Transcription
Compromising online services by cracking voicemail systems
Martin Vigo
@martin_vigo - martinvigo.com

Martin Vigo
Product Security Lead
From Galicia, Spain
Research, Scuba, Gin tonics
@martin_vigo - martinvigo.com

History: back to ezines
“You can just enter all 2-digit combinations until you get the right one”
“A more sophisticated and fast way to do this is to take advantage of the fact that such machines typically do not read two numbers at a time, and discard them, but just look for the correct sequence”
Hacking Telephone Answering Machines, by Doctor Pizz and Cybersperm

“Quickly Enter the following 70809001 (this is the shortest string for entering every possible 2-digit combo.)”
Hacking AT&T Answering Machines Quick and Dirty, by oleBuzzard

“Defaults For ASPEN Are: (E.G. Box is 888).
Use Normal Hacking Techniques:
------------------------------
i.e. 1111 \ / 9999 1234 4321”
A Tutorial of Aspen Voice Mailbox Systems, by Slycath

“There is also the old "change the message" secret to make it say something to the effect of this line accepts all toll charges so you can bill third party calls to that number”
Hacking Answering Machines 1990, by Predat0r
Voicemail security in the ‘80s
- Default passwords
- Common passwords
- Bruteforceable passwords
- Efficient bruteforcing by sending multiple passwords at once
- The greeting message is an attack vector
Voicemail security today: checklist time!

Voicemail security today
- Default passwords
- Common passwords
- Bruteforceable passwords
- Efficient bruteforcing by entering multiple passwords at once
- The greeting message is an attack vector

Default passwords, per carrier:
- AT&T: last 7 digits of the phone number
- T-Mobile: last 4 digits of the phone number
- Sprint: 111111
- Verizon: last 4 digits of the phone number

Common passwords: 2012 research study by Data 3

Bruteforceable passwords, PIN length per carrier:
- AT&T: 4 to 10 digits
- T-Mobile: 4 to 7 digits
- Sprint: 4 to 10 digits
- Verizon: 4 to 6 digits

Efficient bruteforcing by entering multiple passwords at once: you can try multiple PINs at a time (0000#1111#2222#) without waiting for the prompt or error messages
voicemailcracker.py: bruteforcing voicemails fast, cheap, easy, efficiently and undetected

voicemailcracker.py
- Fast: uses Twilio’s APIs to make hundreds of calls at a time
- Cheap: entire 4 digit keyspace for $40; a 50% chance of correctly guessing a 4 digit PIN for $5; check 1000 phone numbers for the default PIN for $13
- Easy: fully automated; configured with specific payloads for major carriers
- Efficient: optimizes bruteforcing; tries multiple PINs in the same call; uses existing research to prioritize default PINs, common PINs, patterns, etc.

Undetected
- Straight to voicemail: multiple calls at the same time (it’s how the slydial service works in reality)
- Call when the phone is offline: OSINT (airplane, movie theater, remote trip, Do Not Disturb); HLR database (queryable global GSM database, provides mobile device information including connection status)
- Use backdoor voicemail numbers: no need to dial the victim’s number! AT&T: 408-307-5049, Verizon: 301-802-6245, T-Mobile: 805-637-7243, Sprint: 513-225-6245

voicemailcracker.py
- Fast: uses Twilio’s services to make hundreds of calls at a time
- Cheap: all of the 4 digit keyspace under $10
- Easy: enter the victim’s phone number and wait for the PIN; configured with specific payloads for major carriers
- Efficient: optimizes bruteforcing; tries multiple PINs in the same call; uses existing research to prioritize default PINs, common PINs, patterns, etc.
- Undetected: supports backdoor voicemail numbers
Demo: bruteforcing voicemail systems with voicemailcracker.py

Impact: so what?
What happens if you don’t pick up?
Voicemail takes the call and records it!
Attack vector
1. Bruteforce voicemail system, ideally using backdoor numbers
2. Ensure calls go straight to voicemail (call flooding, OSINT, HLR)
3. Start password reset process using “Call me” feature
4. Listen to the recorded message containing the secret code
5. Profit!
voicemailcracker.py can do all this automatically

Demo: compromising WhatsApp
We done? Not yet
User interaction based protection
- Please press any key to hear the code
- Please press [A RANDOM KEY] to hear the code
- Please enter the code

Can we beat this recommended protection?
Hint
Another hint
- Default passwords
- Common passwords
- Bruteforceable passwords
- Efficient bruteforcing by entering multiple passwords at once
- The greeting message is an attack vector

We can record DTMF tones as the greeting message!

Attack vector
1. Bruteforce voicemail system, ideally using backdoor numbers
2. Update greeting message according to the account to be hacked
3. Ensure calls go straight to voicemail (call flooding, OSINT, HLR)
4. Start password reset process using “Call me” feature
5. Listen to the recorded message containing the secret code
6. Profit!
voicemailcracker.py can do all this automatically

Demo: compromising Paypal

Vulnerable services (small subset)
Password reset
2FA
Verification
Consent
Open source
voicemailautomator.py
- No bruteforcing
- Support for 1 carrier only
- Change greeting message with specially crafted payloads
- Retrieve messages containing the secret temp codes
Git repo: github.com/martinvigo/voicemailautomator
Recommendations
Recommendations for online services
- Don’t use automated calls for security purposes, nor SMS (check out my recent BSidesLV talk: “Ransombile, yet another reason to ditch SMS”)
- If not possible, detect answering machines and fail
- Require user interaction before providing the secret, with the hope that carriers ban DTMF tones from greeting messages
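The DTMF ban this recommendation hopes for is something a carrier can enforce at upload time. The following is an added example, not code from the talk or from any carrier: a Goertzel-based detector that scans a greeting recording for DTMF key tones and rejects the upload if any are present. The 8 kHz float sample format, frame size, energy threshold and the synthesized test greeting are assumptions.

```python
import math

# Standard DTMF frequency pairs (Hz): each key is one low "row" tone plus one high "column" tone.
ROW_FREQS = (697, 770, 852, 941)
COL_FREQS = (1209, 1336, 1477, 1633)
KEYPAD = ("123A", "456B", "789C", "*0#D")
RATE = 8000  # assumption: telephony audio, 8 kHz mono, samples as floats in [-1, 1]

def goertzel_ratio(block, freq):
    """Share of the block's energy sitting at one target frequency (Goertzel algorithm), 0..~0.5."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / RATE)
    s1 = s2 = 0.0
    for x in block:
        s1, s2 = x + coeff * s1 - s2, s1
    power = s1 * s1 + s2 * s2 - coeff * s1 * s2
    energy = sum(x * x for x in block) or 1.0  # silent block: avoid dividing by zero
    return power / (len(block) * energy)

def detect_dtmf(samples, frame=205, threshold=0.1):
    """Return the DTMF keys present in the audio, one per contiguous tone burst (e.g. "15")."""
    keys, last = [], None
    for start in range(0, len(samples) - frame + 1, frame):
        block = samples[start:start + frame]
        rows = [goertzel_ratio(block, f) for f in ROW_FREQS]
        cols = [goertzel_ratio(block, f) for f in COL_FREQS]
        r, c = rows.index(max(rows)), cols.index(max(cols))
        key = KEYPAD[r][c] if rows[r] > threshold and cols[c] > threshold else None
        if key and key != last:
            keys.append(key)
        last = key
    return "".join(keys)

def greeting_is_allowed(samples):
    """Carrier-side upload check: a greeting that carries any DTMF key is rejected."""
    return detect_dtmf(samples) == ""

def synth_greeting(keys, tone_ms=80, gap_ms=60, amp=0.5):
    """Constructed sample audio (not a real recording): DTMF bursts separated by silence."""
    out = [0.0] * (RATE // 10)  # leading silence
    for k in keys:
        r = next(i for i, row in enumerate(KEYPAD) if k in row)
        c = KEYPAD[r].index(k)
        for n in range(RATE * tone_ms // 1000):
            t = n / RATE
            out.append(amp * (math.sin(2 * math.pi * ROW_FREQS[r] * t)
                              + math.sin(2 * math.pi * COL_FREQS[c] * t)))
        out.extend([0.0] * (RATE * gap_ms // 1000))
    return out
```

A real deployment would decode the uploaded file to PCM first and also flag tones that merely approach the DTMF bands, since the attack only needs the service's IVR to accept the audio as a keypress.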
Recommendations for carriers
- Ban DTMF tones from greeting messages
- Eliminate backdoor voicemail services, or don’t allow access to the login prompt from them
- Voicemail disabled by default; it can only be activated from the actual phone or online
- No default PIN
- Don’t allow common PINs
- Detect abuse and bruteforce attempts
- Don’t process multiple PINs at once
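Four of these items (no default PIN, no common PINs, one PIN per call, lockout on repeated failures) as an added example, not code from the talk or from any carrier's voicemail platform. The minimum PIN length, lockout threshold, the short common-PIN list and the mailbox data are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

MIN_PIN_LENGTH = 6      # assumption: policy values, not any carrier's real settings
MAX_FAILED_CALLS = 5
COMMON_PINS = {"1234", "0000", "1111", "111111", "123456", "654321", "121212"}  # constructed list

def pin_is_acceptable(pin, phone_number):
    """Reject the weak PINs the slides list: number-derived defaults, repeats, sequences, common PINs."""
    number = re.sub(r"\D", "", phone_number)
    if not pin.isdigit() or len(pin) < MIN_PIN_LENGTH:
        return False
    if pin in COMMON_PINS or len(set(pin)) == 1:   # 111111 and other single-digit repeats
        return False
    if pin in number:                              # last 4 / last 7 digits of the subscriber's number
        return False
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return not (steps <= {1} or steps <= {-1})     # ascending or descending runs like 123456

class VoicemailLogin:
    """Login prompt that reads exactly one PIN per call and locks the mailbox after repeated failures."""

    def __init__(self, pins):
        self.pins = pins                 # mailbox -> PIN, constructed sample data
        self.failures = defaultdict(int)
        self.locked = set()

    def attempt(self, mailbox, keypresses):
        """keypresses is the raw DTMF string from one call, e.g. '0000#1111#2222#'."""
        if mailbox in self.locked:
            return "locked"
        entered, _, rest = keypresses.partition("#")
        # Only the digits before the first '#' are ever compared; anything after it means the
        # caller stacked several PINs into one call, which is treated as a failed, abusive attempt.
        if not rest and entered == self.pins.get(mailbox):
            self.failures[mailbox] = 0
            return "ok"
        self.failures[mailbox] += 1
        if self.failures[mailbox] >= MAX_FAILED_CALLS:
            self.locked.add(mailbox)
            return "locked"
        return "denied"
```

Counting one failure per call, regardless of how many PINs were stacked, is what removes the efficiency gain the talk relies on; the lockout then bounds the total guesses an attacker gets.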
Recommendations for you
- Disable voicemail or use the longest possible, random PIN
- Don’t provide your phone number to online services unless required or it’s the only way to get 2FA; use a virtual number to prevent OSINT and SIM swapping
- Use 2FA apps only

TL;DR
Automated phone calls are a common solution for password reset, 2FA and verification services. These can be compromised by leveraging old weaknesses and current technology to exploit the weakest link: voicemail systems.
Service checklist: strong password policy; 2FA enforced; abuse/bruteforce prevention; A in OWASP Top 10 checklist; military grade crypto end to end; lots of cyber
Weakest link: password reset, 2FA, verification, consent over phone call

THANK YOU!
@martin_vigo