SlideShare a Scribd company logo

Compromising online accounts by cracking voicemail systems

Priyanka Aash
Priyanka Aash

"Voicemail systems have been with us since the 80s. They played a big role in the earlier hacking scene and re-reading those e-zines, articles and tutorials paints an interesting picture. Not much has changed. Not in the technology nor in the attack vectors. Can we leverage the last 30 years innovations to further compromise voicemail systems? And what is the real impact today of pwning these? In this talk I will cover voicemail systems, it's security and how we can use oldskool techniques and new ones on top of current technology to compromise them. I will discuss the broader impact of gaining unauthorized access to voicemail systems today and introduce a new tool that automates the process."

Technology
1 of 48
Download to read offline
Compromising online services by cracking voicemail systems Martin Vigo @martin_vigo | martinvigo.com
Martin Vigo Product Security Lead From Galicia, Spain Research | Scuba | Gin tonics @martin_vigo - martinvigo.com Amstrad CPC 6128 Captured while playing “La Abadía del crímen”
History
Year 1983 “Voice Mail” patent is granted
History: hacking voicemail systems • When? • In the 80s • What? • Mostly unused boxes that were part of business or cellular phone systems • Why? • As an alternative to BSS • Used as a "home base" for communication • Provided a safe phone number for phreaks to give out to one another • http://audio.textfiles.com/conferences/PHREAKYBOYS
How? back to ezines
Hacking Answering Machines 1990 by Predat0r “There is also the old "change the message" secret to make it say something to the effect of this line accepts all toll charges so you can bill third party calls to that number”
Hacking Telephone Answering Machines by Doctor Pizz and Cybersperm “You can just enter all 2-digit combinations until you get the right one” … “A more sophisticated and fast way to do this is to take advantage of the fact that such machines typically do not read two numbers at a time, and discard them, but just look for the correct sequence”
Hacking AT&T Answering Machines Quick and Dirty by oleBuzzard “Quickly Enter the following string: 1234567898765432135792468642973147419336699 4488552277539596372582838491817161511026203 040506070809001 (this is the shortest string for entering every possible 2-digit combo.)”
A Tutorial of Aspen Voice Mailbox Systems, by Slycath “Defaults For ASPEN Are:   (E.G. Box is 888) …. Use Normal Hacking Techniques:   -------------------------------   i.e.   1111     |   |/   9999   1234   4321”
Voicemail security in the 80s • Default passwords • Common passwords • Bruteforceable passwords • Efficient bruteforcing sending multiple passwords at once • The greeting message is an attack vector
Voicemail security today checklist time!
Voicemail security today Default passwords • Common passwords • Bruteforceable passwords • Efficient bruteforcing by entering multiple passwords at once • The greeting message is an attack vector • AT&T • 111111 • T-Mobile • Last four digits of the phone number • Sprint • Last 7 digit of the phone number • Verizon • Last 4 digits of the phone number • According to verizon.com/support/ smallbusiness/phone/ setupphone.htm
Voicemail security today Default passwords Common passwords • Bruteforceable passwords • Efficient bruteforcing by entering multiple passwords at once • The greeting message is an attack vector 2012 Research study by Data Genetics http://www.datagenetics.com/blog/september32012
Voicemail security today Default passwords Common passwords Bruteforceable passwords • Efficient bruteforcing by entering multiple passwords at once • The greeting message is an attack vector • AT&T • 4 to 10 digits • T-Mobile • 4 to 7 digits • Sprint • 4 to 10 digits • Verizon • 4 to 6 digits
Voicemail security today Default passwords Common passwords Bruteforceable passwords Efficient bruteforcing by entering multiple passwords at once • The greeting message is an attack vector • Can try 3 pins at a time • Without waiting for prompt or error message
voicemailcracker.py bruteforcing voicemails fast, cheap, easy, efficiently and undetected
