Hacking your Voice Mail
Published by marco on
tl;dr: If you don’t use your voice mail for your phone, then you should disable it. It is ridiculously insecure and can and will be used by hackers to gain access to other services you use (e.g. WhatsApp or PayPal).
On Sunrise, you can deactivate your voice mail by “calling” #145#. To re-activate, call *145#. You’ll get a confirmation message.
The CCC annual conference (Chaos Computer Club) took place last weekend, in Leipzig, Germany. There were several interesting talks, but this one stood out: Vigo’s presentation was very good and didn’t seem as padded as other presentations. On top of that, it’s a real-life hack that can affect anyone with a phone and active voice-mail.
What does he do?
He takes us through a bit of history about hacking old phone systems: the “phreakers” of the good, old days would hack systems with special sounds (DTMF tones) or by flooding poorly written checking algorithms with more data than they were expecting. Using these tricks, they would gain access to free international calling or be able to charge calls to other people’s accounts.
It still works today.
Wait, how? We all have smartphones now. We barely even use voice-calling! Nobody uses voice mail anymore.
All very true. But: just because you’re not using your voice mail doesn’t mean that someone else can’t use it.
His hack is multi-stage. I’ve summarized a bit below, but you should watch the video for the exact steps.
- Find a phone number that the user has set up as 2FA for the service you want to crack (he shows examples with WhatsApp and PayPal)
- Get the service type for that number (e.g. O2 or Vodafone)
- Call the service number for that phone’s voice mail
- Brute-force the PIN like it’s 1975 (takes a few seconds)
- You now have access to that number’s voice mail
- Make sure that phone’s calls will go to voice mail (several techniques here)
- Go to the service and request a password reset, but say you want them to call you instead of sending a text
- The service calls with an automated message
- It lands in voice mail
- Use your software to load the voice mail and send it through voice-recognition software to get the code it read aloud
- Record this code as DTMF in your outgoing message
- When the service calls again to verify the code (you’re supposed to type it in at that point), your outgoing message will play the DTMF tones at the correct time and the service thinks you typed it
- You can now proceed with password-reset on that account because you’ve “confirmed” that it’s your phone, when all you have access to is the voice mail.