Hacking your Voice Mail

Published by marco on

tl;dr: If you don’t use your voice mail for your phone, then you should disable it. It is ridiculously insecure and can or will be used by hackers to gain access to other services you use (e.g. WhatsApp or PayPal).

On Sunrise, you can deactivate your voice mail by “calling” #145#. To re-activate, call *145#. You’ll get a confirmation message.

The CCC annual conference (Chaos Computer Club) took place last weekend in Leipzig, Germany. There were several interesting talks, but this one stood out: Martin Vigo’s presentation was very good and didn’t seem as padded as other presentations. On top of that, it’s a real-life hack that can affect anyone with a phone and active voice mail.

What does he do?

He takes us through a bit of history about hacking old phone systems—the “phreakers” of the good, old days would hack systems with special sounds (DTMF tones) or by flooding poorly written checking algorithms with more data than they were expecting. Using these tricks, they would gain access to free international calling or be able to charge calls to other people’s accounts.

It still works today.

Wait, how? We all have smartphones now. We barely even use voice calling! Nobody uses voice mail anymore.

All very true. But: just because you’re not using your voice mail doesn’t mean that someone else can’t use it.

His hack is multi-stage. I’ve summarized a bit below, but you should watch the video for the exact steps.[1]

  1. Find a phone number that the user has set up as a 2FA method for the service you want to crack (he shows examples with WhatsApp and PayPal)
  2. Get the service type for that number (e.g. O2 or Vodafone)
  3. Call the service number for that phone’s voice mail
  4. Brute-force the PIN like it’s 1975 (takes a few seconds)
  5. You now have access to that number’s voice mail
  6. Make sure that phone’s calls will go to voice mail (several techniques here)
  7. Go to the service and request a password reset, but say you want them to call you instead of sending a text
  8. The service calls with an automated message
  9. It lands in voice mail
  10. Use your software to load the voice mail and send it through voice-recognition software to get the code it read aloud
  11. Record this code as DTMF in your outgoing message
  12. When the service calls again to verify the code (you’re supposed to type it in at that point), your outgoing message will play the DTMF tones at the correct time and the service thinks you typed it
  13. You can now proceed with the password reset on that account because you’ve “confirmed” that it’s your phone, when all you have access to is the voice mail.

35C3 − Compromising online accounts by cracking voicemail systems by Martin Vigo (YouTube)


[1] He presented several hacks in a nice build-up, but I wrote that list from memory, so I might have gotten some minor details wrong. The basic thrust of it is correct, though.