voicemailcracker.py • Fast • Uses Twilio’s services to make hundreds of calls at a time • Cheap • Entire 4 digits keyspace for $40 • A 50% chance of correctly guessing a 4 digit PIN for $5 • Check 1000 phone numbers for default PIN for $13 • Easy • Fully automated • Configured with specific payloads for major carriers • Efficient • Optimizes bruteforcing • Tries multiple PINs in the same call • Uses existing research to prioritize default PINs, common PINs, patterns, etc.
Undetected
Straight to voicemail • Multiple calls at the same time • It’s how slydial service works in reality • Call when phone is offline • OSINT • Airplane, movie theater, remote trip, Do Not Disturb • HLR Records • Queryable global GSM database • Provides mobile device information including connection status • Use backdoor voicemail numbers • No need to dial victim’s number! • AT&T: 408-307-5049 • Verizon: 301-802-6245 • T-Mobile: 805-637-7243 • Sprint: 513-225-6245
voicemailcracker.py • Fast • Uses Twilio’s services to make hundreds of calls at a time • Cheap • All 4 digits keyspace under $10 • Easy • Enter victim’s phone number and wait for the PIN • Configured with specific payloads for major carriers • Efficient • Optimizes bruteforcing • Tries multiple PINs in the same call • Uses existing research to prioritize default PINs, common PINs, patterns, etc. • Undetected • Supports backdoor voicemail numbers
Demo bruteforcing voicemail systems with voicemailcracker.py
Impact so what?
What happens if you don’t pick up?
Voicemail takes the call and records it!
Attack vector 1. Bruteforce voicemail system, ideally using backdoor numbers 2. Ensure calls go straight to voicemail (call flooding, OSINT, HLR records) 3. Start password reset process using “call me” feature 4. Listen to the recorded message containing the secret code 5. Profit! voicemailcracker.py can do all this for you!
Demo compromising WhatsApp
We done? Not yet…
User interaction based protection Please press any key to hear the code… Please press [ARANDOMKEY] to hear the code… Please enter the code…
Can we beat this currently recommended protection?
Hint
Another hint Default passwords Common passwords Bruteforceable passwords Efficient bruteforcing by entering multiple passwords at once • The greeting message is an attack vector
We can record DTMF tones as the greeting message!
Attack vector 1. Bruteforce voicemail system, ideally using backdoor numbers 2. Update greeting message according to the account to be hacked 3. Ensure calls go straight to voicemail (call flooding, OSINT, HLR records) 4. Start password reset process using “call me” feature 5. Listen to the recorded message containing the secret code 6. Profit! voicemailcracker.py can do all this for you!
Demo compromising Paypal
Vulnerable services small subset
Password reset
2FA
Verification
Open source
voicemailcracker.py limited edition • Support for 1 carrier only • No bruteforcing • Change greeting message with specially crafted payloads • Retrieve messages containing the secret temp codes Git repo: https://github.com/martinvigo
Recommendations
Recommendations for online services • Don’t use automated calls (or SMS) for security purposes • If not possible, detect answering machine and fail • Require user interaction before giving the secret • with the hope that carriers ban DTMF tones from greeting messages
Recommendations for carriers • Voicemail disabled by default • and can only be activated from the actual phone or online • No default PIN • Don’t allow common PINs • Detect abuse and bruteforce attempts • Don’t process multiple PINs at once • Eliminate backdoor voicemail services • or don’t allow access to login prompt from them
Recommendations for you • Disable voicemail • or use longest possible, random PIN • Don’t provide phone number to online services unless strictly required • Use only 2FA apps
TL;DR Automated phone calls are a common solution for password reset, 2FA and verification services. These can be compromised by leveraging old weaknesses and current technology to exploit the weakest link, voicemail systems Strong password policy 2FA enforced A+ in OWASP Top 10 checklist Abuse/Bruteforce prevention Password reset | 2FA | Verification over phone call Military grade crypto end to end Lots of cyber
THANK YOU! @martin_vigo martinvigo.com martinvigo@gmail.com linkedin.com/in/martinvigo github.com/martinvigo youtube.com/martinvigo

