LEIPZIG, GERMANY – Voicemail systems are vulnerable to compromise via brute-force attacks against the four-digit personal identification numbers (PINs) that protect them. Researchers say a malicious user can thus access the voicemail system to then take over online accounts for services like WhatsApp, PayPal, LinkedIn and Netflix.
Martin Vigo, a mobile security expert who presented his research here on Thursday at 35C3, warns that PINs that protect voicemail systems are far easier to crack than traditional passwords are a weak link that can lead to hacked-account results.
“Automated phone calls are a common solution for password resets, account verification and other services,” Vigo said. “These can be compromised by leveraging old weaknesses and current technology to exploit this weakest link – voicemail systems.”
Inspired by early pioneers of phone phreaking, Vigo applied some of the same techniques to modern day voicemail hacking. Once compromised, the researcher said, a motivated attacker can simply listen to automated password reset messages sent by online services. Compromised voicemail systems can also be set up to play dual-tone multi frequency (DTMF) tones if password-reset systems require users to input a PIN.
To help assist Vigo in the voicemail account compromise, Vigo wrote an automated script that can brute-force crack most four-digit PINs used by voicemail systems without the phone’s owner ever knowing. He released code (minus the brute-force PIN cracking feature) to GitHub called Voicemailcracker.py, to help further research in this area.
In the demo on stage at the conference, Vigo showed how the system can work with the brute-force feature turned on and demonstrated how he was able to gain access to WhatsApp, PayPal and LinkedIn. Each of the services have since updated their PIN verification system to prevent similar attacks, he said.
“Voicemailcracker uses Twilio, a VOIP service that allows you to programmatically manage phone calls. Voicemailcracker then launches hundreds of phone calls at the same time to interact with voicemail systems and bruteforce the PIN – all without the target’s knowledge of the attack,” he said.
The researcher discussed other means of launching attacks without the user’s knowledge such as carrying out the assault when the user is on a plane or using backdoor access to a users voicemail system that doesn’t require calling the target directly.
The researcher said he has contacted vulnerable online services and telecom providers and made them aware of the weakness.
He advises consumers not to use easy-to-guess PIN numbers, such as birth year or simple number patterns. For online services, he recommends them not use automated calls for security purposes. And he recommends carriers not allow users to use DTMF tones for greetings and to ban users from using easy-to-guess PINs.