[Infowarrior] - Making a PBX 'botnet' out of Skype or Google Voice?
Richard Forno
rforno at infowarrior.org
Sun Apr 12 18:15:24 UTC 2009
http://www.thestandard.com/news/2009/04/10/making-pbx-botnet-out-skype-or-google-voice
Making a PBX 'botnet' out of Skype or Google Voice?
Robert McMillan, IDG News Service04.10.2009
Flaws in popular Internet-based telephony systems could be exploited
to create a network of hacked phone accounts, somewhat like the
botnets that have been wreaking havoc with PCs for the past few years.
Researchers at Secure Science recently discovered ways to make
unauthorized calls from both Skype and the new Google Voice
communications systems, according to Lance James, the company's
cofounder.
An attacker could gain access to accounts using techniques discovered
by the researchers, then use a low-cost PBX (private branch exchange)
program to make thousands of calls through those accounts.
The calls would be virtually untraceable, so attackers could set up
automated messaging systems to try and steal sensitive information
from victims, an attack known as vishing. The calls might be a
recorded message asking the recipient to update their bank account
details, for example.
"If I steal a bunch of [Skype accounts], I can set up [a PBX] to round-
robin all those numbers, and I can set up a virtual Skype botnet to
make outbound calls. It would be hell on wheels for a phisher and it
would be a hell of an attack for Skype," James said.
In Google Voice, the attacker could even intercept or snoop on
incoming calls, James said. To intercept a call, the attacker would
use a feature called Temporary Call Forwarding to add another number
to the account, then use free software such as Asterisk to answer the
call before the victim ever heard a ring. By then pressing the star
symbol, the call could then be forwarded to the victim's phone, giving
the attacker a way to listen in on the call.
Secure Science researchers were able to access accounts they had set
up using an online service called spoofcard, which allows users to
make it appear as though they are calling from any number they wish.
Spoofcard has been used in the past to access voicemail accounts. Most
famously, it was blamed when actress Lindsay Lohan's BlackBerry
account was hacked three years ago and then used to send inappropriate
messages.
The attacks on Google Voice and Skype use different techniques, but
essentially they both work because neither service requires a password
to access its voicemail system.
For the Skype attack to work, the victim would have to be tricked into
visiting a malicious Web site within 30 minutes of being logged into
Skype. In the Google Voice attack (pdf), the hacker would first need
to know the victim's phone number, but Secure Science has devised a
way to figure this out using Google Voice's Short Message Service (SMS).
Google patched the bugs that enabled Secure Science's attack last week
and has now added a password requirement to its voicemail system, the
company said in a statement. "We have been working in coordination
with Secure Science to address the issues they raised with Google
Voice, and we have already made several improvements to our systems,"
the company said. "We have not received any reports of any accounts
being accessed in the manner described in the report, and such access
would require a number of conditions to be met simultaneously."
The Skype flaws have not yet been patched, according to James. EBay,
Skype's parent company, did not immediately respond to a request for
comment.
The attacks show how tricky it will be to securely integrate the old-
school telephone system into the more free-wheeling world of the
Internet, James said. "This kind of proves ... how easy VoIP is to
screw up," he said. He believes that these kinds of flaws almost
certainly affect other VoIP systems as well. "There are people out
there who can figure out how to tap your phone lines."
Reprinted with permission from IDG News Service. Story copyright 2009
IDG News Service Inc. All rights reserved.
More information about the Infowarrior
mailing list