Recommended

VoIP Security 101 what you need to know
VoIP Security 101 what you need to knowVoIP Security 101 what you need to know
VoIP Security 101 what you need to know
Eric Klein
 
Protect your IPPBX against VOIP attacks
Protect your IPPBX against VOIP attacksProtect your IPPBX against VOIP attacks
Protect your IPPBX against VOIP attacks
Rohan Fernandes
 
Information Security - A Discussion
Information Security - A DiscussionInformation Security - A Discussion
Information Security - A Discussion
Kaushik Patra
 
How to hack a telecom and stay alive
How to hack a telecom and stay aliveHow to hack a telecom and stay alive
How to hack a telecom and stay alive
qqlan
 
Compromising online accounts by cracking voicemail systems
Compromising online accounts by cracking voicemail systemsCompromising online accounts by cracking voicemail systems
Compromising online accounts by cracking voicemail systems
Martin Vigo
 
Personal Internet Security Practice
Personal Internet Security PracticePersonal Internet Security Practice
Personal Internet Security Practice
Brian Pichman
 
Cyber Security Seminar
Cyber Security SeminarCyber Security Seminar
Cyber Security Seminar
Jeremy Quadri
 
Personal Data Security in a Digital World
Personal Data Security in a Digital WorldPersonal Data Security in a Digital World
Personal Data Security in a Digital World
alxdvs
 

Recommended

VoIP Security 101 what you need to know
VoIP Security 101 what you need to knowVoIP Security 101 what you need to know
VoIP Security 101 what you need to know
Eric Klein
 
Protect your IPPBX against VOIP attacks
Protect your IPPBX against VOIP attacksProtect your IPPBX against VOIP attacks
Protect your IPPBX against VOIP attacks
Rohan Fernandes
 
Information Security - A Discussion
Information Security - A DiscussionInformation Security - A Discussion
Information Security - A Discussion
Kaushik Patra
 
How to hack a telecom and stay alive
How to hack a telecom and stay aliveHow to hack a telecom and stay alive
How to hack a telecom and stay alive
qqlan
 
Compromising online accounts by cracking voicemail systems
Compromising online accounts by cracking voicemail systemsCompromising online accounts by cracking voicemail systems
Compromising online accounts by cracking voicemail systems
Martin Vigo
 
Personal Internet Security Practice
Personal Internet Security PracticePersonal Internet Security Practice
Personal Internet Security Practice
Brian Pichman
 
Cyber Security Seminar
Cyber Security SeminarCyber Security Seminar
Cyber Security Seminar
Jeremy Quadri
 
Personal Data Security in a Digital World
Personal Data Security in a Digital WorldPersonal Data Security in a Digital World
Personal Data Security in a Digital World
alxdvs
 
Wfh security risks - Ed Adams, President, Security Innovation
Wfh security risks - Ed Adams, President, Security InnovationWfh security risks - Ed Adams, President, Security Innovation
Wfh security risks - Ed Adams, President, Security Innovation
Priyanka Aash
 
SpeakInPrivate Phones - Introduction
SpeakInPrivate Phones - Introduction SpeakInPrivate Phones - Introduction
SpeakInPrivate Phones - Introduction
Speakinprivate
 
Number one-issue-voip-today-fraud
Number one-issue-voip-today-fraudNumber one-issue-voip-today-fraud
Number one-issue-voip-today-fraud
Flavio Eduardo de Andrade Goncalves
 
eSecurity! Keeping your Business and Customers Safe
eSecurity! Keeping your Business and Customers SafeeSecurity! Keeping your Business and Customers Safe
eSecurity! Keeping your Business and Customers Safe
AVG Technologies AU
 
Security best practices for regular users
Security best practices for regular usersSecurity best practices for regular users
Security best practices for regular users
Geoffrey Vaughan
 
Security Best Practices for Regular Users
Security Best Practices for Regular UsersSecurity Best Practices for Regular Users
Security Best Practices for Regular Users
Security Innovation
 
Seven Simple Steps to Online Security
Seven Simple Steps to Online SecuritySeven Simple Steps to Online Security
Seven Simple Steps to Online Security
Conn Ó Muíneacháin
 
Digital security for Sri Lankan activists
Digital security for Sri Lankan activistsDigital security for Sri Lankan activists
Digital security for Sri Lankan activists
Sanjana Hattotuwa
 
205-5-6-Security Seminar - Master
205-5-6-Security Seminar - Master205-5-6-Security Seminar - Master
205-5-6-Security Seminar - Master
Dan Tervo
 
SANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
SANSFIRE18: War Stories on Using Automated Threat Intelligence for DefenseSANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
SANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
John Bambenek
 
How to Protect Against TDOS Attacks
How to Protect Against TDOS AttacksHow to Protect Against TDOS Attacks
How to Protect Against TDOS Attacks
Alan Percy
 
How to Protect Against TDOS Attacks
How to Protect Against TDOS AttacksHow to Protect Against TDOS Attacks
How to Protect Against TDOS Attacks
TelcoBridges Inc.
 
