SlideShare a Scribd company logo

Compromising online accounts by cracking voicemail systems

Priyanka Aash
Priyanka Aash

"Voicemail systems have been with us since the 80s. They played a big role in the earlier hacking scene and re-reading those e-zines, articles and tutorials paints an interesting picture. Not much has changed. Not in the technology nor in the attack vectors. Can we leverage the last 30 years innovations to further compromise voicemail systems? And what is the real impact today of pwning these? In this talk I will cover voicemail systems, it's security and how we can use oldskool techniques and new ones on top of current technology to compromise them. I will discuss the broader impact of gaining unauthorized access to voicemail systems today and introduce a new tool that automates the process."

Technology
1 of 48
Download to read offline
Compromising online services by cracking voicemail systems Martin Vigo @martin_vigo | martinvigo.com
Martin Vigo Product Security Lead From Galicia, Spain Research | Scuba | Gin tonics @martin_vigo - martinvigo.com Amstrad CPC 6128 Captured while playing “La Abadía del crímen”
History
Year 1983 “Voice Mail” patent is granted
History: hacking voicemail systems • When? • In the 80s • What? • Mostly unused boxes that were part of business or cellular phone systems • Why? • As an alternative to BSS • Used as a "home base" for communication • Provided a safe phone number for phreaks to give out to one another • http://audio.textfiles.com/conferences/PHREAKYBOYS
How? back to ezines
Hacking Answering Machines 1990 by Predat0r “There is also the old "change the message" secret to make it say something to the effect of this line accepts all toll charges so you can bill third party calls to that number”
Hacking Telephone Answering Machines by Doctor Pizz and Cybersperm “You can just enter all 2-digit combinations until you get the right one” … “A more sophisticated and fast way to do this is to take advantage of the fact that such machines typically do not read two numbers at a time, and discard them, but just look for the correct sequence”
Hacking AT&T Answering Machines Quick and Dirty by oleBuzzard “Quickly Enter the following string: 1234567898765432135792468642973147419336699 4488552277539596372582838491817161511026203 040506070809001 (this is the shortest string for entering every possible 2-digit combo.)”
A Tutorial of Aspen Voice Mailbox Systems, by Slycath “Defaults For ASPEN Are:   (E.G. Box is 888) …. Use Normal Hacking Techniques:   -------------------------------   i.e.   1111     |   |/   9999   1234   4321”
Voicemail security in the 80s • Default passwords • Common passwords • Bruteforceable passwords • Efficient bruteforcing sending multiple passwords at once • The greeting message is an attack vector
Voicemail security today checklist time!
Voicemail security today Default passwords • Common passwords • Bruteforceable passwords • Efficient bruteforcing by entering multiple passwords at once • The greeting message is an attack vector • AT&T • 111111 • T-Mobile • Last four digits of the phone number • Sprint • Last 7 digit of the phone number • Verizon • Last 4 digits of the phone number • According to verizon.com/support/ smallbusiness/phone/ setupphone.htm
Voicemail security today Default passwords Common passwords • Bruteforceable passwords • Efficient bruteforcing by entering multiple passwords at once • The greeting message is an attack vector 2012 Research study by Data Genetics http://www.datagenetics.com/blog/september32012
Voicemail security today Default passwords Common passwords Bruteforceable passwords • Efficient bruteforcing by entering multiple passwords at once • The greeting message is an attack vector • AT&T • 4 to 10 digits • T-Mobile • 4 to 7 digits • Sprint • 4 to 10 digits • Verizon • 4 to 6 digits
Voicemail security today Default passwords Common passwords Bruteforceable passwords Efficient bruteforcing by entering multiple passwords at once • The greeting message is an attack vector • Can try 3 pins at a time • Without waiting for prompt or error message
voicemailcracker.py bruteforcing voicemails fast, cheap, easy, efficiently and undetected
