Hack AT&T Voicemail With Android

kdawson posted more than 3 years ago | from the who-needs-social dept.

Security 242

An anonymous reader writes "It is shockingly easy to gain access to an AT&T customer's voicemail using caller ID spoofing techniques. What's worse is that AT&T knows about it. On your Android phone, download one of the two caller ID spoofing programs. Input the number of your target as the destination number and then enter the same number as the spoofed caller ID. Then connect your call. If the target has not added a voicemail password (the default is no password), you will be dropped into a random menu of their voicemail and eventually can drill up or down to get what you want. You can change greetings, erase messages, send voicemails out of the target account, and much more. How many politicians up in arms about Google Wi-Fi sniffing will want to know more about this?"

242 comments

Ha! (-1)

Anonymous Coward | more than 3 years ago | (#32739300)

Most excellent.

Re:Ha! (1, Informative)

icebike (68054) | more than 3 years ago | (#32739360)

Passwords People, they are not just for Game shows.

Spoofing caller id should be illegal, but there are just enough loopholes to let you get away with it.

I don't believe this is ONLY restricted to AT&T.

Re:Ha! (3, Insightful)

mrsteveman1 (1010381) | more than 3 years ago | (#32739420)

Really? You think the caller ID spoofing is the problem here?

Re:Ha! (3, Informative)

X0563511 (793323) | more than 3 years ago | (#32739444)

I like how you forget the first sentence by the time you move on to the second.

Allow me to repeat him:

Passwords People, they are not just for Game shows.

Re:Ha! (1)

icebike (68054) | more than 3 years ago | (#32739448)

My first line somehow escaped your attention?

Re:Ha! (2, Insightful)

mrsteveman1 (1010381) | more than 3 years ago | (#32739572)

No it didn't. The fault here is entirely with AT&T, it is not because of missing passwords/pin numbers (which should not matter), nor is it a lack of regulation concerning caller ID.

Re:Ha! (2, Informative)

icebike (68054) | more than 3 years ago | (#32739606)

Nonsense. MOST voicemail systems assume calls from the same number are from the owner of record. ATT IS NOT ALONE.

Re:Ha! (3, Insightful)

mrsteveman1 (1010381) | more than 3 years ago | (#32739644)

So riddle me this, what would happen if I went to make a call from my cell phone to another number, but spoofed the caller ID, whose minutes am I then using? Who gets charged?

Doubt it would be the owner of the spoofed number paying. If it DOES work that way, it simply proves AT&T is incompetent. If it doesn't work that way, then their billing department isn't as dumb as their customer security department.

Re:Ha! (1)

e3m4n (947977) | more than 3 years ago | (#32739978)

callerid is not the same as the ANI number on the call. The ANI is what is used to bill.

Precisely (2, Interesting)

baileydau (1037622) | more than 3 years ago | (#32740084)

callerid is not the same as the ANI number on the call. The ANI is what is used to bill.

I think that was exactly the GP's point.

If they used the ANI rather than the caller ID, there wouldn't be a problem.

Re:Ha! (1)

ElKry (1544795) | more than 3 years ago | (#32739656)

And yet, they are at fault anyway. Just because a lot of people do something doesn't mean their responsibility is automatically waived.

Re:Ha! (1)

BlueBoxSW.com (745855) | more than 3 years ago | (#32739492)

I would have been funnier if you started your comment with the word "Really?"...

Re:Ha! (0)

Anonymous Coward | more than 3 years ago | (#32739874)

Really? You would have been? (Not that your current funniness is a high bar...)

Re:Ha! (1)

AK Marc (707885) | more than 3 years ago | (#32739984)

I think caller ID spoofing is fraud and should be prosecuted as a criminal charge, and those phone companies that allow CID spoofing should be charged as conspirators.

Placing blame (5, Informative)

SilverHatHacker (1381259) | more than 3 years ago | (#32739310)

I fail to see how Android is at fault here. That is basically how voicemail is intended to work, and if you don't put a password on it, you're just as much to blame - same as with any computerized system. The fact that you're spoofing it using an Android app is irrelevant.

Re:Placing blame (5, Informative)

JaZz0r (612364) | more than 3 years ago | (#32739394)

Caller ID spoofing is nothing new. It can be done from a number of [spoofcard.com] different [telespoof.com] services [spooftel.com]. You can even call these services from an iPhone! New headline: iPhone Can Hack Unsecured Voicemail

Re:Placing blame (3, Insightful)

PopeRatzo (965947) | more than 3 years ago | (#32740022)

You can even call these services from an iPhone! New headline: iPhone Can Hack Unsecured Voicemail

Yes, but if the story were to mention that, it wouldn't work as FUD.

Re:Placing blame (0)

Anonymous Coward | more than 3 years ago | (#32739476)

This, I've messed with friends voicemail accounts years ago by dialing in and entering 0000 as a password..

I of course didn't feel the need to brag on blogs about how clever I was because I was 13 at the time, so I was old enough to realise I wasn't "hacking" their voicemail.

Jesus Christ people, this kind of stuff makes me ashamed to be a Computer Science student, I've honestly thought of dropping out and doing Maths so I wouldn't have to be associated with these people.

Re:Placing blame (-1, Troll)

Anonymous Coward | more than 3 years ago | (#32739988)

This, I've messed with friends voicemail accounts years ago by dialing in and entering 0000 as a password..

I of course didn't feel the need to brag on blogs about how clever I was because I was 13 at the time, so I was old enough to realise I wasn't "hacking" their voicemail.

Jesus Christ people, this kind of stuff makes me ashamed to be a Computer Science student, I've honestly thought of dropping out and doing Maths so I wouldn't have to be associated with these people.

You might brush up on your Engrish too while you change studies.
I am the same age as you and even I REALIZE that this is a whistle blowing article, not a blog entry. Your post makes no sense. Why would being a CS student associate you with script kiddies or the like?

You are a fucking idiot.

Re:Placing blame (3, Insightful)

Anonymous Coward | more than 3 years ago | (#32739490)

+1, this is NOT an included feature of Android. You have to download an application in order to accomplish this. And, if I'm not mistaken, BlackBerry and iPhones both have access to such apps.

"How many politicians up in arms about Google Wi-Fi sniffing will want to know more about this?" - Seriously? what kind of statement is that? This has NOTHING to do with Google directly. As SilverHatHacker said, if you don't put a password on it, you're just as much to blame. Call spoofing has been around since before Android even existed. Some call spoof sites / applications prohibit you from entering the same number as both your number and the number you are calling (I'd assume to avoid their services being involved with things like this).

Bottom line, don't like it? Put a password on your voicemail. Upset that this is your option? Then complain to the developers / people behind services that allow call spoofing. Don't put the blame on an open source platform, let alone on one of the many corporations behind that platform.

Re:Placing blame (4, Interesting)

pushing-robot (1037830) | more than 3 years ago | (#32739570)

Yeah, this is how I always understood voicemail to work. Blame users for not having proper passwords, and blame phone companies for being hopelessly inept at security. Caller ID is useless for authentication; it dates to the early 1970s, when AT&T still assumed the entire phone network was trusted (and thus black/blue boxes were becoming the rage).

Of course, now Google has to play whack-a-mole locking out these apps for much the same reason Apple locks their handhelds: No matter who's really at fault, they get the bad press.

Re:Placing blame (2, Interesting)

QuantumRiff (120817) | more than 3 years ago | (#32740040)

does it have to be on ATT's network? What if I spoof the Caller ID of my home phone using asterisk? (or something else?)

years old vulnerability (4, Informative)

SuperBanana (662181) | more than 3 years ago | (#32739616)

I fail to see how Android is at fault here. That is basically how voicemail is intended to work, and if you don't put a password on it, you're just as much to blame - same as with any computerized system. The fact that you're spoofing it using an Android app is irrelevant.

Yep, this is such old news it's not even funny. It is a years-old vulnerability that was covered years ago in slashdot, among other places- I couldn't find any articles with a lazy google search, but I did turn up a comment talking about this very problem from 2006. [slashdot.org] Carriers have known about the issue for half a decade or more.

The only point I see TFA trying to make in a very roundabout way is that because the Android market is more open than Apple's, stuff like this "can happen", which is slightly true.

Re:Placing blame (5, Informative)

eyeota (686153) | more than 3 years ago | (#32739634)

ATT's implementation is indeed to blame. CallerID is the calling presentation of a call, not the source/origination. Using CallerID to authenticate anything requires trusting the person making the call and that's just not smart. ANI or Automatic Number Identification is what should be used to identify the call; it's what is used to bill the call after all. No Bell in their right mind accepts ANI from their customer. The Bell switch always looks up the TN originating the call and sets the ANI to the appropriate value. The ANI is what should be used to authenticate VM as it cannot be set by the customer. Sprint's implementation is indeed correct as I've tried spoofing my own cell # in the past to call into VM and was unsuccessful.

Re:Placing blame (0)

Anonymous Coward | more than 3 years ago | (#32739774)

I am happier and happier to be a Sprint customer every day.

Seriously, what is AT&T thinking?

Re:Placing blame (1)

ytaews (1837554) | more than 3 years ago | (#32739660)

As AT&T told us with the whole iPad email thing, it's not their fault for not having a password by default, nor is it Android's fault for allowing Caller ID spoofing, it's the fault of the people who let the public know their voicemail wasn't safe.

Re:Placing blame (0)

Anonymous Coward | more than 3 years ago | (#32739692)

It's not quite the same thing as not having a password on your computer. If you don't have a password on your computer, anyone can use it, but typically only if they have physical access to it. Similarly, if you leave the default password on your home router, anyone can mess with it, but the default is to only allow logins from the local network, so close proximity to the device is required, and even more so if wifi is disabled or has a strong WPA2 password. This is quite different as anyone anywhere in the world can access your voicemail.

What is really needed is for a change in the way voicemail is handled. Voicemail should be an IP service, with an app installed on phones to access it (and uses the SIM and other information on the phone as ID), and also have a POTS interface which is disabled by default and requires a password to be set before enabling it. This way, even if someone declines to set a password, their voicemail is safe as long as they maintain custody of their phone and SIM card.

Re:Placing blame (1)

Stupendoussteve (891822) | more than 3 years ago | (#32739702)

Who is blaming Android? Tone of the article is negative towards AT&T, not towards Android. It just happens that apps to do this are easy to come by for Android.

Re:Placing blame (1)

rjch (544288) | more than 3 years ago | (#32739752)

I fail to see how Android is at fault here. That is basically how voicemail is intended to work, and if you don't put a password on it, you're just as much to blame - same as with any computerized system. The fact that you're spoofing it using an Android app is irrelevant.

The article isn't blaming Android for this - the finger is pointed at AT&T for such lax security. The only reason Android is referenced is that there happen to be apps available to spoof caller ID from them.

In Australia, we don't have this problem because caller ID spoofing of any kind is not allowed and is actively blocked from any landline or mobile service - if you attempt to present caller ID for a number that does not belong to the service the call is originating from, then the caller ID is reset to a default.

Where caller ID spoofing of any kind is allowed, carriers should not activate a service without a random pin number being assigned first.

Re:Placing blame (1)

MichaelSmith (789609) | more than 3 years ago | (#32739888)

if you attempt to present caller ID for a number that does not belong to the service the call is originating from, then the caller ID is reset to a default.

I wouldn't say we don't have the problem. You could get away with another number on the originating service. We have fewer operators and less competition, which leads to other problems of course.

Re:Placing blame (2, Insightful)

sjames (1099) | more than 3 years ago | (#32740112)

It is absolutely positively NOT how voicemail is supposed to work but Android isn't to blame.

AT&T knows very well that caller-id is worthless for authentication AND it has access to the much more authoritative ANI (which cannot be spoofed so easily).

I wouldn't blame the customers either. If you mistakenly believe that AT&T has a single grain of common sense, you might imagine they DO use ANI (I'll bet the manual reads "from your phone only" rather than "from any phone that sends your number in its faked caller ID") even if you don't know what it's called. After all, they're the phone company, surely they know which phone you're calling from, they DO know who to bill the minutes to after all.

Any other phone? (5, Interesting)

jarrettwold2002 (601633) | more than 3 years ago | (#32739316)

Can you do this with any other phone or device? If the method can be performed in a platform agnostic manner, then it doesn't matter if it's Android. It's simply a platform hole on AT&T's end, and Google being thrown in as a straw man.

Re:Any other phone? (4, Informative)

reaper (10065) | more than 3 years ago | (#32739532)

Ya, I did it with Asterisk a while back. Found out accidentally when I dialed my cell phone while setting my call ID to my cell's number. So I tried it with a friend's number. Hilarity ensued.

Re:Any other phone? (1)

nobodyman (90587) | more than 3 years ago | (#32739864)

I agree that it's not Google's fault, but I think the point is that Android lowers the bar for someone attempting this. Configuring asterisk to spoof caller ID and retrieving voicemail is possible, but relatively few have the proficiency to do this. Any idiot can buy an Android phone.

Re:Any other phone? (2, Informative)

jothar hillpeople (1789504) | more than 3 years ago | (#32739646)

I did this on a Verizon Droid using a spoof app, to a Verizon number. Not on purpose- I was trying to goof on a friend by having his phone ring with his own number. Then I got the voicemail prompt, and I hung up.

Re:Any other phone? (0)

Anonymous Coward | more than 3 years ago | (#32739710)

You can do this with many VOIP services. I have done it with an asterisk box and a PRI (T-1).

Re:Any other phone? (1, Informative)

Anonymous Coward | more than 3 years ago | (#32739754)

I was able to change the number my work landline displayed and was able to access my ATT voicemail after I removed my password. We use a NEC IPK II for our voicemail system and it literally takes a few seconds to change the outgoing number for a phone.

passwords.. (0)

random_ID (1822712) | more than 3 years ago | (#32739324)

Any politician dumb enough not to password protect EVERYTHING deserves the results. As for average joe customer, I could see some being surprised by this - ATT should probably change the system to require passcode/PIN.

Re:passwords.. (4, Insightful)

Lehk228 (705449) | more than 3 years ago | (#32739338)

without a password voicemail should only accept connections from the owner's phone.

Re:passwords.. (0)

random_ID (1822712) | more than 3 years ago | (#32739390)

Did you read the bit about caller ID spoofing?

Re:passwords.. (4, Insightful)

X0563511 (793323) | more than 3 years ago | (#32739456)

It's the damn phone company. If it's a landline, you mean to tell me they can't see what circuit it's coming from all the way back to your house?

If it's a cell, likewise - there are cell specific identifiers, namely the SIM details...

Re:passwords.. (3, Informative)

Anonymous Coward | more than 3 years ago | (#32739836)

> If it's a landline, you mean to tell me they can't see what circuit it's coming from all the way back to your house?

No "they" can't, at least not in real-time. "They" in this case means AT&T, Verizon/MCI, Sprint, etc. -- any of the large telcos. The infrastructure is simply too big (circuit-wise, switch-wise, etc.), too old, and too "dumb" (in a literal sense) to provide this in real-time. This is not Ethernet we're talking about here.

Validation based on ANI (this is not the same as Caller ID) is possible, since an ANI isn't spoofable on classic telco networks...... except with the introduction of VoIP into the fray, ANI spoofing is achievable since many VoIP-to-TDM carriers permit/pass user (LEC)-defined ANIs. Yes, I said user-passed ANI, and I mean it.

Here's a better idea: induce password requirements on a customer's voicemail. Minimum of 4 digits, no repeating numbers ("0000" is invalid). It USED to be this way (back when I subscribed to voicemail services in 1998). So why has this changed? Fix that and done, problem solved, next issue.

Re:passwords.. (1)

MichaelSmith (789609) | more than 3 years ago | (#32739866)

Similar problem with default wifi router passwords. If the default password was set to the serial number of the device, hacking would be more difficult. Not perfect, but better. For a mobile phone the voicemail password could be part of the IMEI. Then you can set what you want. Not sure about land lines. Maybe something from the subscriber's personal information? Their date of birth for example.

Re:passwords.. (1)

greerga (2924) | more than 3 years ago | (#32740038)

Back when I worked at an ISP, the dial-up PRI (http://en.wikipedia.org/wiki/Primary_rate_interface) could see caller ID even if it was blocked. The PRI was through Sprint IIRC and the local telco was Cincinnati Bell, so it wasn't the same system.

Re:passwords.. (4, Insightful)

markov_chain (202465) | more than 3 years ago | (#32739468)

He's got a point. Why can't voice mail run over some data connection authenticated by the phone's unique ID or something similar? They certainly do billing that way. It is 2010, and voice mail still works by having the phone call out to a magic number- how antiquated!

Because that's not how vmail is used (1)

SuperKendall (25149) | more than 3 years ago | (#32739762)

He's got a point. Why can't voice mail run over some data connection authenticated by the phone's unique ID or something similar?

Because most people expect to be able to check voicemail even when the phone is not working or with them. People WANT a number they can call, from anywhere, and check voicemail.

Re:Because that's not how vmail is used (1)

pipedwho (1174327) | more than 3 years ago | (#32740004)

He's got a point. Why can't voice mail run over some data connection authenticated by the phone's unique ID or something similar?

Because most people expect to be able to check voicemail even when the phone is not working or with them. People WANT a number they can call, from anywhere, and check voicemail.

'Most' people I know use their mobiles for pretty much everything. I would hazard a guess that it is an incredibly small percentage of mobile phone users that actually WANT a universally accessible voice mail service.

In fact, most people I know hardly ever bother to even check their voice mail - they rely purely on SMS and their phone's 'recent missed calls' list. If their phone stopped working or wasn't available, access to voice mail would be the least of their problems.

Re:Because that's not how vmail is used (2, Insightful)

PopeRatzo (965947) | more than 3 years ago | (#32740056)

'Most' people I know use their mobiles for pretty much everything. I would hazard a guess that it is an incredibly small percentage of mobile phone users that actually WANT a universally accessible voice mail service.

So then, just require a password when calling from any phone besides the cellular phone to which the voice mail account is associated.

This is hardly an insurmountable technical issue. There's no reason you couldn't just have calls from the cell phone access the voice mail directly, but if you want to use a different phone to get your voice mail, you need to enter a 4 digit PIN or something (at least).

You can't get an email account without a password, so why should people expect voicemail to be any different, "for convenience"?

Re:Because that's not how vmail is used (1)

pipedwho (1174327) | more than 3 years ago | (#32740116)

I completely agree with this. For those that want the additional 'universal voice mail access' service, let them enable it separately and force it to require a valid password/PIN.

Re:passwords.. (1)

macguys (472025) | more than 3 years ago | (#32740064)

He's got a point. Why can't voice mail run over some data connection authenticated by the phone's unique ID or something similar? They certainly do billing that way. It is 2010, and voice mail still works by having the phone call out to a magic number- how antiquated!

Doesn't that defeat the whole "GSM; move your SIM from one phone to another" thing?

Re:passwords.. (0)

Anonymous Coward | more than 3 years ago | (#32739496)

without a password voicemail should only accept connections from the owner's phone.

Swoosh!!!!
(that's the sound of the ID spoofing part going over your head)

Re:passwords.. (2, Informative)

quetwo (1203948) | more than 3 years ago | (#32739504)

and how would things like roaming work? I'm sure there are lots of cases when you are not on your own carrier's network (even if it says it on your phone's screen).....

Re:passwords.. (1)

omnichad (1198475) | more than 3 years ago | (#32739750)

The same way that the roaming tower knows whom to bill for carrying the call. They can easily use ANI or SIM details to verify the identity - caller ID is just an info service, not a security mechanism.

Re:passwords.. (1)

shutdown -p now (807394) | more than 3 years ago | (#32739764)

and how would things like roaming work?

I would imagine in roughly the same way they use to determine whom to charge for roaming?

I mean, funny how they don't get these kinds of things wrong when it comes to billing, eh?

Re:passwords.. (0)

mcrbids (148650) | more than 3 years ago | (#32739686)

without a password voicemail should only accept connections from the owner's phone.

Uh, Whoosh?

You missed something here! See, the voicemail IS only accepting connections "from the owner's phone" - and that's determined by the caller ID. However, because Caller ID is easily spoofed in the right environments, this isn't a very secure solution...

Re:passwords.. (4, Interesting)

tomhudson (43916) | more than 3 years ago | (#32739642)

1-2-3-4-5

Local police station used that, a guy spent months messing around with informants, cops' girlfriends (awkward when you can hear both the girlfriend and the wife leaving messages for the same cop), etc.

Arrested, charged, convicted, probation ... does it again!

The cops never changed the password.

BREAKING NEWS (0)

Anonymous Coward | more than 3 years ago | (#32739354)

Not using a password allows hackers access to your data!

More at 11.

THIS IS NOT A PROBLEM !! (-1, Troll)

Anonymous Coward | more than 3 years ago | (#32739368)

This is a good thing for all concerned !! Voice mail is for numbnuts/eggsax !! Easy is required !!

They Deserve It (1, Insightful)

j0hnyquest (1571815) | more than 3 years ago | (#32739382)

If you don't have a password on your voicemail, you deserve to have it hacked into. Plain and simple.

Re:They Deserve It (0)

Anonymous Coward | more than 3 years ago | (#32739466)

If you don't have a password on your voicemail, you deserve to have it hacked into. Plain and simple.

I have a password on my voicemail. 1.3.3.7. Same as my luggage!

Re:They Deserve It (3, Insightful)

jeppster (1031326) | more than 3 years ago | (#32739524)

My wife forgot to lock our house door one night and we were burglarized. By your logic, we deserved that. Good to know; I appreciate the heads up, and I'll be sure to let her know.

Re:They Deserve It (4, Insightful)

victorhooi (830021) | more than 3 years ago | (#32739592)

heya,

Look, I don't think the parent means you deserve it, in some grand-cosmic karma scheme or something.

I think what he's referring to is that, well, you have to take responsibility for securing your belongings.

It's simple common-sense. In Australia, if I leave my car unlocked in a car-park, and then come back to find my stuff inside gone, if I go to the police and report it, I doubt they'll have a lot of sympathy for me. They'll probably write me off as an idiot - and rightly so. Everybody makes mistakes, but sometimes *touch wood* you have to take responsibility for them.

So while the story about your wife and you being burglarised is sad - ultimately you're adults, you have to take responsibility for your own mistakes. In this case, it was forgetting to lock the doors. That's not to say theft isn't wrong, but I think it's sad how people today don't seem to want to take responsibility for themselves.

It's like those kids who come out crying, boo-hoo, I'm pregnant, my life is ruined, blah blah blah. Well, whoop-de-doo, you chose to have intercourse, whose fault is that? And you chose to do it without using contraception, even smarter. Idiots.

Cheers,
Victor

Re:They Deserve It (2, Insightful)

nobodyman (90587) | more than 3 years ago | (#32739968)

I think most people would agree with you in the abstract, but keep in mind that the majority of mobile phone owners don't even know that such a thing is even possible. We know better so we use passwords. The thing is, AT&T also knows better, and they have the ability to mitigate the risk, but are doing nothing. Shouldn't they be held at least partially responsible?

Re:They Deserve It (1)

cgenman (325138) | more than 3 years ago | (#32740002)

Why should you lock your voicemail if the only phone that is supposed to have access to it is your own?

If someone is spoofing your phone to your phone company, there are much bigger problems. It isn't impossible, but phone cloning is much harder to do now than in the early days of drive-by number stealing. These days the phone companies have pretty solid ways of knowing who you are for billing and other purposes. Yet they use caller-ID to determine voicemail access? That's just a bad implementation.

Re:They Deserve It (1, Funny)

Anonymous Coward | more than 3 years ago | (#32739698)

Did you mean "we were burgled", or did they really turn you and your wife into burglars?

Re:They Deserve It (0)

Anonymous Coward | more than 3 years ago | (#32740018)

burgle (bûrgl): To burglarize.

Your welcome.

Re:They Deserve It (1, Informative)

Anonymous Coward | more than 3 years ago | (#32739816)

while it would suck and would still be illegal, there are two faults in your application of his logic.

First, in this analogy your wife, and yourself, would have never locked the doors on your house before. You don't even have a key, though the house is set up for you to use one if you wish.

Additionally, being hacked and burglarized are different. In this analogy someone would have broken in, looked at all your stuff, and might possibly lock the door to which you've never taken the key.

Re:They Deserve It (1)

MobileTatsu-NJG (946591) | more than 3 years ago | (#32740010)

My wife forgot to lock our house door one night and we were burglarized. By your logic, we deserved that.

I think for his logic to be interpreted correctly, you only deserved it if you left your house unlocked all the time.

Re:They Deserve It (1)

pipedwho (1174327) | more than 3 years ago | (#32740074)

Think on the bright side, at least the door jamb and locks weren't damaged during the 'break and enter'.

Re:They Deserve It (0, Insightful)

Anonymous Coward | more than 3 years ago | (#32739596)

If you don't wear a seatbelt when you're driving at over 30mph, you deserve to have me suddenly hit the brakes when I'm driving ahead of you so you rear-end me and slam your head into your windshield. Plain and simple.

If you don't look at which alley you're walking down, you deserve to have me pop out behind a garbage can and mug your sorry ass. Plain and simple.

If you don't park straight in a standard public parking lot and allow me to park safely, you deserve to have me key your car and/or pop your tires. Plain and simple.

Ain't karma a bitch?

Re:They Deserve It (4, Insightful)

DavidD_CA (750156) | more than 3 years ago | (#32739676)

How many people even know to put a password on their cellphone voicemail?

I wouldn't expect to need to, since I was never asked for one in the first place nor did any instructions or guidance tell me otherwise.

Re:They Deserve It (0)

Anonymous Coward | more than 3 years ago | (#32739696)

Even if you do have a password, with this method, anyone can access your voicemail and guess it. No one should even have the opportunity to try a password except you.

Who cares? (1)

Stiletto (12066) | more than 3 years ago | (#32739880)

Who cares about locking down their voicemail? What is a "hacker" going to do to me with my voicemail messages? Should I be afraid that Mr. Hacker knows that my wife is picking up cereal and eggs at Safeway this afternoon? Or that my buddy wants to go out for beer after work?

As Steve Jobs once said, "This is a non-issue."

Re:Who cares? (2, Interesting)

ColdWetDog (752185) | more than 3 years ago | (#32740000)

Who cares about locking down their voicemail? What is a "hacker" going to do to me with my voicemail messages?

Dear Mr. / Ms. Politico: I talked to my boss and he's cool with the plan. We will wire you your 1 million dollars into the account of your choice, you just have to push our bill through. Let me know what you want to do.

Thanks,
Your local lobbyist

Or somesuch similar conversation. Not everybody's life is as boring as ours is.

Re:They Deserve It (2, Informative)

Nirvelli (851945) | more than 3 years ago | (#32739938)

Most people have no idea they can access their voicemail from other phones. Most people only know that when their cell phone says "you have a message" then they can push the special button and check it and that's it. They think, "The only time somebody can listen to my voicemail is if they steal my phone."
Why would they ever think to put on a password? As far as they know, there's absolutely no reason to. They probably don't even know you can have a password on it.

So what's new? (4, Informative)

Anonymous Coward | more than 3 years ago | (#32739384)

This has been a problem for years. VOIP makes caller id spoofing trivial and is supported as a feature just about everywhere. The problem is the fact that VOIP is bolted on to existing infrastructure. An ip call terminating into the pstn has no inherent phone number since (obviously) it's not originating in the pstn. The solution? You can pick your own caller id.

Re:So what's new? (0)

Anonymous Coward | more than 3 years ago | (#32739622)

Yes, exactly, this is news to no one at all.

Anyway, hopefully this little bit of hysteria will assist in hastening the demise of cellular voicemail, in favor of secure IP-based voicemail services, like Google Voice. Incidentally, Google even provides (optional) voicemail access over the phone... the account holder can toggle automatic CallerID-access (with a big warning). But phone access shouldn't be enabled -- even if passworded -- unless absolutely necessary.

Re:So what's new? (1)

DarthBart (640519) | more than 3 years ago | (#32739760)

It's not specifically "VOIP" that lets you do it. It's the fact that most telcos will just pass along the Calling Party Number handed to them on the ISDN setup message, as rightly they should. If I purchase a PRI from a telco to say, share between businesses in an office complex, and get assigned a block of 10 DIDs, when I place an outgoing call on the circuit, how does the telco know what CID to set for the business placing the call?

Now, granted, there is ANI, which is often set to the main "Bill-To Number" on your customer account, and that is used in the event of a call to 911. But you almost always have to have a direct SS7 connection to get or set the ANI. Very rarely will you find an end user that has SS7 capability.

It is the responsibility of the circuit end user to ensure that their customers are not playing mickey mouse games with CID. As a former administrator of a very large Asterisk deployment, I laid out the dialplans and configurations so that if someone was trying to set their CID to something outside of our DID pool, the system would reject the call and play a message about not setting bogus CIDs.
 

Re:So what's new? (1)

AK Marc (707885) | more than 3 years ago | (#32739912)

how does the telco know what CID to set for the business placing the call.

How about they don't set the CID, but strip it if the number handed to them isn't authorized on that line? That would fix the problem in most cases.
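
The outbound check DarthBart describes (reject a call whose caller ID is outside the DID pool) and the variant AK Marc suggests (strip the caller ID instead), sketched in Python as an added example. It is not either poster's code and not Asterisk configuration; the DID pool, the sample numbers and the function names are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a block of 10 DIDs assigned to one trunk (fictional 555-01xx range).
DID_POOL = {f"+1202555010{i}" for i in range(10)}

def normalize(cid: Optional[str]) -> Optional[str]:
    """Reduce a presented caller ID to +E.164 form, or None if it is malformed."""
    # Accept only digits and common formatting characters; names, SIP parameters
    # or anything else smuggled into the field make the value unusable.
    if not cid or not re.fullmatch(r"[+\d\s().-]+", cid):
        return None
    has_plus = cid.strip().startswith("+")
    digits = re.sub(r"\D", "", cid)
    if has_plus:
        return "+" + digits if 8 <= len(digits) <= 15 else None
    if len(digits) == 10:                       # national NANP format
        return "+1" + digits
    if len(digits) == 11 and digits[0] == "1":  # NANP with leading 1
        return "+" + digits
    return None

@dataclass
class Decision:
    action: str               # "pass", "strip" or "reject"
    presented: Optional[str]  # caller ID sent onward, if any
    reason: str

def screen(cid: Optional[str], pool=DID_POOL, policy: str = "reject") -> Decision:
    """Decide what to do with the caller ID a tenant asks to present."""
    number = normalize(cid)
    if number in pool:
        return Decision("pass", number, "authorized DID")
    if policy == "strip":
        # AK Marc's variant: the call proceeds, but without the unverified number.
        return Decision("strip", None, "unauthorized CID removed")
    # DarthBart's variant: refuse the call outright.
    return Decision("reject", None, "CID outside DID pool")

if __name__ == "__main__":
    # Constructed call attempts from tenants sharing the trunk.
    for cid in ["(202) 555-0103", "+1 202 555 0199", "2125550123", "anonymous"]:
        for policy in ("reject", "strip"):
            print(f"{cid!r:20} {policy:7} -> {screen(cid, policy=policy)}")
```

Either policy only works at the point where the trunk's assigned numbers are known, which is why both posters place the check at the circuit owner or the telco edge rather than at the far end.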

How many politicians... (1, Insightful)

TheEyes (1686556) | more than 3 years ago | (#32739398)

"How many politicians up in arms about Google Wi-Fi sniffing will want to know more about this?"

Answer: none, since Microsoft isn't paying them to target AT&T.

OP Notes On Post (0, Insightful)

Anonymous Coward | more than 3 years ago | (#32739454)

I am the one who posted this - it is my first Slashdot submission. Please don't flame too hard. I am posting anon because I am a convicted hacker on probation. I just wanted to add that we noticed a side effect of doing this: If the target is using an iPhone, their Visual Voicemail will prompt for a password the moment the attacker logs out of their voicemail box. The target must then reset their VM password.

Re:OP Notes On Post (1)

MichaelSmith (789609) | more than 3 years ago | (#32739538)

I am posting anon because I am a convicted hacker on probation.

So you expect that posting anonymous will prevent the police from identifying you? You can't be a very good "hacker" if you believe that.

Re:OP Notes On Post (-1, Troll)

Anonymous Coward | more than 3 years ago | (#32739576)

also, I love to suck the big black cock.

spoofing soon to be illegal (0)

Anonymous Coward | more than 3 years ago | (#32739636)

house and senate have both passed bills

wouldn't want to be the first test case if you got caught

Re:spoofing soon to be illegal (0)

Anonymous Coward | more than 3 years ago | (#32739650)

house and senate have both passed bills

wouldn't want to be the first test case if you got caught

OP Agrees

Not just Android (3, Informative)

agent_vee (1801664) | more than 3 years ago | (#32739662)

My friend used an application like this to fake his caller ID using his iPhone. Though it might have required jailbreaking to install.

Nothing new (0)

Anonymous Coward | more than 3 years ago | (#32739720)

Also available for BlackBerry or PC. I've been able to do this for at least a year now..

Voicemail should only accept the user's phone... (1)

s0litaire (1205168) | more than 3 years ago | (#32739736)

...IMEI rather than phone No.

As well as a password.

If you get a new phone, all you need to do is link your new IMEI and remove the old one. It's more secure and pushes things up a notch legal-wise if someone tries to spoof an IMEI!!

iPhone makes you enter password on setup (1)

SuperKendall (25149) | more than 3 years ago | (#32739748)

Is the default really no password for most AT&T phones? I seem to recall part of the iPhone setup requiring you to enter a vmail password.

AT&T hardware has the same loophole (2, Interesting)

tompaulco (629533) | more than 3 years ago | (#32739828)

I had an AT&T answering machine which you could access remotely. I, of course, had set the pin. However, someone still managed to get in and hack it and changed my greeting to something about sucking male genitalia. I was not amused. I ended up disabling the remote access completely since apparently any old idiot can call in and figure out how to get into the menus.

Old news (1)

TimeOut42 (314783) | more than 3 years ago | (#32739902)

Old news.... Not an Android issue... Not an AT&T issue... Sounds like a disgruntled Pocket user... This is what you get when you can't be bothered to set a passkey on your voice mail. Hacking....P'shaw...

TimeOut

ad (0)

Anonymous Coward | more than 3 years ago | (#32740044)

Hilariously the advertisement for this article in g reader is for spoof card "the number 1 caller ID spoofer"

Hari Gottipati (0)

Anonymous Coward | more than 3 years ago | (#32740068)

How old is this? I read about this back in 2006. Check this http://www.oreillynet.com/onlamp/blog/2006/02/exploit_cingular_voicemail_vul.html. Why is it news now? As a matter of fact, it's not just from Android - you can do this from any phone with the caller id spoof app or connect the spoofing device to any phone and do it.

slashdot worthy? (5, Funny)

ZeroNullVoid (886675) | more than 3 years ago | (#32740100)

please tell me this is slashdot worthy?

I see this post as the same thing as saying one of the following:

You can hack into a car by throwing your android phone really hard at a window.
There is an app on your android phone that makes it so you can steal money from people, just put it in your pocket, hold it to their back and pretend it is a gun while asking for everything they have.
Hack your McDonald hamburger by taking the buns and putting them on your head and calling them your alien receptors.
Hack your microwave, stick your android in it for 10 minutes while running this "insert ad here" app.
Hack the airwaves, play music on your android.

...what? (2, Insightful)

Urza9814 (883915) | more than 3 years ago | (#32740114)

AT&T _still_ doesn't require a voicemail password? I thought pretty much every carrier did because of exactly this kind of trick. It surely didn't start with Android - I remember reading about it years ago, and it was old news even then.

But hell, anyone stupid enough to still use AT&T, when it seems that every week they're losing thousands of customer records, deserves anything that happens.