Workshop on Cyber security and investigation
Workshop on Cyber security and investigationWorkshop on Cyber security and investigation
Workshop on Cyber security and investigation
Mehedi Hasan
 
Eisfor marketing research
Eisfor marketing researchEisfor marketing research
Eisfor marketing research
Finbarr Ring
 
Eisfor marketing research
Eisfor marketing researchEisfor marketing research
Eisfor marketing research
Finbarr Ring
 
Password Cracking
Password CrackingPassword Cracking
Password Cracking
Sagar Verma
 
Crontab Cyber Security session 4
Crontab Cyber Security session 4Crontab Cyber Security session 4
Crontab Cyber Security session 4
gpioa
 
Harbin clinic iot-mobile-no-vid
Harbin clinic iot-mobile-no-vidHarbin clinic iot-mobile-no-vid
Harbin clinic iot-mobile-no-vid
Ernest Staats
 
Internet security
Internet securityInternet security
Internet security
Antony Mathew
 
Cyber security
Cyber securityCyber security
Cyber security
shachibattar
 
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Priyanka Aash
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdf
Priyanka Aash
 

More Related Content

Similar to Compromising online accounts by cracking voicemail systems

Wfh security risks - Ed Adams, President, Security Innovation
Wfh security risks - Ed Adams, President, Security InnovationWfh security risks - Ed Adams, President, Security Innovation
Wfh security risks - Ed Adams, President, Security Innovation
Priyanka Aash
 
205-5-6-Security Seminar - Master
205-5-6-Security Seminar - Master205-5-6-Security Seminar - Master
205-5-6-Security Seminar - Master
Dan Tervo
 
SANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
SANSFIRE18: War Stories on Using Automated Threat Intelligence for DefenseSANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
SANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
John Bambenek
 
How to Protect Against TDOS Attacks
How to Protect Against TDOS AttacksHow to Protect Against TDOS Attacks
How to Protect Against TDOS Attacks
Alan Percy
 
How to Protect Against TDOS Attacks
How to Protect Against TDOS AttacksHow to Protect Against TDOS Attacks
How to Protect Against TDOS Attacks
TelcoBridges Inc.
 
Workshop on Cyber security and investigation
Workshop on Cyber security and investigationWorkshop on Cyber security and investigation
Workshop on Cyber security and investigation
Mehedi Hasan
 

Similar to Compromising online accounts by cracking voicemail systems (20)

Wfh security risks - Ed Adams, President, Security Innovation
Wfh security risks - Ed Adams, President, Security InnovationWfh security risks - Ed Adams, President, Security Innovation
Wfh security risks - Ed Adams, President, Security Innovation
 
SpeakInPrivate Phones - Introduction
SpeakInPrivate Phones - Introduction SpeakInPrivate Phones - Introduction
SpeakInPrivate Phones - Introduction
 
Number one-issue-voip-today-fraud
Number one-issue-voip-today-fraudNumber one-issue-voip-today-fraud
Number one-issue-voip-today-fraud
 
eSecurity! Keeping your Business and Customers Safe
eSecurity! Keeping your Business and Customers SafeeSecurity! Keeping your Business and Customers Safe
eSecurity! Keeping your Business and Customers Safe
 
Security best practices for regular users
Security best practices for regular usersSecurity best practices for regular users
Security best practices for regular users
 
Security Best Practices for Regular Users
Security Best Practices for Regular UsersSecurity Best Practices for Regular Users
Security Best Practices for Regular Users
 
Seven Simple Steps to Online Security
Seven Simple Steps to Online SecuritySeven Simple Steps to Online Security
Seven Simple Steps to Online Security
 
Digital security for Sri Lankan activists
Digital security for Sri Lankan activistsDigital security for Sri Lankan activists
Digital security for Sri Lankan activists
 
205-5-6-Security Seminar - Master
205-5-6-Security Seminar - Master205-5-6-Security Seminar - Master
205-5-6-Security Seminar - Master
 
SANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
SANSFIRE18: War Stories on Using Automated Threat Intelligence for DefenseSANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
SANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
 
How to Protect Against TDOS Attacks
How to Protect Against TDOS AttacksHow to Protect Against TDOS Attacks
How to Protect Against TDOS Attacks
 
How to Protect Against TDOS Attacks
How to Protect Against TDOS AttacksHow to Protect Against TDOS Attacks
How to Protect Against TDOS Attacks
 
Workshop on Cyber security and investigation
Workshop on Cyber security and investigationWorkshop on Cyber security and investigation
Workshop on Cyber security and investigation
 
Eisfor marketing research
Eisfor marketing researchEisfor marketing research
Eisfor marketing research
 
Eisfor marketing research
Eisfor marketing researchEisfor marketing research
Eisfor marketing research
 