voicemailcracker.py • Fast • Uses Twilio’s services to make hundreds of calls at a time • Cheap • Entire 4 digits keyspace for $40 • A 50% chance of correctly guessing a 4 digit PIN for $5 • Check 1000 phone numbers for default PIN for $13 • Easy • Fully automated • Configured with specific payloads for major carriers • Efficient • Optimizes bruteforcing • Tries multiple PINs in the same call • Uses existing research to prioritize default PINs, common PINs, patterns, etc.
Undetected
Straight to voicemail • Multiple calls at the same time • It’s how slydial service works in reality • Call when phone is offline • OSINT • Airplane, movie theater, remote trip, Do Not Disturb • HLR Records • Queryable global GSM database • Provides mobile device information including connection status • Use backdoor voicemail numbers • No need to dial victim’s number! • AT&T: 408-307-5049 • Verizon: 301-802-6245 • T-Mobile: 805-637-7243 • Sprint: 513-225-6245
voicemailcracker.py • Fast • Uses Twilio’s services to make hundreds of calls at a time • Cheap • All 4 digits keyspace under $10 • Easy • Enter victim’s phone number and wait for the PIN • Configured with specific payloads for major carriers • Efficient • Optimizes bruteforcing • Tries multiple PINs in the same call • Uses existing research to prioritize default PINs, common PINs, patterns, etc. • Undetected • Supports backdoor voicemail numbers
Demo bruteforcing voicemail systems with voicemailcracker.py
Impact so what?
What happens if you don’t pick up?
Voicemail takes the call and records it!
Attack vector 1. Bruteforce voicemail system, ideally using backdoor numbers 2. Ensure calls go straight to voicemail (call flooding, OSINT, HLR records) 3. Start password reset process using “call me” feature 4. Listen to the recorded message containing the secret code 5. Profit! voicemailcracker.py can do all this for you!
Demo compromising WhatsApp
We done? Not yet…
User interaction based protection Please press any key to hear the code… Please press [ARANDOMKEY] to hear the code… Please enter the code…
Can we beat this currently recommended protection?
Hint
Another hint Default passwords Common passwords Bruteforceable passwords Efficient bruteforcing by entering multiple passwords at once • The greeting message is an attack vector
We can record DTMF tones as the greeting message!
Attack vector 1. Bruteforce voicemail system, ideally using backdoor numbers 2. Update greeting message according to the account to be hacked 3. Ensure calls go straight to voicemail (call flooding, OSINT, HLR records) 4. Start password reset process using “call me” feature 5. Listen to the recorded message containing the secret code 6. Profit! voicemailcracker.py can do all this for you!
Demo compromising Paypal
Vulnerable services small subset
Password reset
2FA
Verification
Open source
voicemailcracker.py limited edition • Support for 1 carrier only • No bruteforcing • Change greeting message with specially crafted payloads • Retrieve messages containing the secret temp codes Git repo: https://github.com/martinvigo
Recommendations
Recommendations for online services • Don’t use automated calls (or SMS) for security purposes • If not possible, detect answering machine and fail • Require user interaction before giving the secret • with the hope that carriers ban DTMF tones from greeting messages
Recommendations for carriers • Voicemail disabled by default • and can only be activated from the actual phone or online • No default PIN • Don’t allow common PINs • Detect abuse and bruteforce attempts • Don’t process multiple PINs at once • Eliminate backdoor voicemail services • or don’t allow access to login prompt from them
Recommendations for you • Disable voicemail • or use longest possible, random PIN • Don’t provide phone number to online services unless strictly required • Use only 2FA apps
TL;DR Automated phone calls are a common solution for password reset, 2FA and verification services. These can be compromised by leveraging old weaknesses and current technology to exploit the weakest link, voicemail systems Strong password policy 2FA enforced A+ in OWASP Top 10 checklist Abuse/Bruteforce prevention Password reset | 2FA | Verification over phone call Military grade crypto end to end Lots of cyber
THANK YOU! @martin_vigo martinvigo.com martinvigo@gmail.com linkedin.com/in/martinvigo github.com/martinvigo youtube.com/martinvigo

Recommended

VoIP Security 101 what you need to know
VoIP Security 101 what you need to knowVoIP Security 101 what you need to know
VoIP Security 101 what you need to knowEric Klein
 
