Several years ago the UK was gripped by a scandal in which the voicemails of celebrities and other individuals were hacked by newspaper journalists who flouted privacy laws to obtain source material for their stories. Describing the violations as ‘hacking’ made the journalists seem more sophisticated than they were; mostly they used default passcodes, because so many people fail to change them. Nevertheless the implications were serious, and at least the public were warned about the risks of not resetting their passcode. But has the security surrounding voicemail improved in the meantime? Our industry behaves as if a PIN is all that is needed to protect voicemail. This ignores the rising tide of account takeover frauds, where criminals use all sorts of methods to gain access to, and control of, various telecoms and online services. Voicemail can be a gateway for account takeover, and security engineer Martin Vigo recently illustrated the vulnerability of voicemail by explaining how he wrote a software program which uses brute force to determine a 4-digit voicemail PIN in just a few minutes. He then showed how gaining control of somebody’s voicemail allowed him to take control of their WhatsApp and PayPal accounts, just two of the many services which incorporate automated voice calls into procedures to validate the user’s identity.
To begin with, Vigo showed how his software can try many combinations of possible PIN codes in a very short space of time. His task is made easier because:
- telcos create ‘backdoors’ to their voicemail systems so there is no need to disturb the user by calling their actual phone;
- VOIP software allows many calls to be programmed and executed cheaply in a short space of time; and
- many potential PINs can be checked during the same call by concatenating them into a single long string of characters.
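The three points above are also a checklist of what a voicemail platform should be counting. The following is an added example, not code from the original post or from Vigo's tooling, of a server-side PIN guard that counts failures per mailbox across every access path (the subscriber's own line and the remote-access number alike), locks the mailbox after a threshold within a time window, and treats a single DTMF entry longer than one PIN as a failure rather than parsing it as several guesses. Class names, thresholds, the sample PIN and the call sequence are all constructed for the illustration.

```python
"""Added example: per-mailbox throttling for a voicemail PIN prompt.
Not the original post's or Martin Vigo's code; names, thresholds and the
sample data below are constructed for illustration."""
from collections import defaultdict

PIN_LENGTH = 4
MAX_FAILURES = 5          # lock the mailbox after this many failures ...
WINDOW_SECONDS = 3600     # ... within this window, across all access paths
LOCKOUT_SECONDS = 1800


class VoicemailPinGuard:
    def __init__(self, pins):
        self._pins = dict(pins)                 # mailbox -> PIN (constructed data)
        self._failures = defaultdict(list)      # mailbox -> failure timestamps
        self._locked_until = {}                 # mailbox -> unlock time

    def attempt(self, mailbox, dtmf, now, access_path):
        """Return (outcome, reason); outcome is 'ok', 'denied' or 'locked'.
        access_path ('direct' or 'remote') is logged but never changes the
        decision: a remote-access number gets no separate failure budget."""
        if now < self._locked_until.get(mailbox, 0):
            return "locked", "mailbox locked"
        # More digits than one PIN in a single entry means someone is trying to
        # pack several guesses into one call: count it as a failure, don't parse.
        if len(dtmf) != PIN_LENGTH or not dtmf.isdigit():
            return self._fail(mailbox, now, f"malformed entry via {access_path}")
        if dtmf == self._pins.get(mailbox):
            self._failures[mailbox].clear()
            return "ok", "authenticated"
        return self._fail(mailbox, now, f"wrong PIN via {access_path}")

    def _fail(self, mailbox, now, reason):
        recent = [t for t in self._failures[mailbox] if now - t < WINDOW_SECONDS]
        recent.append(now)
        self._failures[mailbox] = recent
        if len(recent) >= MAX_FAILURES:
            self._locked_until[mailbox] = now + LOCKOUT_SECONDS
            return "locked", f"{reason}; lockout triggered"
        return "denied", reason


def simulate():
    """Constructed call sequence: guesses arrive over both access paths, one
    entry carries two PINs at once, and the real PIN is entered during and
    after the lockout. Returns the list of outcomes."""
    guard = VoicemailPinGuard({"+15551230000": "1234"})
    calls = [
        (0, "0000", "remote"),
        (1, "0001", "direct"),
        (2, "00020003", "remote"),     # two guesses concatenated: rejected whole
        (3, "0004", "direct"),
        (4, "0005", "remote"),         # fifth failure inside the window: lock
        (5, "1234", "direct"),         # correct PIN, but the mailbox is locked
        (4 + LOCKOUT_SECONDS, "1234", "direct"),
    ]
    return [guard.attempt("+15551230000", d, t, p)[0] for t, d, p in calls]


if __name__ == "__main__":
    print(simulate())
```

The essential design choice is that the failure counter belongs to the mailbox, not to the calling number or the access path; otherwise each ‘backdoor’ route becomes a fresh budget of guesses.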
The following video shows Vigo cracking a voicemail PIN in just two minutes.
Then Vigo demonstrated how easy it is to take control of WhatsApp if you have already accessed a user’s voicemail. You simply request the WhatsApp verification code be communicated as a voice call, knowing it will be saved to voicemail. This video demonstrates how the hack is executed in practice.
Some organizations apply a more sophisticated security technique where a human user is expected to press a button on their keypad before a security code is played for them. The idea is that this will prevent the security information being recorded as voicemail. But the reality is that the system is just waiting to hear a DTMF tone matching its expectations, so it can be tricked by changing the voicemail greeting to a recording of DTMF tones! The following video shows Vigo using this technique to obtain access to PayPal.
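The weakness described above is that the expected tone is fixed, so a recording can satisfy it. The following added example, which is not code from the original post or from any service named in it, puts the fixed ‘press 1’ design beside a hardened variant that announces a freshly chosen digit on each call and releases the code only if exactly one press arrives, after the prompt has finished, and it matches that digit. Class names, the prompt text and the press timings are constructed for the illustration; `secrets` is the Python standard library module.

```python
"""Added example: a fixed-digit prompt versus a per-call challenge digit for
voice-delivered verification codes. Not the original post's or any named
service's code; names and sample inputs are constructed."""
import secrets

PROMPT = "Press {digit} to hear your verification code."


class FixedPromptVerifier:
    """Weak design: the same digit is expected on every call, so any greeting
    that happens to play that tone satisfies the check."""
    EXPECTED = "1"

    def release_code(self, presses):
        # presses: list of (digit, seconds since call start)
        return any(digit == self.EXPECTED for digit, _ in presses)


class ChallengePromptVerifier:
    """Hardened variant: a fresh digit per call, exactly one press, and that
    press must arrive after the prompt has finished playing."""

    def __init__(self, rng=secrets.randbelow):
        self._rng = rng     # injectable so the behaviour can be tested deterministically

    def start_call(self):
        digit = str(self._rng(10))
        return digit, PROMPT.format(digit=digit)

    def release_code(self, challenge, presses, prompt_end_s):
        if len(presses) != 1:
            return False        # a greeting cycling through all ten digits trips this
        digit, at = presses[0]
        if at < prompt_end_s:
            return False        # a tone heard before the prompt ended was not a response
        return digit == challenge


def compare(presses, prompt_end_s=3.0):
    """Run the same constructed caller input through both designs and return
    (fixed_released, challenge_released). The challenge digit is pinned to 7
    here only so the comparison is reproducible."""
    fixed = FixedPromptVerifier().release_code(presses)
    verifier = ChallengePromptVerifier(rng=lambda n: 7)
    challenge, _prompt = verifier.start_call()
    return fixed, verifier.release_code(challenge, presses, prompt_end_s)


if __name__ == "__main__":
    print(compare([("1", 0.5)]))                     # a static greeting playing '1'
    print(compare([("7", 4.0)]))                     # a person answering the prompt
```

A random digit does not make the voicemail path safe on its own; it reduces a static greeting to a one-in-ten guess per call, which only helps if the verification service also limits how many voice calls it will place for the same account.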
The security implications are enormous. For example, Vigo points out that Netflix, Instagram, eBay and LinkedIn all permit passwords to be reset using automated voice calls, whilst Apple, Google, Microsoft and Yahoo offer automated voice calls as one of the factors in two-factor authentication.
Voice revenues may be declining but telcos will continue offering voicemail services for many years to come. Just because revenues are falling does not mean the security risks are declining. On the contrary, increased reliance on phones as a means of verifying a person’s identity means the consequences for hacked voicemail are probably greater now than they have ever been before. Martin Vigo’s work deserves respect. All interested parties – telcos, online service providers and consumers – should consider acting upon his recommendations. You can read Vigo’s overview of his voicemail hacking experiments here, and the slides of his presentation at the DEF CON 26 hacker convention are available here.