How to hack voicemail

A recording will reveal the secret code and you can finish resetting your password. The recording will play the secret code, the voicemail will store the message, and the attacker now has access to it. In this demo I will show how I compromise WhatsApp by abusing the verification process over phone call. WhatsApp allows you to verify that you own the phone number you claim to own by receiving an SMS with a code and entering it in the app, or by receiving the same code over a phone call after waiting for a minute.

This is in case for some reason you are not able to receive SMS. That is what I take advantage of in this demo. It gives you a URL to the recording so you can hear the code and complete the verification process. While most online services work like WhatsApp, I found some that are aware of this problem and implement a protection mechanism that requires you to perform an action when you receive the call before hearing the secret code.

I found that it comes in three flavors. In all three cases, it is expected that the user interacts with the keypad before the code is revealed. This means that if the voicemail picks up the call, nobody can press any key and therefore the code will not be revealed and recorded as a message.

Our goal is now to bypass this protection. Indeed, hackers understand the technologies they like in detail, and that helps tremendously in their thought process. I mention this because while I was trying to figure out ways to bypass the user interaction protection, I took advantage of the hacker way of doing things, and thought about how the technology I was trying to hack worked under the hood.

I explained to you the user interaction based protection as a security layer in which the automated call is waiting for the user to press a key in order to reveal the code. But this is not exactly true. In reality, the system is not waiting for the user to physically press the keypad; it is waiting for the DTMF tones that a key press produces. Looking at it this way was key to finding a bypass. We know that we need to somehow trigger DTMF tones when the automated call is picked up by the voicemail, but how can we do that? I realized that the bypass to the protection is recording DTMF tones as the greeting message!

The first thing that the voicemail will do when it takes the call is play the greeting message, and the automated call expects DTMF tones to be played after the call is picked up. It works like a charm! PayPal implemented the protection in an interesting way. As soon as you do that, the UI will update and you will be prompted to enter a new password.

This demo shows how you can use voicemailcracker to update the greeting message with DTMF tones corresponding to the code that PayPal displays and take over the account. I showed you a systematic problem with relying on automated calls to protect sensitive actions. But what services are vulnerable to this?

During my talk, I showed a small subset of online services I considered popular or critical due to the impact. It has always been a surprise to me that media, articles and discussions around SMS focus solely on 2FA when it is being used for password reset as well. Same for phone calls. PayPal, Netflix, Instagram, eBay and LinkedIn are just a few of the online services that support password reset over automated phone call.

The Reddit hack is still recent and reminded us of what we have been talking about for the last 5 years. SMS is insecure. But automated calls are as well and delivering 2FA temp codes over the phone should be deprecated.

They only require that you prove ownership of the SIM card. The registration process happens over SMS but can also be done over phone call. WhatsApp and Signal are examples of it and both are vulnerable to the voicemail attack vector. But verification over phone call is not just implemented on mobile apps; there are other services that use SIM card ownership verification to offer other types of services.

Twilio allows you to own a Caller ID if you prove you own it. Google Voice requires that virtual phones are linked to real numbers. Again, an attacker can abuse the explained vulnerabilities to acquire multiple virtual numbers and use them for scamming or other malicious purposes. When we talk about consent, we usually think about lawyers and signing papers.

Unfortunately that is not always the case. LocationSmart is a service that allows you to track a phone number if the owner provides consent. It was recently in the news due to a great article from Brian Krebs which talked about how the public demo, which allowed you to track your phone, could be manipulated to track other phones.

When I found out about this I wondered how the consent was granted. And as you can imagine, consent is provided by pressing 1 when you receive an automated phone call. Conveniently, their YouTube channel has a nice demo highlighting this. In other words, the only thing stopping someone from knowing where you are at all times is the security of your voicemail system.

While I would like to release voicemailcracker in its entirety, it would be irresponsible. I did disclose my finding responsibly to carriers and all the vulnerable services I mentioned above. Unfortunately the response was less than satisfactory and I have a feeling that there is still a long way to go before online services and especially carriers take this issue seriously.

Because voicemailcracker makes it so easy to compromise voicemails, I decided to release voicemailautomator instead. This tool is the same as voicemailcracker but I removed the option for bruteforcing and limited support for one carrier only.

This way, you will be able to test but only on your own test voicemail. I think voicemailautomator is the sweet spot between not releasing a tool for script kiddies and not releasing anything at all that could be used to verify my claims and push carriers into strengthening voicemail security.

You can download voicemailautomator from my GitHub repo. As mentioned above, I contacted all mentioned online services and the four major US carriers with all the details of this investigation months ago. Sprint did not reach out to me at all as of this writing even though I was promised by several IT people that my report had been escalated to the appropriate teams. Most of the online services decided that this was an issue they could not fix or was a tradeoff between usability and security.

Only eBay took action and removed the option to reset passwords over phone calls immediately. Twilio also worked with me and we had a meeting to discuss options. The point of me spending time researching these issues is that I want carriers to take voicemail security seriously.

If you don't change default passwords on your voicemail accounts, you or your company could be in for an expensive surprise. There are hackers who know how to compromise voicemail systems to accept and make international collect calls without your knowledge or permission.

A hacker calls into a voicemail system searching for mailboxes that still have the default passwords active or have passwords with easily-guessed combinations, such as " The hacker then places a collect call to the number. When the operator hears the outgoing message, the collect call is connected. The hacker can then use the connection for long periods of time to make other international calls. In another version of this scam, a hacker breaks into a voicemail system's call forwarding feature, programs the system to forward calls to an international number, then uses it to make calls.

Set up your account with correct information. Enter the number you want to call after opening the app on your phone.

Use the optional voice changer if need be. Record the call if you choose. Press the "Place Call" button. Tips: SpoofApp is available for Android, iPhone, and BlackBerry devices, but has been banned by some of the app markets. You can still download it! If you cannot download SpoofApp from the Android Market, just click on this link to go directly to the download page on their website. You can also click here or just type in the URL m.