Protect your IPPBX against VOIP attacks
Protect your IPPBX against VOIP attacksProtect your IPPBX against VOIP attacks
Protect your IPPBX against VOIP attacksRohan Fernandes
 
Information Security - A Discussion
Information Security - A DiscussionInformation Security - A Discussion
Information Security - A DiscussionKaushik Patra
 
How to hack a telecom and stay alive
How to hack a telecom and stay aliveHow to hack a telecom and stay alive
How to hack a telecom and stay aliveqqlan
 
Compromising online accounts by cracking voicemail systems
Compromising online accounts by cracking voicemail systemsCompromising online accounts by cracking voicemail systems
Compromising online accounts by cracking voicemail systemsMartin Vigo
 
Personal Internet Security Practice
Personal Internet Security PracticePersonal Internet Security Practice
Personal Internet Security PracticeBrian Pichman
 
Cyber Security Seminar
Cyber Security SeminarCyber Security Seminar
Cyber Security SeminarJeremy Quadri
 
Personal Data Security in a Digital World
Personal Data Security in a Digital WorldPersonal Data Security in a Digital World
Personal Data Security in a Digital Worldalxdvs
 

Recommended

VoIP Security 101 what you need to know
VoIP Security 101 what you need to knowVoIP Security 101 what you need to know
VoIP Security 101 what you need to knowEric Klein
 
Protect your IPPBX against VOIP attacks
Protect your IPPBX against VOIP attacksProtect your IPPBX against VOIP attacks
Protect your IPPBX against VOIP attacksRohan Fernandes
 
Information Security - A Discussion
Information Security - A DiscussionInformation Security - A Discussion
Information Security - A DiscussionKaushik Patra
 
How to hack a telecom and stay alive
How to hack a telecom and stay aliveHow to hack a telecom and stay alive
How to hack a telecom and stay aliveqqlan
 
Compromising online accounts by cracking voicemail systems
Compromising online accounts by cracking voicemail systemsCompromising online accounts by cracking voicemail systems
Compromising online accounts by cracking voicemail systemsMartin Vigo
 
Personal Internet Security Practice
Personal Internet Security PracticePersonal Internet Security Practice
Personal Internet Security PracticeBrian Pichman
 
Cyber Security Seminar
Cyber Security SeminarCyber Security Seminar
Cyber Security SeminarJeremy Quadri
 
Personal Data Security in a Digital World
Personal Data Security in a Digital WorldPersonal Data Security in a Digital World
Personal Data Security in a Digital Worldalxdvs
 
Wfh security risks - Ed Adams, President, Security Innovation
Wfh security risks - Ed Adams, President, Security InnovationWfh security risks - Ed Adams, President, Security Innovation
Wfh security risks - Ed Adams, President, Security InnovationPriyanka Aash
 
SpeakInPrivate Phones - Introduction
SpeakInPrivate Phones - Introduction SpeakInPrivate Phones - Introduction
SpeakInPrivate Phones - Introduction Speakinprivate
 
Number one-issue-voip-today-fraud
Number one-issue-voip-today-fraudNumber one-issue-voip-today-fraud
Number one-issue-voip-today-fraudFlavio Eduardo de Andrade Goncalves
 
eSecurity! Keeping your Business and Customers Safe
eSecurity! Keeping your Business and Customers SafeeSecurity! Keeping your Business and Customers Safe
eSecurity! Keeping your Business and Customers SafeAVG Technologies AU
 
Security Best Practices for Regular Users
Security Best Practices for Regular UsersSecurity Best Practices for Regular Users
Security Best Practices for Regular UsersSecurity Innovation
 
Security best practices for regular users
Security best practices for regular usersSecurity best practices for regular users
Security best practices for regular usersGeoffrey Vaughan
 
Seven Simple Steps to Online Security
Seven Simple Steps to Online SecuritySeven Simple Steps to Online Security
Seven Simple Steps to Online SecurityConn Ó Muíneacháin
 
Digital security for Sri Lankan activists
Digital security for Sri Lankan activistsDigital security for Sri Lankan activists
Digital security for Sri Lankan activistsSanjana Hattotuwa
 
