This page shows the source for this entry, with WebCore formatting language tags and attributes highlighted.

Title

Hacking your Voice Mail

Description

<abstract><abbr title="too long; didn't read">tl;dr</abbr>: If you don't use your voice mail for your phone, then you should disable it. It is ridiculously insecure and can or will be used by hackers to gain access to other services you use (e.g. WhatsApp or PayPal). On Sunrise, you can <a href="https://www.sunrise.ch/en/residential/help/sim-karte-und-mailbox/sunrise-mailbox.html">deactivate your voice mail</a> by "calling" #145#. To re-activate, call *145#. You'll get a confirmation message.</abstract>

The CCC annual conference (Chaos Computer Club) took place last weekend, in Leipzig, Germany. There were several interesting talks, but this one stood out: Vigo's presentation was very good and didn't seem as padded as other presentations. On top of that, it's a real-life hack that can affect anyone with a phone and active voice mail.

What does he do? He takes us through a bit of history about hacking old phone systems---the "phreakers" of the good old days would hack systems with special sounds (<abbr title="Dual-tone Multi-frequency">DTMF</abbr> tones) or by flooding poorly written checking algorithms with more data than they were expecting. Using these tricks, they would gain access to free international calling or be able to charge calls to other people's accounts. It still works today.

Wait, how? We all have smartphones now. We barely even <i>use</i> voice-calling! <i>Nobody</i> uses voice mail anymore. All very true. But: just because <i>you're</i> not using your voice mail doesn't mean that <i>someone else</i> can't use it.

His hack is multi-stage. I've summarized a bit below, but you should watch the video for the exact steps.<fn>

<ol>
Find a phone number that a user has set up as 2FA for the service you want to crack (he shows examples with WhatsApp and PayPal)
Get the service type for that number (e.g. O2 or Vodafone)
Call the service number for that phone's voice mail
Brute-force the PIN like it's 1975 (takes a few seconds)
You now have access to that number's voice mail
Make sure that phone's calls will go to voice mail (several techniques here)
Go to the service and request a password reset, but say you want them to <i>call you</i> instead of sending a text
The service calls with an automated message
It lands in voice mail
Use your software to load the voice mail and send it through voice-recognition software to get the code it read aloud
Record this code as DTMF in your outgoing message
When the service calls again to verify the code (you're supposed to type it in at that point), your outgoing message will play the DTMF tones at the correct time and the service thinks you typed it
You can now proceed with password-reset on that account because you've "confirmed" that it's your phone, when all you have access to is the voice mail.
</ol>

<media src="https://www.youtube.com/v/E4UPlB2l8t8" href="https://www.youtube.com/watch?v=E4UPlB2l8t8" caption="35C3 - Compromising online accounts by cracking voicemail systems" author="Martin Vigo" source="YouTube" width="560px">

<hr>

<ft>He presented several hacks in a nice build-up, but I wrote that list from memory, so I might have gotten some minor details wrong. The basic thrust of it is correct, though.</ft>
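The PIN step in the list above only takes seconds when the voice mail system keeps evaluating guesses. As an added example (not from the original post or from the talk), this is one way a voice mail system could throttle and lock PIN entry per mailbox; the class name, thresholds, mailbox id and PIN are assumptions constructed for illustration.

```python
import hmac
from collections import Counter


class PinGuard:
    """Throttle PIN entry per mailbox, regardless of which number is calling."""

    def __init__(self, max_failures=5, base_delay=30.0):
        self.max_failures = max_failures  # consecutive misses before a hard lock
        self.base_delay = base_delay      # seconds; doubles after every miss
        self._state = {}                  # mailbox -> (failures, not_before)

    def check(self, mailbox, stored_pin, entered_pin, now):
        failures, not_before = self._state.get(mailbox, (0, 0.0))
        if failures >= self.max_failures:
            return "locked"               # owner must reset out of band
        if now < not_before:
            return "throttled"            # the entry is not evaluated at all
        if hmac.compare_digest(stored_pin, entered_pin):
            self._state.pop(mailbox, None)
            return "ok"
        failures += 1
        delay = self.base_delay * 2 ** (failures - 1)
        self._state[mailbox] = (failures, now + delay)
        return "locked" if failures >= self.max_failures else "denied"


def sweep_outcomes(guard, mailbox, stored_pin, guesses_per_second=10):
    """Feed every 4-digit value in order at a fixed rate and tally the results."""
    outcomes = Counter()
    for i in range(10_000):
        now = i / guesses_per_second
        outcomes[guard.check(mailbox, stored_pin, f"{i:04d}", now)] += 1
    return outcomes


if __name__ == "__main__":
    # Constructed mailbox id and PIN, not taken from any real system.
    print(dict(sweep_outcomes(PinGuard(), "mbx-1", "7341")))
```

With these settings only five entries of the whole sweep are ever compared against the stored PIN before the mailbox locks.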