posts

Ultimate Geek

Trusted

  #497248 24-Jul-2011 00:19

1eStar: Today's Herald purports that you can hack into another user's Telecom mobile voicemail using a spoofed callerID over VoIP.

See http://m.nzherald.co.nz/nz/news/article.php?c_id=1&objectid=10740363

Is this factual?


Yes, yes it is.  The article is incorrect about one thing: it is entirely possible to protect the VM from caller ID spoofing (ref: Vodafone's response).  It is all about whether or not the voicemail system (and network) should trust the caller ID information or not.  Basically, if it doesn't have enough information to _bill_ the phone for the call, you don't trust it.


Are there VoIP providers that allow you to program any chosen callerID as outgoing without any verification?


Yes, there are.  They are used for more than VM hacking too.  Google "SWATTING": 

http://en.wikipedia.org/wiki/Swatting

However, even a good pin won't protect you in the land of VoIP.  With VoIP, it doesn't take very long to dial a number, pump in 4 digits and hang up.  With 4 digits, and 1 attempt per second, that's less than 3 hours.

Jason




old3eyes
8995 posts

Uber Geek

Subscriber

  #497294 24-Jul-2011 09:45

Yep, the NZ Herald makes a big thing of this and soon every schoolboy who thinks of himself as a geek will be trying it. Nothing like a bit of MSM publicity to make people take note that it can be done, as the RIAA found out when they publicised the use of music sharing programs 10 years ago.




Regards,

Old3eyes


freitasm
BDFL - Memuneh
76342 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #497301 24-Jul-2011 10:18

FTA:

"We strongly advise that customers take personal responsibility to ensure their phones are protected by locking their handsets and using protected pin numbers to access their voicemail boxes."

That's the key point here. If people use the obvious "autologin" feature then what can one do really?

It's however no different than going to Cafe [not naming names today] in Ngaio, looking at their blackboard in the kitchen and seeing in big letters "voice mail PIN XXXX". Obviously more than one employee listens to their voice mail to check for bookings, etc... But it's also clearly visible to anyone sitting on the deck or from the kitchen towards the back of the cafe.

"Personal responsibility" is key here. As Jerry Maguire said, "Help me help you"...








jpollock
600 posts

Ultimate Geek

Trusted

  #497350 24-Jul-2011 14:30

freitasm: FTA: 

"We strongly advise that customers take personal responsibility to ensure their phones are protected by locking their handsets and using protected pin numbers to access their voicemail boxes." 

That's the key point here. If people use the obvious "autologin" feature then what can one do really?




I'm going to rant a bit, because I had a product proposal for just this problem (back in 2007), but people kept telling me, "No one would buy that, it doesn't generate revenue!" :)

Autologin shouldn't work from any device other than the mobile phone it is assigned to on a trusted network.  This isn't an old problem, it isn't even a hard problem to solve.  Web sites have dealt (and continue to deal) with this exact same situation.

Just as web developers learned to do, carriers need to divide their network into trusted and untrusted, and scrub any sensitive data which is coming in from an untrusted network.  Heck, carriers have known about this problem for a long, long time.  The T-Mobile Sidekick was very publicly attacked in exactly the same way back in 2005.

So, instead of having a VM system which everyone can connect to, and which trusts the provided CLI, you have two paths to connect to the VM, one from the local network with a trusted CLI, and one from everywhere else, which doesn't.  Then if the VM doesn't support an untrusted CLI, you remove it from the message.

There are fancier ways to extend the trusted network when the traffic is transmitted across untrusted third parties, but the basic idea remains, if it isn't trusted, don't use it for identification.
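The trusted/untrusted split described in this post, plus a lockout for the "4 digits, one attempt per second" brute force raised earlier in the thread, sketched as an added example (not code from the thread or from any carrier's voicemail platform; trunk names, mailbox numbers, PINs and the lockout threshold are all constructed):

```python
# Added example, not code from the thread. A toy voicemail access gate that
# applies the trust model above: caller ID (CLI) is honoured for "autologin"
# only when the call arrives on a trusted (on-net, billable) trunk; CLI that
# arrives over an untrusted interconnect (VoIP, off-net) is scrubbed and the
# caller must present a PIN. Failed PIN attempts are counted per mailbox and
# the mailbox locks, which defeats the "one PIN guess per second" brute force.
import hmac
from dataclasses import dataclass
from typing import Optional

TRUSTED_TRUNKS = {"on-net-msc"}   # constructed: trunks whose CLI the carrier can bill against
MAX_FAILED_PINS = 5               # assumed lockout policy, not a real carrier setting

@dataclass
class Mailbox:
    number: str
    pin: str
    autologin: bool = False       # the convenience feature the thread is about
    failed_attempts: int = 0
    locked: bool = False

@dataclass
class Call:
    trunk: str                    # interconnect the call arrived on
    cli: Optional[str]            # caller ID as presented by that trunk
    pin_entered: Optional[str] = None

def scrub_cli(call: Call) -> Optional[str]:
    """Return the CLI only if it came over a trusted trunk; otherwise treat it as absent."""
    return call.cli if call.trunk in TRUSTED_TRUNKS else None

def authenticate(box: Mailbox, call: Call) -> str:
    """Return 'granted', 'pin_required', 'denied' or 'locked'."""
    if box.locked:
        return "locked"
    # Autologin is honoured only when the CLI is trustworthy AND matches the mailbox.
    if box.autologin and scrub_cli(call) == box.number:
        return "granted"
    if call.pin_entered is None:
        return "pin_required"     # untrusted CLI never identifies the caller by itself
    if hmac.compare_digest(call.pin_entered, box.pin):
        box.failed_attempts = 0
        return "granted"
    box.failed_attempts += 1
    if box.failed_attempts >= MAX_FAILED_PINS:
        box.locked = True         # rate limiting: the 10,000-guess search space is never reachable
        return "locked"
    return "denied"
```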




heydonms
27 posts

Geek


  #505549 12-Aug-2011 14:25

Wouldn't it be easier to just use the ANI data for authentication? I was of the impression that ANI can be/is used for billing and is therefore (supposed to be) tamper-proof.

jpollock
600 posts

Ultimate Geek

Trusted

  #505570 12-Aug-2011 14:46

heydonms: Wouldn't it be easier to just use the ANI data for authentication? I was of the impression that ANI can be/is used for billing and is therefore (supposed to be) tamper-proof.


Nope, you can't trust the ANI (from off-net) either. :)  If you google for it, you'll find how.

http://www.schneier.com/blog/archives/2006/03/caller_id_spoof.html

But then, the part of the carrier that cross bills for termination doesn't really care about the ANI as long as they know which carrier it came from.




graemeh
2078 posts

Uber Geek


  #505579 12-Aug-2011 14:56

freitasm: It's however no different than going to Cafe [not naming names today] in Ngaio and looking their blackboard in the kitchen and seeing in big letter "voice mail PIN XXXX". Obviously more than one employee listen to their voice mail to check for bookings, etc... But it's also clearly visible to anyone sitting on the deck or from the kitchen towards the back of the cafe.

"Personal responsibility" is key here. As Jerry Maguire said, "Help me help you"...



There is also a bar in Featherston St with their wifi password on the wall behind the bar where customers can read it :)