205-5-6-Security Seminar - Master
205-5-6-Security Seminar - Master205-5-6-Security Seminar - Master
205-5-6-Security Seminar - MasterDan Tervo
 
SANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
SANSFIRE18: War Stories on Using Automated Threat Intelligence for DefenseSANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
SANSFIRE18: War Stories on Using Automated Threat Intelligence for DefenseJohn Bambenek
 
How to Protect Against TDOS Attacks
How to Protect Against TDOS AttacksHow to Protect Against TDOS Attacks
How to Protect Against TDOS AttacksAlan Percy
 
How to Protect Against TDOS Attacks
How to Protect Against TDOS AttacksHow to Protect Against TDOS Attacks
How to Protect Against TDOS AttacksTelcoBridges Inc.
 
Workshop on Cyber security and investigation
Workshop on Cyber security and investigationWorkshop on Cyber security and investigation
Workshop on Cyber security and investigationMehedi Hasan
 
Eisfor marketing research
Eisfor marketing researchEisfor marketing research
Eisfor marketing researchFinbarr Ring
 
Eisfor marketing research
Eisfor marketing researchEisfor marketing research
Eisfor marketing researchFinbarr Ring
 
Password Cracking
Password CrackingPassword Cracking
Password CrackingSagar Verma
 
Crontab Cyber Security session 4
Crontab Cyber Security session 4Crontab Cyber Security session 4
Crontab Cyber Security session 4gpioa
 
Harbin clinic iot-mobile-no-vid
Harbin clinic iot-mobile-no-vidHarbin clinic iot-mobile-no-vid
Harbin clinic iot-mobile-no-vidErnest Staats
 
Internet security
Internet securityInternet security
Internet securityAntony Mathew
 
Cyber security
Cyber securityCyber security
Cyber securityshachibattar
 
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsPriyanka Aash
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfPriyanka Aash
 

More Related Content

Similar to Compromising online accounts by cracking voicemail systems

Wfh security risks - Ed Adams, President, Security Innovation
Wfh security risks - Ed Adams, President, Security InnovationWfh security risks - Ed Adams, President, Security Innovation
Wfh security risks - Ed Adams, President, Security InnovationPriyanka Aash
 
SpeakInPrivate Phones - Introduction
SpeakInPrivate Phones - Introduction SpeakInPrivate Phones - Introduction
SpeakInPrivate Phones - Introduction Speakinprivate
 
eSecurity! Keeping your Business and Customers Safe
eSecurity! Keeping your Business and Customers SafeeSecurity! Keeping your Business and Customers Safe
eSecurity! Keeping your Business and Customers SafeAVG Technologies AU
 
Security Best Practices for Regular Users
Security Best Practices for Regular UsersSecurity Best Practices for Regular Users
Security Best Practices for Regular UsersSecurity Innovation
 
Security best practices for regular users
Security best practices for regular usersSecurity best practices for regular users
Security best practices for regular usersGeoffrey Vaughan
 
Seven Simple Steps to Online Security
Seven Simple Steps to Online SecuritySeven Simple Steps to Online Security
Seven Simple Steps to Online SecurityConn Ó Muíneacháin
 
Digital security for Sri Lankan activists
Digital security for Sri Lankan activistsDigital security for Sri Lankan activists
Digital security for Sri Lankan activistsSanjana Hattotuwa
 
205-5-6-Security Seminar - Master
205-5-6-Security Seminar - Master205-5-6-Security Seminar - Master
205-5-6-Security Seminar - MasterDan Tervo
 
SANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
SANSFIRE18: War Stories on Using Automated Threat Intelligence for DefenseSANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
SANSFIRE18: War Stories on Using Automated Threat Intelligence for DefenseJohn Bambenek
 
How to Protect Against TDOS Attacks
How to Protect Against TDOS AttacksHow to Protect Against TDOS Attacks
How to Protect Against TDOS AttacksAlan Percy
 
How to Protect Against TDOS Attacks
How to Protect Against TDOS AttacksHow to Protect Against TDOS Attacks
How to Protect Against TDOS AttacksTelcoBridges Inc.
 
