AT&T cell voicemail vulnerability STILL exists?

September 23rd, 2008

Decided to screw around with my AT&T voicemail service today; our local GSM carrier, Edge Wireless, was recently acquired by AT&T, and the time came to swap SIM cards and set up voicemail on the new system.

Noticed a voicemail option (enabled by default) allowing you to skip password entry if calling from your mobile — of course, my interest was in breaking into voicemail boxes with this option enabled. You see, I manage telephone systems with PRI (ISDN Primary Rate Interface) connections, and can very easily spoof my Calling Party Number (Caller ID).

I’ve heard of this issue before, and I’ve toyed around with doing this with other telephone services that “authenticate” based on CID before, too. I just cannot believe that this security vulnerability STILL exists – it’s been widely known for over 2 years!

Fudging caller ID is extremely easy. Most carriers will let PRI customers do it (we use it for forwarding calls with the original caller ID info intact, and for calling from our call center numbers). Many VoIP companies let their customers do it (for the same reasons). There are even services that take advantage of this and will allow you to visit a web site and enter a CID to call from, number to call to, and your telephone number – then bridge the call for you.

With regard to AT&T’s voicemail system, I can simply set my Caller ID to that of my victim and call the number, and hope it rolls to voicemail, but getting a call from yourself might arouse suspicion. Even better, I can just call the voicemail service center number. This is the number that the provider call-forwards busy/no answer/unavailable calls to; it can be viewed from most phones, and you can reach it from the PSTN (our local area’s service center number is 5037030985).

The iPhone uses a completely different voicemail system (to support the visual voicemail), and the service center number for regular VM users doesn’t seem to support login for iPhone users. However, I’ve tested with a couple of iPhone users here, and calling the user’s phone directly and going to voicemail still allows this vulnerability to be exploited.

I had hoped that this feature had at least used ANI for identification purposes, but sometimes ANI’s not much better; one of my carriers has a misconfigured switch which sends whatever I stuff as the Caller ID field as my ANI — I’ve even told them about it, but they don’t seem to care. After all, it could be handy for “calling from a home phone” to toll-free credit card activation services, making harassing telephone calls to toll-free operators, or screwing with your E-911 operator. Yes, we arranged a test call with 911, and the calltaker saw the address of the telephone number I forged.

The short story? Enable your voicemail password if you haven’t already. Call your mailbox, and if it doesn’t ask for your password, select Personal Options, Administrative Options, Password, and Turn Password On. Do it now, it only takes a minute. Go on, do it.

Seriously, I’ll wait.

You done?

Good.

Now, if you desire, call AT&T and complain. I’ve done it already, as have many other people, and it hasn’t helped — yet. But the more people who make them aware of this glaring security vulnerability that is a DEFAULT SETTING, the better.
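
For anyone running a voicemail platform, here is the password-skip decision described above next to a stricter one, plus an audit over call records. This is an added example, not AT&T's logic or code from the original post: the `Call` fields, the ingress labels and the sample calls are hypothetical, and it assumes the platform can see which trunk group a call arrived on.

```python
from dataclasses import dataclass

ON_NET, OFF_NET = "on_net_mobile", "pstn_trunk"  # hypothetical ingress labels

@dataclass(frozen=True)
class Call:
    mailbox: str      # mailbox being opened
    claimed_cpn: str  # Calling Party Number as signalled; caller-settable on PRI/VoIP
    ani: str          # ANI as received; the post notes this can be wrong too
    ingress: str      # assumed to be set by the receiving switch from the trunk group

def skip_pin_as_described(call, password_on):
    """Model of the default the post describes: a matching caller ID skips the PIN."""
    return not password_on and call.claimed_cpn == call.mailbox

def skip_pin_hardened(call, password_on):
    """Skip the PIN only when the call arrived on-net and both numbers match."""
    return (not password_on
            and call.ingress == ON_NET
            and call.claimed_cpn == call.ani == call.mailbox)

def audit(calls, password_on):
    """Calls let in without a PIN by the described default but challenged when hardened."""
    return [c for c in calls
            if skip_pin_as_described(c, password_on[c.mailbox])
            and not skip_pin_hardened(c, password_on[c.mailbox])]

# Constructed sample data (fictional 555-01xx numbers).
ALICE, BOB, OFFICE = "+15035550101", "+15035550102", "+15035550199"
PASSWORD_ON = {ALICE: False, BOB: True}
CALLS = [
    Call(ALICE, ALICE, ALICE, ON_NET),     # owner on her own handset
    Call(ALICE, ALICE, OFFICE, OFF_NET),   # owner's number claimed on a PSTN trunk
    Call(ALICE, ALICE, ALICE, OFF_NET),    # same, over a trunk that passes ANI unverified
    Call(BOB, BOB, OFFICE, OFF_NET),       # password enabled: challenged either way
    Call(ALICE, OFFICE, OFFICE, OFF_NET),  # ordinary caller leaving a message
]

if __name__ == "__main__":
    for c in audit(CALLS, PASSWORD_ON):
        print("PIN-less login from off-net ingress:", c)
```

Turning the password on for every mailbox empties the audit result, which is the same fix as the menu steps above.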
