[Infowarrior] - AT&T/Cingular Voicemail Susceptible to Caller ID Spoofing

Sat Jul 7 01:33:53 UTC 2007

iPhone Users: AT&T / Cingular Voicemail Susceptible to Caller ID Spoofing

http://www.oreillynet.com/onlamp/blog/2007/06/iphone_users_att_cingular_voic
.html

Saturday June 30, 2007 9:37PM
by Nitesh Dhanjani in Technical

I just got myself an iPhone and I¹m extremely pleased with it. I think it¹s
the best cell phone on the market - a sheer pleasure to use.

The purpose of this post is to alert new iPhone customers about a security
vulnerability in AT&T/Cingular¹s Voicemail system that has not been fixed
for more than a year. I first wrote about this on February 1, 2006: Exploit
Cingular Voicemail Vulnerability via Caller ID Spoofing. As soon as I got my
new AT&T/Cingular number, I tested for this vulnerability and I can confirm
that it still exists for new AT&T/Cingular accounts (atleast for iPhone
customers). I can¹t force AT&T / Cingular to fix this issue, but I can tell
you about it so you know what to do to protect yourself from this
vulnerability.

Here is an explanation of the vulnerability in a nutshell: The AT&T/Cingular
voicemail system is configured by default not to ask for a password when you
check your voicemail from the handset (it asks for your voicemail password
if you call your number from another cell phone and press * when your
voicemail answers). Unfortunately, the AT&T/Cingular voicemail system trusts
Caller ID to determine if the handset is calling it. Because Caller ID can
be spoofed easily (see below), anyone can gain access into your voicemail by
calling you and spoofing your phone number (it will appear as if you are
calling yourself when your phone rings) - should you not answer the call,
your voicemail will answer and allow the intruder full access to your
messages.

Here is how to test the vulnerability:

   1. Buy a calling card from Spoofcard. This service lets you spoof your
caller ID.
   2. Use another phone and call your cell phone using Spoofcard. When the
Spoofcard asks you what number you want to spoof, enter your number again.
   3. Do not pickup your cell phone. When the call goes into voicemail, if
you are able to listen to your messages without being prompted for a
password, then you are vulnerable.

Here is how to protect yourself from this vulnerability:

   1. Call your AT&T/Cingular voicemail (dial your own number from the
iPhone).
   2. Press 4 to go to ³Personal Options².
   3. Press 2 to go to ³Administrative Options².
   4. Press 1 to go to ³Password².
   5. Press 2 to turn your password ³ON².
   6. Hang-up and call your voicemail again from your iPhone. If your
voicemail system asks you for your voicemail password you are all set.

I sincerely hope that AT&T/Cingular gets around to fixing this huge security
hole in their voicemail system. 