Workshop on Cyber security and investigation
Workshop on Cyber security and investigationWorkshop on Cyber security and investigation
Workshop on Cyber security and investigationMehedi Hasan
 
Eisfor marketing research
Eisfor marketing researchEisfor marketing research
Eisfor marketing researchFinbarr Ring
 
Eisfor marketing research
Eisfor marketing researchEisfor marketing research
Eisfor marketing researchFinbarr Ring
 
Password Cracking
Password CrackingPassword Cracking
Password CrackingSagar Verma
 
Crontab Cyber Security session 4
Crontab Cyber Security session 4Crontab Cyber Security session 4
Crontab Cyber Security session 4gpioa
 
Harbin clinic iot-mobile-no-vid
Harbin clinic iot-mobile-no-vidHarbin clinic iot-mobile-no-vid
Harbin clinic iot-mobile-no-vidErnest Staats
 

Similar to Compromising online accounts by cracking voicemail systems (20)

Wfh security risks - Ed Adams, President, Security Innovation
Wfh security risks - Ed Adams, President, Security InnovationWfh security risks - Ed Adams, President, Security Innovation
Wfh security risks - Ed Adams, President, Security Innovation
 
SpeakInPrivate Phones - Introduction
SpeakInPrivate Phones - Introduction SpeakInPrivate Phones - Introduction
SpeakInPrivate Phones - Introduction
 
Number one-issue-voip-today-fraud
Number one-issue-voip-today-fraudNumber one-issue-voip-today-fraud
Number one-issue-voip-today-fraud
 
eSecurity! Keeping your Business and Customers Safe
eSecurity! Keeping your Business and Customers SafeeSecurity! Keeping your Business and Customers Safe
eSecurity! Keeping your Business and Customers Safe
 
Security Best Practices for Regular Users
Security Best Practices for Regular UsersSecurity Best Practices for Regular Users
Security Best Practices for Regular Users
 
Security best practices for regular users
Security best practices for regular usersSecurity best practices for regular users
Security best practices for regular users
 
Seven Simple Steps to Online Security
Seven Simple Steps to Online SecuritySeven Simple Steps to Online Security
Seven Simple Steps to Online Security
 
Digital security for Sri Lankan activists
Digital security for Sri Lankan activistsDigital security for Sri Lankan activists
Digital security for Sri Lankan activists
 
205-5-6-Security Seminar - Master
205-5-6-Security Seminar - Master205-5-6-Security Seminar - Master
205-5-6-Security Seminar - Master
 
SANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
SANSFIRE18: War Stories on Using Automated Threat Intelligence for DefenseSANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
SANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
 
How to Protect Against TDOS Attacks
How to Protect Against TDOS AttacksHow to Protect Against TDOS Attacks
How to Protect Against TDOS Attacks
 
How to Protect Against TDOS Attacks
How to Protect Against TDOS AttacksHow to Protect Against TDOS Attacks
How to Protect Against TDOS Attacks
 
Workshop on Cyber security and investigation
Workshop on Cyber security and investigationWorkshop on Cyber security and investigation
Workshop on Cyber security and investigation
 
Eisfor marketing research
Eisfor marketing researchEisfor marketing research
Eisfor marketing research
 
Eisfor marketing research
Eisfor marketing researchEisfor marketing research
Eisfor marketing research
 
Password Cracking
Password CrackingPassword Cracking
Password Cracking
 
Crontab Cyber Security session 4
Crontab Cyber Security session 4Crontab Cyber Security session 4
Crontab Cyber Security session 4
 
Harbin clinic iot-mobile-no-vid
Harbin clinic iot-mobile-no-vidHarbin clinic iot-mobile-no-vid
Harbin clinic iot-mobile-no-vid
 
