Voicemail offers tons of conveniences to plenty of people but in this age of email, text messaging, and social media, is it still relevant and necessary?
It may still have its uses but according to this security researcher, your voicemail mailbox can be used for other malicious purposes. For example, resetting the passwords of all your online accounts like Google, Microsoft or Apple, perhaps? It sounds far-fetched but it’s totally possible.
Read on and see what this attack is all about and what you can do to protect yourself.
Mobile security researcher Martin Vigo recently demonstrated a scary voicemail loophole at the DEF CON convention in Las Vegas last week.
With it, a hacker can break into your voicemail and reset the passwords to a variety of your online accounts with a simple script.
Think accounts like PayPal, Whatsapp, Netflix, eBay – virtually any account that allows you to reset your password via an automated phone call.
Vigo said that the voicemail vulnerability he exploited has been known for a long time.
For how long? Well, he said this weakness has been documented for than 30 years but despite its potential for abuse, none of the four major carriers have addressed it so far.
Your voicemail is the weakest link
This is how it works.
Since voicemail inboxes are typically protected by simple four-digit security passcodes, a hacker can simply run brute-forcing software to guess the numeric code to break in and access the messages.
The attacker, who already has your email and phone number, can then request a password request but opt for a phone call with the reset code, instead.
With another script, the hacker can then use a variety of call flooding techniques to ensure that all of your calls go straight to voicemail.
Now since all your calls are getting routed to your voicemail inbox, guess who’s waiting to scoop up your reset code? Who else but the hacker who now has access to all of your voicemail messages.
For example, a hacker who’s impersonating you can request a password reset text message from WhatsApp. Now, after a minute delay, WhatsApp’s systems will also give you an option for a phone call that reads the code aloud instead.
See where this is going? If a hacker gets a hold of these automated messages, they can reset your passwords without your knowledge.
The thing is, according to Vigo, not even two-factor authentication can currently help you from this scenario.
Here’s the proof of concept
In Vigo’s DEF CON demonstration, he showed how his method works even for secure services like PayPal.
Actually, PayPal has security measures in place to prevent voicemail attacks like this by requiring users to type in a four-digit code during the call. However, Vigo bypassed this by cleverly setting the voicemail’s greeting message to a recording of the digit’s keypad tones.
What services are vulnerable to this attack?
“Password reset for PayPal, Instagram, Netflix, eBay, LinkedIn,” Vigo told his audience. “Authentication for WhatsApp, Signal, Twilio, Google Voice.”
Here are Vigo’s own basic steps in carrying this attack:
1. Bruteforce voicemail system, ideally using backdoor numbers
2. Ensure calls go straight to voicemail (call flooding, OSINT, HLR)
3. Start password reset process using “Call me” feature
4. Listen to the recorded message containing the secret code
Vigo is planning on releasing a modified version of his code on GitHub soon so white hat researchers can study and verify that it works. He also tweaked the script considerably so amateurs (popularly known as script kiddies) can’t grab the script and start exploiting voicemail inboxes on their own.
How to protect your accounts from this hack
To prevent this attack from happening to you, it is recommended that you change the PIN on your voicemail to something that’s as long and complex as possible. (Never use default codes on anything.)
Next, protect your phone number at all times. Don’t give away your number to online services unless you need it for two-factor authentication. It’s advisable that you switch to app-based authentication such as Google Authenticator instead of SMS-based codes anyway.
Another option is to turn off your voicemail completely especially if you’re not using it. Your voicemail inbox is filled with spam and robocalls anyway. Just have people text you if you can’t answer their calls.
For a more general solution to this vulnerability, Vigo is asking all online services to stop using automated phone calls for security and for phone carriers to require users to change their voicemail inbox PIN code from the default to something that’s harder to crack.