
Google Voice Fixes Security Flaw, Almost

samzenpus posted more than 5 years ago | from the almost-got-it-that-time dept.

Security 55

gardel writes "Google appears to have fixed a significant security hole in its two-week-old Voice calling service though some vulnerabilities remain. Until about 7pm PDT Tuesday, an unauthorized party could use a SIP device to spoof a phone number attached to a Google Voice account to call the Google Voice number, giviing the spoofer access to greetings and voicemail, and the ability to make outbound calls, including expensive international calls. Though spoofing via SIP is no longer possible, continued existence of some vulnerability was still apparent Tuesday night. Voxilla was able to set the caller ID of a PBX extension to a mobile number attached to Google Voice account and call in, using a business VoIP trunk, to gain access."

55 comments

Hello (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#27337703)

Welcome back losers

Pristy Foss

Typo (0)

Kawahee (901497) | more than 5 years ago | (#27337707)

giviing (sic) the spoofer access to greetings and voicemail

I refer you to my signature:

Re:Typo (2, Funny)

Anonymous Coward | more than 5 years ago | (#27337759)

giviing (sic) the spoofer access to greetings and voicemail

I refer you to my signature:

And I refer you to how to properly use sic [wikipedia.org], which is to say: It should be enclosed in square brackets, not in parentheses.

Gosh, now I can feel smugly superior, too!

Re:Typo (-1, Offtopic)

sortius_nod (1080919) | more than 5 years ago | (#27338081)

Bravo, you have out-trolled a troll. Sir, I tip my hat to you.

Re:Typo (0, Offtopic)

Tubal-Cain (1289912) | more than 5 years ago | (#27338325)

Shame on you. Neither the square brackets you reprimanded him for getting wrong, nor italicized.

And I refer you to how to properly use [sic]...

FTFY

Re:Typo (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#27338647)

Fuck the fuck you?

Re:Typo (0, Offtopic)

Tubal-Cain (1289912) | more than 5 years ago | (#27338753)

Fixed That For You

Re:Typo (0, Offtopic)

Vu1turEMaN (1270774) | more than 5 years ago | (#27340185)

wtf is this, engadget?

Re:Typo (1)

Xtifr (1323) | more than 5 years ago | (#27346583)

Great, so don't pay him for his post. But—unlike the slashdot "editors"—he's not actually asking to be paid for his postings, so that's kind of a big difference.

Re:Typo (0)

Anonymous Coward | more than 5 years ago | (#27337763)

giviing (sic) the spoofer access to greetings and voicemail

I refer you to my signature:

It's not a typo. Giviing is the Icelandic spelling. Gee Whiiz.

Re:Typo (1, Funny)

Aranykai (1053846) | more than 5 years ago | (#27337819)

Not a typo, this article was merely written by the brilliant minds that brought us the Nintendo Wii

Re:Typo (1, Offtopic)

numbsafari (139135) | more than 5 years ago | (#27338111)

Oh no you diint!

Re:Typo (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#27338491)

oh for mod points now...

Re:Typo (1)

drinkypoo (153816) | more than 5 years ago | (#27338151)

Not a typo, this article was merely written by the brilliant minds that brought us the Nintendo Wii

It had to be 'Wii', because 'We' is heavily encumbered, and 'Wi' would be pronounced like "Why", which is not a question they want to be asking - some other video game manufacturer will be happy to tell you.

Re:Typo (1)

cybernanga (921667) | more than 5 years ago | (#27338277)

Whee... would have done

"including expensive international calls" (2, Interesting)

conner_bw (120497) | more than 5 years ago | (#27337713)

Where expensive is an arbitrary number between the inability to use an internet chat program and proprietary price gouging?

Re:"including expensive international calls" (4, Funny)

David Gould (4938) | more than 5 years ago | (#27337839)

Where expensive is an arbitrary number between the inability to use an internet chat program and proprietary price gouging?

That, or "expensive international calls" is a euphemism for "phone sex".

Phreakers (5, Funny)

Anonymous Coward | more than 5 years ago | (#27337731)

Hackers, meet the Phreakers, Phreakers, meet the Hackers. Have fun!!

Re:Phreakers (2, Funny)

sortius_nod (1080919) | more than 5 years ago | (#27338089)

Oh, we've met, we don't get along, but we've met.

Re:Phreakers (0)

Anonymous Coward | more than 5 years ago | (#27338235)

Phreakers were, arguably, the original hackers. You know, in that time before PCs?

Re:Phreakers (1)

YttriumOxide (837412) | more than 5 years ago | (#27341587)

And for many years after... I was arrested for phreaking in the late '90s.

Re:Phreakers (0)

Anonymous Coward | more than 5 years ago | (#27341797)

And for many years after... I was arrested for phreaking in the late '90s.

You'd think you'd learn after being arrested for streaking in the late '80s.

Re:Phreakers (1)

YttriumOxide (837412) | more than 5 years ago | (#27341931)

Not so much in the late 80s, but in the early 80s I streaked a lot... but then again, I was under the age of 5, so that's probably a fair excuse.

Prolly shouldn't have used Trixbox (4, Informative)

BitZtream (692029) | more than 5 years ago | (#27337771)

Not that Google actually does, but you'll find plenty of VoIP setups that you can trick this way.

It's too simple to configure these setups to trust outside caller ID info (which is trivial to fake since most of the time no one checks to make sure the info being sent is allowed from the line) and to use that info for authentication to voicemail automatically.

It's kind of like considering * a trusted host for rsh/rcp and when you turn a nice pointy/clicky GUI over to a random person to admin your phone system, it ends up happening pretty often. Save money right up till you get that massive phone bill 'cause some guy was bouncing calls off you.

Re:Prolly shouldn't have used Trixbox (1)

BitZtream (692029) | more than 5 years ago | (#27337783)

Or they authenticate SIP phones by using their phone number as a password.

Re:Prolly shouldn't have used Trixbox (1, Interesting)

Anonymous Coward | more than 5 years ago | (#27338641)

Well, it is not only a "VoIP" problem. You still can access Metro PCS cellphones voicemail boxes that way. I used to check all my girlfriends' voicemails and be able to delete the ones I wanted, simply by setting the caller ID on my Asterisk as theirs.
Now, Metro PCS tells the users to create a password to secure their mailboxes. But, still, if your dtmf is working right, you can enter their passwords and keep looking into their voicemail boxes. Usually girls' passwords are really easy to guess: their body measures, birth dates, BF's birth date, so that is no big deal.

And used to work with all other carriers as well, besides old Nextels, as Nextel accounts used to get another number to call for their voicemail boxes. I don't know if Sprint changed it though.

Re:Prolly shouldn't have used Trixbox (1)

RobBebop (947356) | more than 5 years ago | (#27341371)

I used to check all my girlfriends' voicemails

AC and claiming to have multiple girlfriends while posting on Slashdot? I smell a rat.

Re:Prolly shouldn't have used Trixbox (1)

mzs (595629) | more than 5 years ago | (#27341497)

You're creepy.

Modern Day Phreakers (0)

mc1138 (718275) | more than 5 years ago | (#27337777)

This sort of thing really is inevitable. With the merging of more and more systems onto the internet, you're going to have a lot more malicious people much more accessible to your data. It used to be phone networks were either too slow, or just too inaccessible for all but really determined people, or one that has a captain crunch whistle... but now, even the dumbest script kiddie can begin to go after systems that have even small vulnerabilities.

2600 plz (4, Funny)

Anonymous Coward | more than 5 years ago | (#27338079)

I took down google voice with my captain crunch whistle.

Blue box? (0)

jspenguin1 (883588) | more than 5 years ago | (#27338127)

Is it still vulnerable to Woz's blue box?

Re:Blue box? (2, Funny)

Anonymous Coward | more than 5 years ago | (#27339509)

You're an idiot trying to fish for mod points by mentioning something vaguely relevant despite the fact you have no idea what it is, if you knew what it was and what this is you would know that it wouldn't work at all since it's completely different. Using a blue box here is equivalent to using a brick to access a locked user account on Windows XP simply because a brick can break a glass window.

Who cares (0)

Anonymous Coward | more than 5 years ago | (#27338139)

It's not like any of us can get a Google Voice account right now anyway.

I still haven't figured out exactly what it is. Can you call out via Google Voice? Does it act as a regular SIP provider? What the hell is the point of Google Voice?

Re:Who cares (4, Informative)

ximenes (10) | more than 5 years ago | (#27338185)

It's the same service as Grand Central, which I've been using for 2-3 years now.

The basic idea is that you can hide all of your various phone numbers behind your Google Voice number. People call it and all of your phones (or the ones you have configured for that caller or at that time of day) will ring. Whichever one you pick up gets the call, and you will be told the person's name and given the choice to actually answer or bounce them to voicemail.

On the other side, you can use the web interface to have Google Voice call one of your phones and connect you with any phone number you give it. This is free, except for international calls. I don't use this too often, but it helps when you don't want people to find out one of your 'real' phone numbers.

The best part is that you can control incoming calls essentially with a spam filter. When people call you they have to state their name (the first time), which plays when you answer their calls. You can decide to bounce certain numbers straight to voicemail every time or give them a 'this number is not in service' message.

Google Voice added the following features that I like:

- Voicemails are transcribed, not very well but you can usually get the gist quickly without listening
- SMS is now forwarded as well, which was pretty much the major short-coming of Grand Central.

Overall, I really like it, and the service quality has been quite good. The main thing is that it is not a phone service in itself, but something you use with other phone services.

No more "Press 1 to answer the call, press 2 to.." (1)

cjdavis (13840) | more than 5 years ago | (#27338411)

Even better, I don't have to press 1 any more to answer a call! So annoying when using a headset and your phone is tucked away somewhere.

Re:No more "Press 1 to answer the call, press 2 to (1)

ximenes (10) | more than 5 years ago | (#27338477)

It is nice that you can turn off Call Presentation now. I wish, as I did with Grand Central, that the level of configurability would get way higher. Things like having certain people's calls go through without the Call Presentation thing.

It would also be nice if the system was complex enough to understand voice commands in addition to the numbers. The biggest pain I have is answering a call on my iPhone requires changing over to keypad mode every time to hit '1'. However, it pays for itself when I manage to avoid a call that I really didn't want to take.

Another sweet feature: the contacts are now held in your Google Contacts stuff (shared with Gmail, which caused me a few initial problems), so that you can sync that up with the iPhone (and I presume other phones somehow) as well. It's really becoming a Googlefied world.

Re:No more "Press 1 to answer the call, press 2 to (1)

RJFerret (1279530) | more than 5 years ago | (#27338631)

Things like having certain people's calls go through without the Call Presentation thing.

You can do that! It's configurable by groups.

Re:Who cares (1)

tgd (2822) | more than 5 years ago | (#27339827)

If only Google would add number porting...

They talked about it for ages with Grand Central ...

Re:Who cares (0)

Anonymous Coward | more than 5 years ago | (#27339835)

Yeah but if you call someone on one of your phones they're going to see that phone number and not your Google Voice number so this all seems kind of pointless.

Re:Who cares (0)

Anonymous Coward | more than 5 years ago | (#27342579)

You can have Google Voice call you and them so it shows to them as your Google Voice number still. So it is not pointless.

Re:Who cares (1)

ximenes (10) | more than 5 years ago | (#27343669)

Right, this is what I meant by having Google Voice call one of your numbers to patch you through. To the recipient, it appears to come from your Google Voice phone number.

There is also an iPhone app to automate this, but I don't think it works with Google Voice (just Grand Central). Hopefully Google will come out with something official or the app gets updated.

I don't use it that often, because I typically don't care if someone gets my real number. However, when calling car dealers it's invaluable.

Has been true since early days (2, Insightful)

Em Ellel (523581) | more than 5 years ago | (#27338247)

Voxilla was able to set the caller ID of a PBX extension to a mobile number attached to Google Voice account and call in, using a business VoIP trunk, to gain access.

This has been true since early days of Grand Central. I really hope they would fix this, but I doubt they will. Basically, everyone knows you can't trust Caller ID, but they chose to do so anyway. I bet this was a business decision to allow easier use of the voicemail in order to compete with cellphone provider voicemail.

-Em

Re:Has been true since early days (1)

ximenes (10) | more than 5 years ago | (#27338283)

On the plus side, they did add some settings if you're concerned about this. Under Advanced Settings for each phone, you can now control whether or not it requires a PIN to access voicemail.

With Grand Central, devices listed as 'mobile' just got special treatment, but now it's a little finer grained.

I'm not really sure how else they could handle this, besides just eliminating the PIN-less voicemail and account control features entirely or having the default as off with big warnings about the boogeymen who will get you.

Re:Has been true since early days (0, Offtopic)

Techman83 (949264) | more than 5 years ago | (#27339227)

I never thought I'd see the day where I have severe UID envy. :P

The problem is Caller ID can't be trusted... (4, Interesting)

sam0737 (648914) | more than 5 years ago | (#27338289)

It's just some data that can be faked. As long as you have a trunk line like T1 to the Telco, or something similar, you are responsible to generate the Caller ID instead of the Telco.

So what's so surprising here? It just doesn't work to use it for authentication.
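The point in the comment above, that caller ID is caller-supplied data and cannot serve as authentication, shown as an added example that is not part of the original thread or any vendor's code. It contrasts a voicemail policy that skips the PIN on a caller ID match with one that always requires it; the phone number, PIN, lockout threshold and function names are all constructed for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_PIN_FAILURES = 3  # assumed lockout threshold, not taken from the thread


def hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


@dataclass
class Mailbox:
    linked_numbers: set   # phones the owner attached to the account
    salt: bytes
    pin_hash: bytes
    failures: int = 0     # consecutive wrong PINs


def make_mailbox(linked_numbers, pin):
    salt = os.urandom(16)
    return Mailbox(set(linked_numbers), salt, hash_pin(pin, salt))


def check_pin(box, pin):
    """PIN check with a failure counter so short PINs cannot be guessed freely."""
    if box.failures >= MAX_PIN_FAILURES:
        return "locked"
    if pin is None:
        return "pin_required"
    if hmac.compare_digest(hash_pin(pin, box.salt), box.pin_hash):
        box.failures = 0
        return "granted"
    box.failures += 1
    return "locked" if box.failures >= MAX_PIN_FAILURES else "denied"


def weak_access(box, caller_id, pin=None):
    """Pattern criticised in the thread: a matching caller ID skips the PIN."""
    if caller_id in box.linked_numbers:
        return "granted"
    return check_pin(box, pin)


def hardened_access(box, caller_id, pin=None):
    """Caller ID is treated as an unverified hint; every call needs the PIN."""
    return check_pin(box, pin)


def replay(policy, box, calls):
    """Run a list of (presented caller ID, PIN entered or None) through a policy."""
    return [policy(box, cid, pin) for cid, pin in calls]


# Constructed sample calls, all presenting the owner's number as caller ID.
OWNER = "+15555550100"
CALLS = [(OWNER, None), (OWNER, "0000"), (OWNER, "1111"),
         (OWNER, "2222"), (OWNER, "4821")]

if __name__ == "__main__":
    print(replay(weak_access, make_mailbox([OWNER], "4821"), CALLS))
    print(replay(hardened_access, make_mailbox([OWNER], "4821"), CALLS))
```

Under the weak policy every call presenting the linked number is granted, while the hardened policy asks for the PIN and locks the mailbox after three wrong attempts, including against the later correct PIN.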

Re:The problem is Caller ID can't be trusted... (1, Interesting)

Anonymous Coward | more than 5 years ago | (#27338497)

And yet, so many agencies, such as credit card companies, require that you phone in from your "home phone" to activate new cards.

Just because you seem to have figured out that it "doesn't work to use it for authentication", does not mean that it is commonly accepted of how unreliable it truly is and continues to be. Public attention (at least by "security professionals") needs to have more and updated education on best practices. Maybe you might consider being a trainer?

Re:The problem is Caller ID can't be trusted... (4, Informative)

realperseus (594176) | more than 5 years ago | (#27338623)

And yet, so many agencies, such as credit card companies, require that you phone in from your "home phone" to activate new cards.

Credit card companies use ANI (automatic number identification) instead of CPN (calling party number) for their "authentication". HUGE difference there as ANI cannot be spoofed..

Re:The problem is Caller ID can't be trusted... (2, Informative)

Shadow-isoHunt (1014539) | more than 5 years ago | (#27340965)

HUGE difference there as ANI cannot be spoofed..

Yes it can, just as easily as CID.

Re:The problem is Caller ID can't be trusted... (1)

222 (551054) | more than 5 years ago | (#27342315)

Under certain conditions, it can be. To say it can happen just as easily as CID is misleading at best, though.

Re:The problem is Caller ID can't be trusted... (0)

Anonymous Coward | more than 5 years ago | (#27344841)

Oh, Puh-Leeze.

Sibling is right, parent is wrong. It is not "as easy" to spoof ANI as CID.

If you have any sort of SIP or ISDN connection, you can stuff whatever you want in CID.

You have to be a real, honest-to-goodness LEC or long-distance carrier to "stuff" ANI. And your giant phone company peers will unplug yer ass in the blink of an eye if you screw around like that, since it affects billing.

It is "good enough" (1)

coryking (104614) | more than 5 years ago | (#27343601)

The odds of your unactivated card falling into the hands of somebody who has the ability to modify the Caller ID info is most likely pretty slim.

And having a card fall into the hands of somebody spoofing Caller ID to activate them means said person is doing some serious criminal shit. In other words, having the card activated is the least of anybody's worry.

In other words, security is a balance. Activating your card from a "home phone" just weeds out casual criminals who stumble on your mail--not hard-core people doing this shit for a living.

Grand Central (1)

bucketoftruth (583696) | more than 5 years ago | (#27338299)

What does it take to get into Grand Central? I've been signing up over and over for a year now.

Re:Grand Central (1)

RJFerret (1279530) | more than 5 years ago | (#27338625)

It seems they are transitioning GrandCentral users first? In the future there's an expectation of being able to offer invites à la original gmail.

However, availability of numbers in areas you want might be limited still?

I have a local friend who signed up about a week before the Google Voice transition announcement who hasn't heard back either.

What the hell are you guys talking about? (1)

ipc0nfig (1486043) | more than 5 years ago | (#27338427)

Wasn't the CIP device destroyed? Is there a second CIP device that Starkwood was keeping in reserve? And what the hell does Google have to do with anything?

Re:What the hell are you guys talking about? (1)

Ortega-Starfire (930563) | more than 5 years ago | (#27339349)

Just wait. It will turn out that Bauer was exposed to a techno-organic virus that turns him into a CIP device that is organic and plays techno.