Internet security
Internet securityInternet security
Internet security
 
Cyber security
Cyber securityCyber security
Cyber security
 

More from Priyanka Aash

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsPriyanka Aash
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfPriyanka Aash
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfPriyanka Aash
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfPriyanka Aash
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfPriyanka Aash
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfPriyanka Aash
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfPriyanka Aash
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdfPriyanka Aash
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfPriyanka Aash
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfPriyanka Aash
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfPriyanka Aash
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldPriyanka Aash
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksPriyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Priyanka Aash
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsPriyanka Aash
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security GovernancePriyanka Aash
 

More from Priyanka Aash (20)

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdf
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdf
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdf
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdf
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
 
DPDP Act 2023.pdf
DPDP Act 2023.pdfDPDP Act 2023.pdf
DPDP Act 2023.pdf
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdf
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdf
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdf
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdf
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 Battlefield
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware Attacks
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 

Recently uploaded

Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfjimielynbastida
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 

Recently uploaded (20)

Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdf
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 

Compromising online accounts by cracking voicemail systems

  • 1. Compromising online services by cracking voicemail systems Martin Vigo @martin_vigo | martinvigo.com
  • 2. Martin Vigo Product Security Lead From Galicia, Spain Research | Scuba | Gin tonics @martin_vigo - martinvigo.com Amstrad CPC 6128 Captured while playing “La Abadía del crímen”
  • 4. Year 1983 “Voice Mail” patent is granted
  • 5. History: hacking voicemail systems • When? • In the 80s • What? • Mostly unused boxes that were part of business or cellular phone systems • Why? • As an alternative to BSS • Used as a "home base" for communication • Provided a safe phone number for phreaks to give out to one another • http://audio.textfiles.com/conferences/PHREAKYBOYS
  • 7. Hacking Answering Machines 1990 by Predat0r “There is also the old "change the message" secret to make it say something to the effect of this line accepts all toll charges so you can bill third party calls to that number”
  • 8. Hacking Telephone Answering Machines by Doctor Pizz and Cybersperm “You can just enter all 2-digit combinations until you get the right one” … “A more sophisticated and fast way to do this is to take advantage of the fact that such machines typically do not read two numbers at a time, and discard them, but just look for the correct sequence”
  • 9. Hacking AT&T Answering Machines Quick and Dirty by oleBuzzard “Quickly Enter the following string: 1234567898765432135792468642973147419336699 4488552277539596372582838491817161511026203 040506070809001 (this is the shortest string for entering every possible 2-digit combo.)”
  • 10. A Tutorial of Aspen Voice Mailbox Systems, by Slycath “Defaults For ASPEN Are:   (E.G. Box is 888) …. Use Normal Hacking Techniques:   -------------------------------   i.e.   1111     |   |/   9999   1234   4321”
  • 11. Voicemail security in the 80s • Default passwords • Common passwords • Bruteforceable passwords • Efficient bruteforcing sending multiple passwords at once • The greeting message is an attack vector
  • 13. Voicemail security today Default passwords • Common passwords • Bruteforceable passwords • Efficient bruteforcing by entering multiple passwords at once • The greeting message is an attack vector • AT&T • 111111 • T-Mobile • Last four digits of the phone number • Sprint • Last 7 digit of the phone number • Verizon • Last 4 digits of the phone number • According to verizon.com/support/ smallbusiness/phone/ setupphone.htm
  • 14. Voicemail security today Default passwords Common passwords • Bruteforceable passwords • Efficient bruteforcing by entering multiple passwords at once • The greeting message is an attack vector 2012 Research study by Data Genetics http://www.datagenetics.com/blog/september32012
