
Compromising online accounts by cracking voicemail systems

I just achieved one of my career goals, giving a talk at DEF CON. What an incredible experience; I cannot thank enough the amazing people who make this con happen. My talk’s title was “Compromising online accounts by cracking voicemail systems” and I thought I would write a blog post about it for people who were not able to attend. The goal of my talk was to demonstrate that the current state of security of voicemail systems is not much better than it was 30 years ago, and to show what exactly the impact of gaining unauthorized access to a victim’s voicemail is today.

Voicemail systems have been with us for a long time and started to become popular in the ’80s. Just like with any other technology, the hackers and phreakers of the time got busy testing the security of these systems. They left us an amazing collection of articles and e-zines with valuable information about the approaches they took to hack them.

With that in mind, as in any other research, we need to start by looking into prior art.

Voicemail hacking in the ’80s

I searched for information about how voicemail systems worked and were compromised in the past. The goal was to compare the security bar to what we have today and learn their hacking techniques to check if 30 years later they still apply.

Among all the content I read, I want to quote 5 articles that summarize how weak the security was at the time:

“You can just enter all 2-digit combinations until you get the right one”

“A more sophisticated and fast way to do this is to take advantage of the fact that such machines typically do not read two numbers at a time, and discard them, but just look for the correct sequence”

Hacking Telephone Answering Machines by Doctor Pizz and Cybersperm


“Quickly Enter the following string:

12345678987654321357924686429731474193366994488552277539596372582838491817161511026203040506070809001

(this is the shortest string for entering every possible 2-digit combo.)”

Hacking AT&T Answering Machines Quick and Dirty by oleBuzzard


“Defaults For ASPEN Are:

  (E.G. Box is 888)

….

Use Normal Hacking Techniques:

  ——————————-

  i.e.

  1111  

   |

  \|/

  9999

  1234

  4321”

A Tutorial of Aspen Voice Mailbox Systems, by Slycath


“There is also the old “change the message” secret to make it say something to the effect of this line accepts all toll charges so you can bill third party calls to that number”

Hacking Answering Machines 1990 by Predat0r

Just by looking at these five articles, we can conclude that in terms of security there are several issues:

  • Default passwords
  • Common passwords
  • Bruteforceable passwords
  • Efficient bruteforcing by sending multiple passwords at once
  • The greeting message is an attack vector

While this is not ideal, it was to be expected given that computer security was pretty much non-existent in the ’80s.

Voicemail security today

Instead of a discussion, let’s take what we learned from the ’80s and run a checklist focusing on the 4 major US carriers:

Default passwords? Check

According to public documentation on their sites:

  • AT&T: 111111
  • T-Mobile: Last 4 digits of the phone number
  • Sprint: Last 7 digits of the phone number
  • Verizon: Last 4 digits of the phone number

Common passwords? Check

According to fantastic research by Data Genetics in 2012, humans have very predictable patterns when it comes to choosing a PIN. This research makes a number of interesting discoveries, but I will highlight some that are very relevant for our purpose:

  • You have around a 22% chance of guessing a 4-digit PIN by just trying the Top 20 most common. This means that you will be able to guess every 4th victim’s PIN by trying 20 of the 10k possible PINs
  • 4-digit PINs starting with 19 are very common. The reason for this is because people tend to use their birth year as a PIN
  • People do not only follow patterns for 4-digit PINs but also for 5-, 6- and longer ones.

Bruteforceable passwords? Check

  • AT&T: 4 to 10 digits
  • T-Mobile: 4 to 7 digits
  • Sprint: 4 to 10 digits
  • Verizon: 4 to 6 digits
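A carrier-side PIN policy check that turns the three findings above (default PINs, common PINs, bruteforceable lengths) into code. This is an added example, not part of the post or of voicemailcracker: the default-PIN rules are the ones listed above, the common-PIN list is the top 20 from the Data Genetics ranking the post cites, and the minimum length of 6 and the carrier keys are assumptions made for this example.

```python
import re

# Default-PIN rules as documented on the four carriers' sites (from the post above)
DEFAULT_PIN_RULES = {
    "att": lambda number: "111111",
    "tmobile": lambda number: number[-4:],
    "sprint": lambda number: number[-7:],
    "verizon": lambda number: number[-4:],
}

# Twenty most common 4-digit PINs from the Data Genetics ranking the post cites
COMMON_PINS = {
    "1234", "1111", "0000", "1212", "7777", "1004", "2000", "4444", "2222", "6969",
    "9999", "3333", "5555", "6666", "1122", "1313", "8888", "4321", "2001", "1010",
}

MIN_LENGTH = 6  # assumption for this example; the post only says "random, long and unique"


def is_sequential(pin):
    """True for runs like 1234, 4321 or 98765 (every step is +1 or -1)."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return len(pin) > 1 and (steps == {1} or steps == {-1})


def audit_voicemail_pin(pin, phone_number, carrier):
    """Return the list of reasons a voicemail PIN is weak; an empty list means it passed."""
    if not pin.isdigit():
        return ["PIN must contain digits only"]
    number = re.sub(r"\D", "", phone_number)  # keep digits only
    reasons = []
    if len(pin) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} digits")
    if pin == DEFAULT_PIN_RULES[carrier](number):
        reasons.append(f"carrier default PIN for {carrier}")
    if pin in COMMON_PINS:
        reasons.append("among the 20 most common PINs")
    if len(set(pin)) == 1:
        reasons.append("single repeated digit")
    if is_sequential(pin):
        reasons.append("sequential digits")
    if len(pin) == 4 and pin[:2] in ("19", "20"):
        reasons.append("looks like a birth year")
    if len(pin) % 2 == 0 and pin == pin[: len(pin) // 2] * 2:
        reasons.append("repeated pattern")
    if pin in number:
        reasons.append("derived from the phone number")
    return reasons
```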

Efficient bruteforcing? Check

You can try multiple PINs at a time when logging into a voicemail by simply concatenating PINs with the # symbol. For example: 0000#1111#2222#. You can do this without waiting for the prompt to finish or even for the error message.

voicemailcracker.py

With everything I learned from e-zines and after verifying those techniques on voicemail systems today, I concluded that it should be possible to crack voicemail systems if I had the right tool. That’s when I decided to write voicemailcracker, a tool that allows you to bruteforce voicemail systems fast, cheap, easy, efficiently and undetected.

fast

voicemailcracker uses Twilio, a VoIP service that allows you to programmatically manage phone calls. voicemailcracker launches hundreds of phone calls at the same time to interact with voicemail systems and bruteforce the PIN.

cheap

Bruteforcing the entire 4-digit keyspace costs less than $40. If you want to ensure a 50% chance of guessing the PIN correctly (according to the Data Genetics research), it would cost you only $5. If we want to take a different approach, you can check a thousand different voicemails for the default PIN for only $13.

easy

voicemailcracker comes with specific payloads for every major US carrier and automates everything. You only need to provide the victim’s phone number, the carrier, and the caller ID provided by Twilio; that’s all.

efficiently

voicemailcracker uses the Data Genetics research to optimize bruteforcing. It will favor common PINs, default PINs and patterns. It also tries multiple PINs at the same time to reduce the number of calls needed.

undetected

This is the most important feature. Up until now I’ve talked about making hundreds of calls simultaneously to interact with the voicemail system. But… how do you access the voicemail in the first place? You have to call the victim and wait for them not to pick up so the call forwards to voicemail. This is less than ideal because, even though call flooding the victim will make many calls go straight to voicemail, it is very noisy and the victim will most probably end up contacting the carrier to figure out what is going on.

Instead of call flooding, we can use OSINT techniques to find out when the victim has the phone disconnected. It is very common for people to share their plans on Twitter, like when they are flying, in the movie theater or going on a trip somewhere remote. The phone may also be set to Do Not Disturb overnight.

Another way I explored to monitor when a victim’s phone is offline is to take advantage of the Home Location Register (HLR). This is a global, queryable database that provides information about a cellphone. Among other things, it can tell you whether the phone is connected to a tower or not, which is exactly what we need. Truth is, though, my tests had mixed results and it wasn’t truly real-time. I had to find a better way: one in which I could always go directly to the victim’s voicemail, without any prior requirements.

Enter backdoor voicemail systems. It turns out that carriers expose services which you can dial into, provide someone’s phone number, and leave a message directly without actually calling that person. But you know what else you can do? You can dial into the service, provide the person’s phone number, press * or #, and access the voicemail login prompt!

Now we have a 100% reliable method of interacting directly with voicemail systems without having to call the victim while the phone is offline. But this is not the only advantage. During my tests with voicemailcracker, every 4th or 5th call would drop because the victim’s line would get saturated. While voicemailcracker can handle call failures and simply retries, backdoor voicemail systems are designed to be used by everyone, not just the owner of the voicemail. This means that they can take in many calls at once, to the point that I never got a single call dropped, not even while making hundreds of them simultaneously.

voicemailcracker allows you to provide a backdoor voicemail number to dial into instead of the victim’s mobile, making the attack completely undetected. You can find backdoor voicemail numbers online by simply googling for them. Still, here are some for you to try:

  • AT&T: 408-307-5049
  • T-Mobile: 805-637-7243
  • Sprint: 513-225-6245
  • Verizon: 301-802-6245

voicemailcracker demo

In this demo you will see how the tool works and how I am able to obtain the PIN of my test voicemail by trying the top 20 most common 4-digit PINs.

As you can see, the tool tries 3 PINs at a time and makes multiple calls in parallel to cover all possibilities. You may be wondering… how does the tool know when the correct PIN was found? Many think that I do some kind of audio processing to detect when the voicemail grants access, but I am way too lazy for that. Usually the easiest approach is the best solution. I noticed that when you try 3 wrong PINs, voicemail systems hang up for security purposes. This means that if I try 3 PINs and fail, the call duration will always be the same. With this in mind, I tell Twilio to wait on the line for 10 seconds right after trying the 3 PINs. If the call lasts (FAILTIME + 10) seconds, I know I logged in and got the right PIN. Easy, right? Call duration is the key!

Impact

So what? We can compromise voicemails… big deal! Probably, if you are like me, all the messages you have are from scammers and marketing campaigns. Well, this was the point of my DEF CON talk. There is much more to it. If an attacker has access to your voicemail, they may be able to compromise your email, social networks, financial services and private conversations, track you, and more…

Automated phone calls as a secure channel

You may not be as familiar with this as with SMS, but have you ever tried to reset your password and received a 6-digit code on your phone that you had to enter to complete the password reset process? It turns out that many online services allow you to receive an automated phone call instead of an SMS. A recording will reveal the secret code and you can finish resetting your password. My question to you is: what happens if you don’t pick up the phone? The voicemail system will, and the automated call can’t tell whether it was you or the voicemail that picked up. The recording will play the secret code, the voicemail will store the message, and the attacker now has access to it.

Attack vector

The attack vector is fairly straightforward:

  1. Bruteforce voicemail system, ideally using backdoor numbers
  2. Ensure calls go straight to voicemail since the online service calls the victim directly (call flooding, OSINT, HLR)
  3. Start the password reset process using “Call me” feature
  4. Listen to the recorded message containing the secret code
  5. Profit!

The best part is that voicemailcracker can help you do this automatically.

Demo – Compromising WhatsApp

In this demo I will show how I compromise WhatsApp by abusing the verification process over phone call. On the left, you see the victim’s WhatsApp running on an actual phone. On the right, you see that I am actually using an Android simulator to hijack the victim’s WhatsApp account. I don’t even need a real phone!

WhatsApp allows you to verify that you own the phone number you claim to own by receiving an SMS with a code and entering it in the app, or by receiving the same code over a phone call after waiting for a minute, in case for some reason you are not able to receive SMS. That is what I take advantage of in this demo. You will see how I use voicemailcracker with the option “message” to automatically retrieve and record the newest message in the voicemail. It gives you a URL to the recording so you can hear the code and complete the verification process.

User interaction based protection

While most online services work like WhatsApp, I found some that are aware of this problem and implement a protection mechanism that requires you to perform an action when you receive the call before hearing the secret code. I found that it comes in three flavors:

  • Please press any key to hear the code…
  • Please press [a_specific_or_random_key] to hear the code…
  • Please enter the code…

In all three cases, it is expected that the user interacts with the keypad before the code is revealed. This means that if the voicemail picks up the call, nobody can press any key and therefore the code will not be revealed and recorded as a message. Our goal is now to bypass this protection.

Understanding the technology goes a long way

A hacker can be defined in many ways and usually it includes “expert in X”. Indeed, hackers understand technologies they like to the detail and that helps tremendously in their thought process. I mention this because while I was trying to figure out ways to bypass the user interaction protection, I took advantage of the hacker way of doing things, and thought about how the technology I was trying to hack worked under the hood.

I explained the user interaction based protection to you as a security layer in which the automated call is waiting for the user to press a key in order to reveal the code. But this is not exactly true. In reality, the system is not waiting for the user to physically press the keypad. Instead, the system is waiting to “hear” a very specific DTMF tone corresponding to the key it is asking you to press. Looking at it this way was key to finding a bypass.

We know that we need to somehow trigger DTMF tones when the automated call is picked up by the voicemail, but how can we do that? If we go back to what we learned from phreakers in the ’80s, you will notice that I cheated and skipped one lesson during the checklist exercise: the greeting message is an attack vector.

I realized that the bypass to the protection is recording DTMF tones as the greeting message! The first thing that the voicemail will do when it takes the call is play the greeting message, and the automated call expects DTMF tones to be played after the call is picked up. It works like a charm!
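A check a carrier could run on uploaded greeting recordings to reject the ones that carry key tones, which is the defensive counterpart of the bypass just described. This is an added example, not code from the post or from voicemailcracker: a Goertzel-based DTMF decoder over 8 kHz PCM samples, with a constructed test signal; the frame size, thresholds and function names are assumptions made for this example.

```python
import math

SAMPLE_RATE = 8000          # telephony audio is 8 kHz
LOW_FREQS = (697, 770, 852, 941)
HIGH_FREQS = (1209, 1336, 1477, 1633)
KEYPAD = ("123A", "456B", "789C", "*0#D")   # row = low tone, column = high tone
FRAME = 205                 # samples per analysis frame (~25 ms), the usual DTMF choice


def goertzel_power(frame, freq):
    """Signal power at one frequency, via the Goertzel algorithm (cheaper than a full FFT)."""
    k = int(0.5 + len(frame) * freq / SAMPLE_RATE)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / len(frame))
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def tone(freqs, ms, amplitude=0.5):
    """Constructed audio: the given frequencies summed for `ms` milliseconds."""
    n_samples = SAMPLE_RATE * ms // 1000
    return [sum(amplitude * math.sin(2 * math.pi * f * n / SAMPLE_RATE) for f in freqs)
            for n in range(n_samples)]


def synth_dtmf(digits, tone_ms=80, gap_ms=60):
    """Constructed greeting audio: each key as its tone pair, separated by silence."""
    samples = []
    for d in digits:
        row = next(r for r, keys in enumerate(KEYPAD) if d in keys)
        samples += tone((LOW_FREQS[row], HIGH_FREQS[KEYPAD[row].index(d)]), tone_ms)
        samples += [0.0] * (SAMPLE_RATE * gap_ms // 1000)
    return samples


def decode_dtmf(samples, min_power=1.0, dominance=10.0):
    """Return the key sequence found in `samples` ('' when nothing looks like DTMF)."""
    keys, last = [], None
    for start in range(0, len(samples) - FRAME + 1, FRAME):
        frame = samples[start:start + FRAME]
        low = [goertzel_power(frame, f) for f in LOW_FREQS]
        high = [goertzel_power(frame, f) for f in HIGH_FREQS]
        r, c = low.index(max(low)), high.index(max(high))
        # A real key press has exactly one strong tone in each band; speech and silence do not
        clean = (low[r] > min_power and high[c] > min_power
                 and low[r] > dominance * (sum(low) - low[r])
                 and high[c] > dominance * (sum(high) - high[c]))
        if clean:
            key = KEYPAD[r][c]
            if key != last:          # hold the key while the same tone pair continues
                keys.append(key)
            last = key
        else:
            last = None              # silence or speech ends the current key
    return "".join(keys)


def greeting_contains_dtmf(samples):
    """Carrier-side check: reject a greeting recording that carries key tones."""
    return decode_dtmf(samples) != ""
```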

Attack vector

Our new attack vector has one additional step:

  1. Bruteforce voicemail system, ideally using backdoor numbers
  2. Modify the greeting message with DTMF payloads according to the account to be hacked
  3. Ensure calls go straight to voicemail since the online service calls the victim directly (call flooding, OSINT, HLR)
  4. Start password reset process using “Call me” feature
  5. Listen to the recorded message containing the secret code
  6. Profit!

Again, voicemailcracker can do it automatically.

Demo – Compromising Paypal

Paypal implemented the protection in an interesting way. Instead of requiring the user to press a key to hear the code, Paypal will display a 4-digit code in the UI when you initiate the password reset process, and that is the code you need to enter when you receive the call. As soon as you do that, the UI will update and you will be prompted to enter a new password. This demo shows how you can use voicemailcracker to update the greeting message with the DTMF tones corresponding to the code that Paypal displays and take over the account.

Vulnerable services

I showed you a systemic problem with relying on automated calls to protect sensitive actions. But which services are vulnerable to this? During my talk, I showed a small subset of online services I considered popular or critical due to the impact.

Password reset

It has always been a surprise to me that media, articles and discussions around SMS focus solely on 2FA when it is being used for password reset as well. If we recommend not to use SMS for 2FA, then we should definitely not use it to reset passwords. The same goes for phone calls. Paypal, Netflix, Instagram, Ebay and LinkedIn are just a few of the online services that support password reset over automated phone call.

2FA

The Reddit hack is still recent and reminded us of what we have been talking about for the last 5 years: SMS is insecure. But automated calls are as well, and delivering temporary 2FA codes over the phone should be deprecated. The big four support 2FA over phone call: Apple, Google, Microsoft and Yahoo.

Verification

Many services don’t require credentials for authentication. They only require that you prove ownership of the SIM card. The registration process happens over SMS but can also be done over a phone call. WhatsApp and Signal are examples of this, and both are vulnerable to the voicemail attack vector.

But verification over phone call is not just implemented in mobile apps; other services use SIM card ownership verification to offer other types of services. Twilio allows you to own a Caller ID if you prove you own it. An attacker could use voicemailcracker to verify the Caller ID and make calls and send SMS as if they were the victim. Google Voice requires that virtual phones are linked to real numbers. Again, an attacker can abuse the vulnerabilities explained above to acquire multiple virtual numbers and use them for scamming or other malicious purposes.

Consent

When we talk about consent, we usually think about lawyers and signing papers. Unfortunately that is not always the case. LocationSmart is a service that allows you to track a phone number if the owner provides consent. It was recently on the news due to a great article from Brian Krebs which talked about how the public demo, which allowed you to track your phone, could be manipulated to track other phones.

When I found out about this I wondered how the consent was granted. And as you can imagine, consent is provided by pressing 1 when you receive an automated phone call. Conveniently, their YouTube channel has a nice demo highlighting this. This means that an attacker who compromises your voicemail and performs the user interaction based protection bypass can track you 24/7. In other words, the only thing stopping someone from knowing where you are at all times is the security of your voicemail system.

Open source

It is important to back up claims with demos and code (POC||GTFO). While I would like to release voicemailcracker in its entirety, it would be irresponsible. I did disclose my findings responsibly to carriers and to all the vulnerable services I mentioned above. Unfortunately the response was less than satisfactory and I have a feeling that there is still a long way to go before online services and especially carriers take this issue seriously.

Because voicemailcracker makes it so easy to compromise voicemails, I decided to release voicemailautomator instead. This tool is the same as voicemailcracker but with the bruteforcing option removed and support limited to one carrier only. This way, you will be able to test, but only on your own test voicemail. I think voicemailautomator is the sweet spot between not releasing a tool for script kiddies and not releasing anything at all that could be used to verify my claims and push carriers into strengthening voicemail security.

You can download voicemailautomator from my github repo.

Recommendations

For carriers

  • Ban DTMF tones from greeting messages
  • Eliminate backdoor voicemail services or don’t allow access to login prompt from them
  • Voicemail should be disabled by default and should only be activatable from the actual phone or online
  • No default PINs or common PINs
  • Detect abuse and bruteforce attempts since no human can try 100 PINs in 10 seconds
  • Don’t process multiple PINs at once
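As an added example of the “detect abuse and bruteforce attempts” recommendation (not code from the post or from voicemailcracker), the following detection logic runs over a constructed voicemail login audit log and flags the three signals the post describes: several #-separated PINs accepted in a single call, more PINs against one mailbox than a human could enter in ten seconds, and many distinct callers reaching one mailbox through a backdoor number at the same time. The log format, field names and thresholds are assumptions for this example; a real platform would map its own records and tune the thresholds.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed record format for a voicemail platform's login audit log (not any real carrier's)
LINE_RE = re.compile(
    r"(?P<ts>\S+) mailbox=(?P<mailbox>\S+) caller=(?P<caller>\S+) "
    r"entry=(?P<entry>\S+) pins=(?P<pins>\d+) result=(?P<result>\w+)$"
)


def parse_line(line):
    """Parse one audit line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["pins"] = int(ev["pins"])
    return ev


def build_sample_log():
    """Constructed sample: one cracking burst through a backdoor number, then normal logins."""
    lines = []
    # 40 parallel calls, 3 PINs each, inside 8 seconds: the pattern the post describes
    for i in range(40):
        result = "success" if i == 39 else "fail"
        lines.append(f"2018-08-12T03:00:{i // 5:02d}Z mailbox=+15550001111 "
                     f"caller=+1408555{i:04d} entry=backdoor pins=3 result={result}")
    lines += [
        "2018-08-12T09:15:00Z mailbox=+15550002222 caller=+15550002222 entry=direct pins=1 result=success",
        "2018-08-12T09:20:00Z mailbox=+15550003333 caller=+15550003333 entry=direct pins=1 result=fail",
        "2018-08-12T09:21:00Z mailbox=+15550003333 caller=+15550003333 entry=direct pins=1 result=success",
    ]
    return lines


def detect_bruteforce(lines, window_s=10, max_pins=100, max_callers=5):
    """Return (rule, mailbox, detail) alerts, at most one per rule and mailbox."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    alerts, flagged = [], set()
    recent = defaultdict(deque)  # mailbox -> events inside the sliding window

    def alert(rule, mbox, detail):
        if (rule, mbox) not in flagged:
            flagged.add((rule, mbox))
            alerts.append((rule, mbox, detail))

    for ev in events:
        mbox = ev["mailbox"]
        if ev["pins"] > 1:  # the platform accepted several '#'-separated PINs in one call
            alert("multi_pin_call", mbox, f"{ev['pins']} PINs from {ev['caller']}")
        q = recent[mbox]
        q.append(ev)
        while ev["ts"] - q[0]["ts"] > timedelta(seconds=window_s):
            q.popleft()
        total_pins = sum(e["pins"] for e in q)
        backdoor_callers = {e["caller"] for e in q if e["entry"] == "backdoor"}
        if total_pins > max_pins:  # no human tries this many PINs in a few seconds
            alert("pin_rate", mbox, f"{total_pins} PINs within {window_s}s")
        if len(backdoor_callers) > max_callers:  # many callers hitting one mailbox in parallel
            alert("parallel_backdoor_callers", mbox, f"{len(backdoor_callers)} distinct callers")
    return alerts
```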

For online services

  • Don’t use automated calls for security purposes
  • Require user interaction before providing the secret with the hope that carriers ban DTMF tones from greeting messages

For you

  • Use a strong PIN to protect your voicemail. Random, long and unique
  • Don’t provide your phone number to online services unless required or it’s the only way to get 2FA
  • Use a virtual number to prevent OSINT and SIM swapping
  • Use app-based 2FA only if possible

Responsible disclosure

As mentioned above, I contacted all the mentioned online services and the four major US carriers with all the details of this investigation months ago. AT&T, Verizon and T-Mobile said that they would look into it, but I am still waiting for specifics as of this writing. Sprint has not reached out to me at all as of this writing, even though I was promised by several IT people that my report had been escalated to the appropriate teams.

Most online services decided that this was an issue they could not fix, or that it was a tradeoff between usability and security. Only Ebay took action and immediately removed the option to reset passwords over phone calls. Twilio also worked with me and we had a meeting to discuss options.

How to help

The reason I spent time researching these issues is that I want carriers to take voicemail security seriously. It is unacceptable that we have pretty much the same security bar as 30 years ago but with a much greater impact. You can help push carriers to look into this by sharing this blog post or any of the press articles (Mashable, The Guardian) with them on social media and demanding action.

You can find the slides of my talk in my SlideShare account. I will post the video of the talk once it becomes public.

16 comments

  1. Jerome says:

    Great presentation at DEFCON! Awesome enthusiasm, humor, and intelligence. Looking forward to your future presentations!
