20.5k unique visitors in the last 3 days

The Vulnerability of Voicemail

Security engineer Martin Vigo has shown how quick and easy it is to hack anybody's voicemail. That access can then be used to take control of WhatsApp, PayPal and more.

Several years ago the UK was gripped by a scandal where the voicemails of celebrities and other individuals were hacked by newspaper journalists who flouted privacy laws to obtain source material for their stories. Describing the violations as ‘hacking’ made the journalists seem more sophisticated than they were; mostly they used default passcodes because so many people fail to change them. Nevertheless the implications were serious, and at least the public were warned about the risks of not resetting their passcode. But has the security surrounding voicemail improved in the meantime? Our industry behaves as if a PIN is all that is needed to protect voicemail. This ignores the rising tide of account takeover frauds, where criminals use all sorts of methods to gain access and control to various telecoms and online services. Voicemail can be a gateway for account takeover, and security engineer Martin Vigo recently illustrated the vulnerability of voicemail by explaining how he wrote a software program which uses brute force to determine a 4-digit voicemail PIN in just a few minutes. He then showed how gaining control of somebody’s voicemail allowed him to take control of their WhatsApp and PayPal accounts, just two of the many services which incorporate automated voice calls into procedures to validate the user’s identity.

To begin with, Vigo showed how his software can try many combinations of possible PIN codes in a very short space of time. His task is made easier because:

  • telcos create ‘backdoors’ to their voicemail systems so there is no need to disturb the user by calling their actual phone;
  • VOIP software allows many calls to be programmed and executed cheaply in a short space of time; and
  • many potential PINs can be checked during the same call by concatenating them into a single long string of characters.

The following video shows Vigo cracking a voicemail PIN in just two minutes.

Then Vigo demonstrated how easy it is to take control of WhatsApp if you have already accessed a user’s voicemail. You simply request the WhatsApp verification code be communicated as a voice call, knowing it will be saved to voicemail. This video demonstrates how the hack is executed in practice.

https://www.youtube.com/watch?v=-n2NCc5TnCE

Some organizations apply a more sophisticated security technique where a human user is expected to press a button on their keypad before a security code is played for them. The idea is that this will prevent the security info being recorded as voicemail. But the reality is that the system is just waiting to hear a DTMF tone matching its expectations, so can be tricked by changing the voicemail greeting to a recording of DTMF tones! The following video shows Vigo using this technique to obtain access to PayPal.

The security implications are enormous. For example, Vigo points out that Netflix, Instagram, Ebay and LinkedIn all permit passwords to be reset using automated voice calls whilst Apple, Google, Microsoft and Yahoo offer automated voice calls as one of the factors in two-factor authentication.

Voice revenues may be declining but telcos will continue offering voicemail services for many years to come. Just because revenues are falling does not mean the security risks are declining. On the contrary, increased reliance on phones as a means of verifying a person’s identity means the consequences for hacked voicemail are probably greater now than they have ever been before. Martin Vigo’s work deserves respect. All interested parties – telcos, online service providers and consumers – should consider acting upon his recommendations. You can read Vigo’s overview of his voicemail hacking experiments here, and the slides of his presentation at the DEF CON 26 hacker convention are available here.

Eric Priezkalns
Eric Priezkalnshttp://revenueprotect.com

During his career, Eric has been a Director of Risk Management for a national telco, the Chief Executive of the Risk & Assurance Group, a Chief Marketing Officer for a software business, a consultant, a public speaker and the publisher of Commsrisk since its launch in 2006. Look here for more about the history of Commsrisk and the role played by Eric.

The comms providers that Eric has worked for include Qatar Telecom, Cable & Wireless, T‑Mobile, Sky and Worldcom. In addition to his proficiency at speaking about the current scamdemic, Eric is also a qualified chartered accountant and a subject matter expert in consumer protection, enterprise risk management, fraud prevention, data integrity and billing accuracy. Eric was the lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He can be reached through the contact form on this website.

Related Articles

The Commsrisk Global Fraud Dashboard


Our Global Fraud Dashboard uses AI-powered search to collate, update and visualize data about scams and other network abuses from around the world. New charts are added each month. See it here.

Get Our Weekly Newsletter by Email