  • 15. Voicemail security today Default passwords Common passwords Bruteforceable passwords • Efficient bruteforcing by entering multiple passwords at once • The greeting message is an attack vector • AT&T • 4 to 10 digits • T-Mobile • 4 to 7 digits • Sprint • 4 to 10 digits • Verizon • 4 to 6 digits
  • 16. Voicemail security today Default passwords Common passwords Bruteforceable passwords Efficient bruteforcing by entering multiple passwords at once • The greeting message is an attack vector • Can try 3 pins at a time • Without waiting for prompt or error message
  • 17. voicemailcracker.py bruteforcing voicemails fast, cheap, easy, efficiently and undetected
  • 18. voicemailcracker.py • Fast • Uses Twilio’s services to make hundreds of calls at a time • Cheap • Entire 4 digits keyspace for $40 • A 50% chance of correctly guessing a 4 digit PIN for $5 • Check 1000 phone numbers for default PIN for $13 • Easy • Fully automated • Configured with specific payloads for major carriers • Efficient • Optimizes bruteforcing • Tries multiple PINs in the same call • Uses existing research to prioritize default PINs, common PINs, patterns, etc.
  • 20. Straight to voicemail • Multiple calls at the same time • It’s how slydial service works in reality • Call when phone is offline • OSINT • Airplane, movie theater, remote trip, Do Not Disturb • HLR Records • Queryable global GSM database • Provides mobile device information including connection status • Use backdoor voicemail numbers • No need to dial victim’s number! • AT&T: 408-307-5049 • Verizon: 301-802-6245 • T-Mobile: 805-637-7243 • Sprint: 513-225-6245
  • 21. voicemailcracker.py • Fast • Uses Twilio’s services to make hundreds of calls at a time • Cheap • All 4 digits keyspace under $10 • Easy • Enter victim’s phone number and wait for the PIN • Configured with specific payloads for major carriers • Efficient • Optimizes bruteforcing • Tries multiple PINs in the same call • Uses existing research to prioritize default PINs, common PINs, patterns, etc. • Undetected • Supports backdoor voicemail numbers
  • 22. Demo bruteforcing voicemail systems with voicemailcracker.py
  • 24.
  • 25. What happens if you don’t pick up?
  • 26. Voicemail takes the call and records it!
  • 27. Attack vector 1. Bruteforce voicemail system, ideally using backdoor numbers 2. Ensure calls go straight to voicemail (call flooding, OSINT, HLR records) 3. Start password reset process using “call me” feature 4. Listen to the recorded message containing the secret code 5. Profit! voicemailcracker.py can do all this for you!
  • 29. We done? Not yet…
  • 30. User interaction based protection Please press any key to hear the code… Please press [ARANDOMKEY] to hear the code… Please enter the code…
  • 31. Can we beat this currently recommended protection?
  • 32. Hint
  • 33. Another hint Default passwords Common passwords Bruteforceable passwords Efficient bruteforcing by entering multiple passwords at once • The greeting message is an attack vector
  • 34. We can record DTMF tones as the greeting message!
  • 35. Attack vector 1. Bruteforce voicemail system, ideally using backdoor numbers 2. Update greeting message according to the account to be hacked 3. Ensure calls go straight to voicemail (call flooding, OSINT, HLR records) 4. Start password reset process using “call me” feature 5. Listen to the recorded message containing the secret code 6. Profit! voicemailcracker.py can do all this for you!
  • 39. 2FA
  • 42. voicemailcracker.py limited edition • Support for 1 carrier only • No bruteforcing • Change greeting message with specially crafted payloads • Retrieve messages containing the secret temp codes Git repo: https://github.com/martinvigo
  • 44. Recommendations for online services • Don’t use automated calls (or SMS) for security purposes • If not possible, detect answering machine and fail • Require user interaction before giving the secret • with the hope that carriers ban DTMF tones from greeting messages
  • 45. Recommendations for carriers • Voicemail disabled by default • and can only be activated from the actual phone or online • No default PIN • Don’t allow common PINs • Detect abuse and bruteforce attempts • Don’t process multiple PINs at once • Eliminate backdoor voicemail services • or don’t allow access to login prompt from them
  • 46. Recommendations for you • Disable voicemail • or use longest possible, random PIN • Don’t provide phone number to online services unless strictly required • Use only 2FA apps
  • 47. TL;DR Automated phone calls are a common solution for password reset, 2FA and verification services. These can be compromised by leveraging old weaknesses and current technology to exploit the weakest link, voicemail systems Strong password policy 2FA enforced A+ in OWASP Top 10 checklist Abuse/Bruteforce prevention Password reset | 2FA | Verification over phone call Military grade crypto end to end Lots of cyber