Password Cracking
Password CrackingPassword Cracking
Password Cracking
 
Crontab Cyber Security session 4
Crontab Cyber Security session 4Crontab Cyber Security session 4
Crontab Cyber Security session 4
 
Harbin clinic iot-mobile-no-vid
Harbin clinic iot-mobile-no-vidHarbin clinic iot-mobile-no-vid
Harbin clinic iot-mobile-no-vid
 
Internet security
Internet securityInternet security
Internet security
 
Cyber security
Cyber securityCyber security
Cyber security
 

More from Priyanka Aash

Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
Priyanka Aash
 

More from Priyanka Aash (20)

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdf
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdf
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdf
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdf
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
 
DPDP Act 2023.pdf
DPDP Act 2023.pdfDPDP Act 2023.pdf
DPDP Act 2023.pdf
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdf
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdf
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdf
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdf
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 Battlefield
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware Attacks
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 

Recently uploaded

Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Orbitshub
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Orbitshub
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
UiPathCommunity
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 

Recently uploaded (20)

Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDM
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Modernizing Legacy Systems Using Ballerina
Modernizing Legacy Systems Using BallerinaModernizing Legacy Systems Using Ballerina
Modernizing Legacy Systems Using Ballerina
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
 
Stronger Together: Developing an Organizational Strategy for Accessible Desig...
Stronger Together: Developing an Organizational Strategy for Accessible Desig...Stronger Together: Developing an Organizational Strategy for Accessible Desig...
Stronger Together: Developing an Organizational Strategy for Accessible Desig...
 

Compromising online accounts by cracking voicemail systems

  • 1. Compromising online services by cracking voicemail systems Martin Vigo @martin_vigo | martinvigo.com
  • 2. Martin Vigo Product Security Lead From Galicia, Spain Research | Scuba | Gin tonics @martin_vigo - martinvigo.com Amstrad CPC 6128 Captured while playing “La Abadía del crímen”
  • 4. Year 1983 “Voice Mail” patent is granted
  • 5. History: hacking voicemail systems • When? • In the 80s • What? • Mostly unused boxes that were part of business or cellular phone systems • Why? • As an alternative to BSS • Used as a "home base" for communication • Provided a safe phone number for phreaks to give out to one another • http://audio.textfiles.com/conferences/PHREAKYBOYS
  • 7. Hacking Answering Machines 1990 by Predat0r “There is also the old "change the message" secret to make it say something to the effect of this line accepts all toll charges so you can bill third party calls to that number”
  • 8. Hacking Telephone Answering Machines by Doctor Pizz and Cybersperm “You can just enter all 2-digit combinations until you get the right one” … “A more sophisticated and fast way to do this is to take advantage of the fact that such machines typically do not read two numbers at a time, and discard them, but just look for the correct sequence”
  • 9. Hacking AT&T Answering Machines Quick and Dirty by oleBuzzard “Quickly Enter the following string: 1234567898765432135792468642973147419336699 4488552277539596372582838491817161511026203 040506070809001 (this is the shortest string for entering every possible 2-digit combo.)”
  • 10. A Tutorial of Aspen Voice Mailbox Systems, by Slycath “Defaults For ASPEN Are:   (E.G. Box is 888) …. Use Normal Hacking Techniques:   -------------------------------   i.e.   1111     |   |/   9999   1234   4321”
  • 11. Voicemail security in the 80s • Default passwords • Common passwords • Bruteforceable passwords • Efficient bruteforcing sending multiple passwords at once • The greeting message is an attack vector
  • 13. Voicemail security today Default passwords • Common passwords • Bruteforceable passwords • Efficient bruteforcing by entering multiple passwords at once • The greeting message is an attack vector • AT&T • 111111 • T-Mobile • Last four digits of the phone number • Sprint • Last 7 digit of the phone number • Verizon • Last 4 digits of the phone number • According to verizon.com/support/ smallbusiness/phone/ setupphone.htm
  • 14. Voicemail security today Default passwords Common passwords • Bruteforceable passwords • Efficient bruteforcing by entering multiple passwords at once • The greeting message is an attack vector 2012 Research study by Data Genetics http://www.datagenetics.com/blog/september32012
  • 15. Voicemail security today Default passwords Common passwords Bruteforceable passwords • Efficient bruteforcing by entering multiple passwords at once • The greeting message is an attack vector • AT&T • 4 to 10 digits • T-Mobile • 4 to 7 digits • Sprint • 4 to 10 digits • Verizon • 4 to 6 digits
  • 16. Voicemail security today Default passwords Common passwords Bruteforceable passwords Efficient bruteforcing by entering multiple passwords at once • The greeting message is an attack vector • Can try 3 pins at a time • Without waiting for prompt or error message
  • 17. voicemailcracker.py bruteforcing voicemails fast, cheap, easy, efficiently and undetected
  • 18. voicemailcracker.py • Fast • Uses Twilio’s services to make hundreds of calls at a time • Cheap • Entire 4 digits keyspace for $40 • A 50% chance of correctly guessing a 4 digit PIN for $5 • Check 1000 phone numbers for default PIN for $13 • Easy • Fully automated • Configured with specific payloads for major carriers • Efficient • Optimizes bruteforcing • Tries multiple PINs in the same call • Uses existing research to prioritize default PINs, common PINs, patterns, etc.
  • 20. Straight to voicemail • Multiple calls at the same time • It’s how slydial service works in reality • Call when phone is offline • OSINT • Airplane, movie theater, remote trip, Do Not Disturb • HLR Records • Queryable global GSM database • Provides mobile device information including connection status • Use backdoor voicemail numbers • No need to dial victim’s number! • AT&T: 408-307-5049 • Verizon: 301-802-6245 • T-Mobile: 805-637-7243 • Sprint: 513-225-6245
  • 21. voicemailcracker.py • Fast • Uses Twilio’s services to make hundreds of calls at a time • Cheap • All 4 digits keyspace under $10 • Easy • Enter victim’s phone number and wait for the PIN • Configured with specific payloads for major carriers • Efficient • Optimizes bruteforcing • Tries multiple PINs in the same call • Uses existing research to prioritize default PINs, common PINs, patterns, etc. • Undetected • Supports backdoor voicemail numbers
  • 22. Demo bruteforcing voicemail systems with voicemailcracker.py
  • 24.
  • 25. What happens if you don’t pick up?
  • 26. Voicemail takes the call and records it!
  • 27. Attack vector 1. Bruteforce voicemail system, ideally using backdoor numbers 2. Ensure calls go straight to voicemail (call flooding, OSINT, HLR records) 3. Start password reset process using “call me” feature 4. Listen to the recorded message containing the secret code 5. Profit! voicemailcracker.py can do all this for you!
  • 29. We done? Not yet…
  • 30. User interaction based protection Please press any key to hear the code… Please press [ARANDOMKEY] to hear the code… Please enter the code…
  • 31. Can we beat this currently recommended protection?
  • 32. Hint
  • 33. Another hint Default passwords Common passwords Bruteforceable passwords Efficient bruteforcing by entering multiple passwords at once • The greeting message is an attack vector
  • 34. We can record DTMF tones as the greeting message!
  • 35. Attack vector 1. Bruteforce voicemail system, ideally using backdoor numbers 2. Update greeting message according to the account to be hacked 3. Ensure calls go straight to voicemail (call flooding, OSINT, HLR records) 4. Start password reset process using “call me” feature 5. Listen to the recorded message containing the secret code 6. Profit! voicemailcracker.py can do all this for you!
  • 39. 2FA
  • 42. voicemailcracker.py limited edition • Support for 1 carrier only • No bruteforcing • Change greeting message with specially crafted payloads • Retrieve messages containing the secret temp codes Git repo: https://github.com/martinvigo
  • 44. Recommendations for online services • Don’t use automated calls (or SMS) for security purposes • If not possible, detect answering machine and fail • Require user interaction before giving the secret • with the hope that carriers ban DTMF tones from greeting messages
  • 45. Recommendations for carriers • Voicemail disabled by default • and can only be activated from the actual phone or online • No default PIN • Don’t allow common PINs • Detect abuse and bruteforce attempts • Don’t process multiple PINs at once • Eliminate backdoor voicemail services • or don’t allow access to login prompt from them
  • 46. Recommendations for you • Disable voicemail • or use longest possible, random PIN • Don’t provide phone number to online services unless strictly required • Use only 2FA apps
  • 47. TL;DR Automated phone calls are a common solution for password reset, 2FA and verification services. These can be compromised by leveraging old weaknesses and current technology to exploit the weakest link, voicemail systems Strong password policy 2FA enforced A+ in OWASP Top 10 checklist Abuse/Bruteforce prevention Password reset | 2FA | Verification over phone call Military grade crypto end to end Lots of cyber