Reg probe bombshell: How we HACKED mobile voicemail without a PIN

Voicemail inboxes on two UK mobile networks are wide open to being hacked. An investigation by The Register has found that even after Lord Leveson's press ethics inquiry, which delved into the practice of phone hacking, some telcos are not implementing even the most basic level of security. Your humble correspondent has just …

COMMENTS

This topic is closed for new posts.


I'm actually surprised; I wasn't aware that if you are calling from your own phone you don't need to authenticate.

I live in Canada, and if I call my voicemail, even from my own phone, I have to enter my pin. Calling from elsewhere requires my number and pin. I don't see it as an inconvenience, it's the same concept as having a pin on your phone or a password on your laptop.

Someone with physical possession of your phone shouldn't be able to check your voicemails with no auth.

9
2
Bronze badge

Well I've never come across a system which made you enter a PIN when calling from your own phone, neither for mobile nor fixed. I've lived abroad in Europe and it was the same in the countries I lived in there.

Simply stopping the spoofing would be a good step for me as I like the convenience of not having to enter yet another PIN.

2
1
Anonymous Coward

Same in the U.S.

I have never used a network in the U.S. that doesn't require a PIN for all voicemail access. Honestly I'm shocked that it is possible to do so in the UK or other countries in Europe. You can never guarantee that the person using a phone is the owner of the phone.

3
3
Bronze badge

"Simply stopping the spoofing"

Actually stopping the spoofing isn't really a solution. It can be, and is, a useful facility of telecoms that the CLI can be presented as something other than the line you are on. Also, in some cases, if you are calling from a VoIP system you may not actually have a line that can present something intelligible to the destination, so being able to present another number is useful. This is part of telecoms equipment throughout the digital world and it isn't really viable to suddenly stop this facility.

The problem actually arises by people/companies who should know better validating on something so inherently unvalidatable (? that a word?). They should use the ANI, not the CLI to validate, or request a PIN. A PIN should be forced to be set as soon as someone gets a new account with a mobile provider.

6
0
Bronze badge

Yeah, OK to be clear, I meant stopping voice mail systems from not seeing past snooping. I'm not against CLI being used for a variety of other purposes.

0
0
Bronze badge

I'm entirely against CLI being spoofed, whether that facility is "useful" or not, since that's what makes it impossible to identify and block nuisance calls.

5
5
Silver badge

re: CLI being spoofed

>I'm entirely against CLI being spoofed

If you aren't going to allow it to be "spoofed" - then you will need a government agency to issue official CLIs and enforce their use. A phone version of the DVLC

And it's going to have to have international agreements so foreign calls are also correctly id-ed.

And it's going to have to deal with Skype, VOIP, conference calls web-sms gateways etc.

It's a little like having a law saying your reply-to email can't be "spoofed"

5
4
Silver badge

"They should use the ANI, not the CLI to validate,"

Seconded.

CLI is spoofable BY DESIGN. It's just a way of presenting an arbitrary message to the end user which bears no actual relationship to the calling number other than that's the most common use.

ANI is used to generate accounting data so the telcos have a vested interest in making sure it's accurate and unspoofable.

Guess which one the emergency services get?

CLI has always been spoofable from a ISDN connection, VOIP just makes it even easier.

USA-style CLI is even easier to spoof. A burst of appropriate tones during the call will tweak most of their CLI boxes and if done as the call connects, most recipients will be none the wiser as it happens in the time taken for the handset to actually reach their ear.

5
0
Bronze badge

Why spoof

As I explained in the article I have a perfectly valid reason for spoofing. When the call is going through a switchboard the person receiving the call wants to see the number from the subscriber who originated it not the switchboard in the middle.

OTOH I have come across an opposite scenario. You are not supposed to use a Sky decoder outside the UK. Sky will occasionally ask the box to ring it up so that they can check the CLI. A friend had his box in Europe and intercepted the line so that outgoing calls went to his home in the UK where he had an ISDN PABX. From there it routed the call out to Sky with his home CLI.

1
1
Bronze badge

I guess depends on the carrier in Europe as well

My provider (Elisa, in Finland) has always required the PIN, which I consider the only sane method, because just because it is my phone does not mean it is me using it.

0
0

Bloody Telenor.SE always want the PIN - It is a pain in the ass because I have run out of storage area for PIN numbers so I cannot use their voice mail.

1
0

Re: Same in the U.S.

Honestly I'm shocked that it is possible to do so in the UK or other countries in Europe.

Because we do not care. The majority here never use voice mail for anything; it just never caught on. Almost everyone uses a mobile as their main phone so they can always see the missed calls and they use SMS instead of voice.

For me it's a stupid misfeature and I would like to switch it off: people let the phone ring till it gets to the voicemail (this happens easily because the "ring counter" starts well before the "bell" in the other end rings), then they hang up - often leaving 3-4 seconds of scratchy sounds - and then the person they dialled gets hounded by SMSes from the voicemail service for quite a while, and one cannot ignore it entirely because about 1% of the callers still leave a voice message and then expect you to act on it instead of just sending an SMS, like normal people do.

7
2
Silver badge

Re: Same in the U.S.

Agreed. I have *never* used my voicemail on my phone. The main reason? They charge me to do so. If I get charged to pick up voicemail then I sure as hell ain't going to use it. The message recorded is "I won't check voicemail, don't leave one".

0
0

Re: Why spoof

Hi Simon,

Sky box spoof? I had a Sky box in the UK for nearly 7 years, and all but 1 year it was disconnected from the phone line, because BT couldn't figure out how two incoming business lines could be packaged with a third (domestic line) so that the Sky box had its own number... Sky didn't care. You just can't do certain things like online account checks etc., and Box Office movie ordering, which happen via the modem... (You can still get Box Office: just ring Sky yourself :))

Supposedly(!!) it would be easy to figure out where the Sky box is... Surely the comms protocol between Sky satellite and Sky box / dish does something like a handshake (how else do they deliver Box Office movies after you personally called Sky, or do set top box upgrades without a phone line?), and from that handshake Sky should be able to deduce where the machine is, should it not? (Satellites are sort of line-of-sight communication devices, aren't they?)

Having a PABX seems to be a bit of overkill... Just remove the Sky box from the phone line, and Bob's your uncle...

Regards.

Guus

0
0
Silver badge
FAIL

Isn't this just like filtering external packets arriving at your network with a source IP address in the private ranges? It's good to know that at least Vodafone have a clue.

1
1
Bronze badge

No, it's not at all like that.

The same device or address (tel no in this case) can legitimately exist inside and outside your own network at different times and number portability means that any address could belong to you or could belong to another network.

There are techniques that can be employed - but simple, static address filtering isn't one.

2
0
Bronze badge
FAIL

EE: "First and foremost it’s illegal to access a voicemail account without the owner’s permission." As if that's going to stop a hacker. Come on, how can a network be so sodding naive and/or lazy?

As to Three: ouch. Not at all good.

14
0

Maybe they took the RFC seriously?

http://en.wikipedia.org/wiki/Evil_bit

2
0

Both Three and EE fail, in my opinion for the same, or at least a very similar reason: They are hiding behind PR spin that quite simply indicates that they did not even fully understand the impact of the accusation... Or they did, but try to have a stupid answer that will satisfy most of their customer base...

This is what happens when you do things on the cheap, like Three... Not sure about EE and doing things on the cheap, but clearly their investments aren't there where they should be...

Just my two cents,

Guus

2
0
Silver badge

Sorry, what did you say Orlowski's mobile number was, again?

Sent from my iPhone

11
0
Bronze badge

415-553-7400

or maybe not

1
1
Unhappy

how much time did you give them to put their house in order?

how much time did you give them to put their house in order before posting?

2
9
Bronze badge

Re: how much time did you give them to put their house in order?

Not really necessary to give them any time. For one thing they've had since the early days of the Leveson enquiry, or even before that if you look at the advice from various bodies against relying on CLI.

For another it's bloody obvious that doing this is stupid; it's akin to your bank dealing with you either in person or over the phone after simply asking for your name to prove that you are the account holder, which of course they don't, hence why I don't have all your money.

The only time it is conceivably OK not to require the PIN is when you are calling from your own mobile, and they verify it by using back end network info about the call other than CLI as O2 and Vodafone do. This would likely only work when you were calling your voicemail on your mobile and connected to your carrier's network and not while roaming (I don't imagine El Reg tested this?), but that seems like a fair trade off if you want the convenience of not having to press 4-6 extra keys.

Personally I have no use for voicemail on my mobile. 95%+ of the calls I receive are from other mobiles, so if I don't answer and they don't want to try again later or see if I call back, they can send me an SMS text message.

13
0
Bronze badge

Re: how much time did you give them to put their house in order?

I'm all for giving people time to fix their stuff before making a vulnerability public but that's not what's happening here.

These carriers know the security of their voice mail system is pathetic but they don't care. There's zero chance that any halfway competent carrier doesn't understand that CLI can be spoofed.

11
0

Re: how much time did you give them to put their house in order?

Banks really aren't much better. I recently had to call various of my banks for travelling but had forgotten half my password information, but that wasn't a question as long as I answered a set of security questions, all of which could easily be answered by anybody who had got possession of my wallet (containing cards + driver's licence); a couple of the slightly 'better' ones would also have required them to have stolen my wife's purse at the same time. Given that often both wallets will be together (possibly in the same handbag) this really the sort of security to be comparing to.

0
0

Re: how much time did you give them to put their house in order?

I think you're confusing Investigative Journalism with Ethical Hacking.

0
0
(Written by Reg staff) Silver badge

Re: how much time did you give them to put their house in order?

I understand we contacted the affected mobile networks last week. EE says it has now fixed the hole - a follow-up will be published shortly.

C.

2
0
Silver badge

Re: how much time did you give them to put their house in order?

That sounds like about 7 days more than they deserved.

But I applaud your respect for the punters.

0
0

Hmm

'We approached Three about this, and a spokesman said: "The advice we've always given customers about security is to mandate their PIN. This is particularly so for people who worry that if a phone is stolen, it might be used to access their voicemail. This advice is given under the voicemail security pages of the Three website."'

Unfortunately, that's describing a completely different threat model from being hacked by any random person who knows your mobile number. Also, their voicemail security page says "You'll always be asked to enter your phone number and PIN if you access your voicemail from another mobile or landline phone." - which is manifestly wrong. Not impressed, good thing I'm not using them for voice at the moment.

12
0

Re: Hmm

You can turn PIN skip off through the Ctui/IVR so even if you call from your own handset you are asked for a PIN. Not many people take up this option as it is not default.

1
0
Bronze badge

haha

One thing I have learned when working on diagnostic software for mobile networks was that they do not like being treated like an ordinary utility company. Complex billing structures, subsidised phones etc. play rather well with plenty of "add ons" they will be happy to sell you, so that's how they view themselves. Yet there is precious nothing on offer that goes beyond a utility company for your communication needs.

And even this is not being done very well.

6
0
Silver badge

Re: haha

Yep! If you take out a SIM-only contract with "unlimited" text messages, stick your SIM into something like an OpenVox G400E and start sending text messages, you will soon find out just how unlimited "unlimited" really means .....

0
0
Silver badge

Come on, it's not hard

On the BT landline network, you are definitely only allowed to use caller IDs that belong to you. I happen to know this because we once had two ISDN30s; and due to an administrative cock-up, they were ordered in two different names. So the presentation number ranges we had paid for were effectively locked to one or other of the line groups.

So our Asterisk was asking for what should have been a permitted ident; but if the call happened to get routed over the wrong line, then the ident got silently dropped, with the call coming through as anonymous.

This was, as you can imagine, a 'mare to troubleshoot. It only even became obvious when we started running afoul of anonymous call barring services even despite supposedly setting an ident on every outgoing call .....

3
0

Re: Come on, it's not hard

I haven't worked in telecoms for a good few years but I remember that, in the UK at least, it was actually illegal for a subscriber to change their CLI. A telco could do it as long as the new number was within their assigned number range. Whichever VoIP to POTS provider they used should have just rejected the changed CLI.

0
2
Anonymous Coward

Re: Come on, it's not hard

BT don't allow it and I doubt any of the other major operators do.

Be aware though that there's a difference between Presentation Number - a legitimate product, and spoofed CLI which is always illegitimate. Presentation number is used to display a switchboard or main office number on outbound calls where the 'real' CLI would be unreachable or inappropriate, but the actual CLI contained in the signalling and call record is correct and identifies the line. In a call centre, for example, direct dialing inbound to an agent is forbidden and so using the real CLI would just give a number that can't be reached. Showing the switchboard number solves the problem. Spoofing actually involves putting knowingly false data in the signalling message.

The problem is that you only need one operator who will allow it. Since the end of Ofcom licensing anyone can set up a telco and there's little 'threat' of having your licence removed for bad behaviour, though the telcos will refuse to interconnect if you persistently misbehave.

Spoofed CLIs often originate internationally however. They might pass through three or four or five networks before they reach the UK. Until recently BT and others treated CLIs that came from call aggregator routes as 'untrusted' and showed 'INTERNATIONAL' or 'UNAVAILABLE' in the CLI field. They'd only trust the CLI if they trusted the operator sending them the calls - a dedicated France Telecom route for example that only has 'own network' calls on it. The problem with that approach is that very few incoming international calls to the UK actually touch BT or Virgin's networks. Foreign telcos buy international routes on a spot market, calls are aggregated and eventually end up in somewhere like Paul Street in London, a private international exchange, and calls are handed to the national network. No-one, not even the aggregator, has any idea where those calls came from. They only know which network gave them the call, which almost certainly won't be the network the call originated on.

That situation is changing and I believe there's been lots of pressure for the UK telcos to now show the CLIs where they are present - but it does mean that spoofed CLIs will have an open door. My best guess is that UK switches are now inspecting the CLI and rejecting calls from what appear to be international routes but giving a UK CLI. I don't think the mobile operators can do that though - it breaks roaming - so this may be at the heart of the problem. Any attempt at policing will cause call rejection of calls made by UK mobiles abroad on a non-home network. Making your PIN mandatory might be the only way of ensuring security.

The current telephone signalling and addressing system was designed in an era when the telcos knew each other and trust between them was implicit. That's been blown apart but the system (CCITT SS7) can't easily be changed without upgrading every single telephone exchange in the world. All the time a single operator, anywhere in the world, allows CLI faking on an interconnect, this problem won't go away.

3
0
Silver badge

Re: Come on, it's not hard

Even back to the days of DASS2 it was possible to present any number in your valid DDI range to the exchange on call set-up. If you had a 2-digit DDI in the range 00-49 then you could claim to be from any of those numbers, but if you tried to give it a number in the range 50-99 it would ignore you and default to the presentation number you'd chosen for your range. Of course, it helped that back then BT already knew what you were allowed to use and range-checked it. Interestingly, if you received a call from such a DDI number on a digital line you'd find the incoming CLI had an X in it immediately before the DDI digits, which was BT's way of informing the called party that they couldn't vouch for the digits after the X. This didn't happen with analogue CLI, although I wasn't in a position to check whether it was being sent but the CLI box (official BT one) was quietly eating the X.

4
0
Silver badge

Re: Come on, it's not hard

"On the BT landline network, you are definitely only allowed to use caller IDs that belong to you"

That's a recent change. When I tested the premise that CLI was freely spoofable over ISDN in 2004 it would accept any old cruft.

2
1

Re: CLI freely spoofable on ISDN

Whereas that wasn't the case for me. Did you test more than one ISDN circuit ?? If not, it might have been misconfigured at the exchange (By BT ?? Shurely not !!)

1
1
Silver badge

Re: Come on, it's not hard

When you have an ISDN30 (thirty B-channels and a D-channel), you get 30 numbers with it; but those numbers are not locked to individual B-channels. Anyone else who dials any one of those numbers will send a call up some available B-channel, and you can identify a call going down any one of those 30 B-channels as any one of those 30 numbers.

You change your CLI by means of D-channel messages (in Asterisk, the dialplan command is Set(CALLERID(num)=.....)), but BT will only let you identify as a number that actually belongs to you.

I have never actually worked with ISDN2 lines, but would imagine it is at least broadly similar.

An analogue line doesn't give you any access to the D-channel (and there is no in-band signalling anymore; it was the advent of ISDN that finally put an end to the Blue Box), so you can't change the CLI.

0
0
Bronze badge

Re: Come on, it's not hard

With any ISDN lines, channels and DDIs are separate. I have a block of 200 DDIs delivered to my switch. To the best of my knowledge per circuit you can have 5 blocks of DDIs of any size.

As of 2007 you could also present any number as the CLI - as part of an office move I have set:-

1) My mobile number

2) geographic numbers on a different exchange (i.e. the new office DDIs while at the old office)

3) non-geographic numbers

All of which presented correctly.

1
0

It's not just 3 or EE you need to badger

Who made the HLR and Voicemail systems - I suspect they're made by someone completely different, and specced to "competitive" prices. I agree that it's shoddy by today's standards to not have these security features, but I wonder how old the current kit is and if there is budget to replace it (as, if it's quite old, chances are the firm that made it has been bought by someone else and EOL'd, so no more s/w upgrades).

Ask 'em who provided the kit, and then go knocking on their doors. Ask them for their feature list & roadmap to find out if the operator is being tight and not paying for optional features, or needs to fork out for a new platform cos the old one won't ever get a s/w upgrade.

I've disabled my voicemail, so no worries about hacking there :)

1
0

This might not entirely be the fault of the voicemail providers.

The originating line switch which accepted the access connection (from your VoIP line - but could as easily have been a Basic Rate ISDN or a Primary Rate PBX interface) should be marking the originating line identity as *untrusted* (user provided, not screened). That is, unless it has gone through screening, in which case it can become trusted.

If the originating service provider isn't doing things properly then when the call is being passed to the voicemail provider (terminating exchange) they could be acting on the incorrectly marked fields.

Another number to use is the Network Number. In the UK, at least, this should always be provided by the originating service provider and be trusted (public can't change it). Ideally this is the number that should be used for voicemail access/validation, where possible (but there are other complications with this).

Either way, EE and 3 should not allow non-PIN authentication if originating CLI can't be trusted to be network screened/provided. Shame on the *Test Teams* within Three and EE for not picking up on this. O2 and Vodafone proved it can be done right, so why can't YOU?

1
4
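The two posts above argue the same point: the voicemail platform should decide PIN-skip on the network-provided identity and the screening indicator, treat display CLI as advisory, and distrust calls arriving over aggregator/international routes or while roaming. The following Python is an added illustration of that policy as a decision function plus a detection hook (not any operator's code); the field names, the rule ordering and the sample calls are assumptions, and the numbers are taken from Ofcom's reserved drama ranges.

```python
"""Voicemail PIN-skip policy keyed on network-provided identity, not display CLI.

Added illustration, not an operator's real implementation. The InboundCall
fields and the ordering of the rules are assumptions; the Screening values
are the ITU-T Q.763 calling-party-number screening indicator codes.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class Screening(Enum):
    """Q.763 screening indicator carried with the calling party number."""
    USER_NOT_VERIFIED = 0b00      # 'user provided, not verified' -> untrusted
    USER_VERIFIED_PASSED = 0b01   # originating switch range-checked it
    USER_VERIFIED_FAILED = 0b10
    NETWORK_PROVIDED = 0b11       # inserted by the network itself


@dataclass
class InboundCall:
    mailbox: str                    # E.164 digits of the mailbox being dialled
    cli: str                        # presented calling party number (display CLI)
    cli_screening: Screening
    network_number: Optional[str]   # network-provided identity (ANI-like), if any
    trusted_route: bool             # arrived on an own-network/trusted interconnect?
    roaming: bool                   # mailbox owner registered on a visited network?


def pin_required(call: InboundCall) -> Tuple[bool, str]:
    """Return (must_enter_pin, reason).

    Only network-provided evidence may waive the PIN; the display CLI is
    user-settable by design, so a match on it alone proves nothing.
    """
    if not call.trusted_route:
        return True, "call arrived over an untrusted interconnect"
    if call.roaming:
        return True, "owner is roaming: home network did not originate the identity"
    if call.network_number is not None:
        if call.network_number == call.mailbox:
            return False, "network number matches mailbox owner"
        return True, "network number does not match mailbox owner"
    # No network number on this route: accept only a network-screened CLI.
    if call.cli_screening is Screening.NETWORK_PROVIDED and call.cli == call.mailbox:
        return False, "network-provided CLI matches mailbox owner"
    return True, "CLI is user-provided or does not match; cannot be trusted"


def spoof_suspected(call: InboundCall) -> bool:
    """Detection hook: display CLI claims to be the owner, but the trusted
    evidence forced a PIN anyway. Worth logging for the fraud team."""
    required, _ = pin_required(call)
    return required and call.cli == call.mailbox


# Constructed sample calls (Ofcom drama ranges 07700 900xxx / 01632 960xxx).
OWNER = "447700900123"
SAMPLE_CALLS = {
    "own_handset":     InboundCall(OWNER, OWNER, Screening.NETWORK_PROVIDED, OWNER, True, False),
    "voip_spoof":      InboundCall(OWNER, OWNER, Screening.USER_NOT_VERIFIED, "441632960999", True, False),
    "intl_aggregator": InboundCall(OWNER, OWNER, Screening.USER_NOT_VERIFIED, None, False, False),
    "roaming":         InboundCall(OWNER, OWNER, Screening.NETWORK_PROVIDED, OWNER, True, True),
    "friend_remote":   InboundCall(OWNER, "447700900456", Screening.NETWORK_PROVIDED, "447700900456", True, False),
}

if __name__ == "__main__":
    for name, call in SAMPLE_CALLS.items():
        pin, why = pin_required(call)
        flag = " [possible spoof]" if spoof_suspected(call) else ""
        print(f"{name:16} pin={'yes' if pin else 'no'}  {why}{flag}")
```

Only the "own_handset" case skips the PIN; the VoIP call presenting the owner's number is refused on the network number and flagged as a suspected spoof.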

A VoIP provider, unless it's a very small one, is highly unlikely to be using ISDN connections. Most likely they are using an SS7 interconnect, so the VoIP provider is able to provide whatever network number and caller ID they wish when placing the outbound call.

There are services such as Skype which allow a mobile number to be used as the caller ID but these are always first validated. There is an Ofcom guideline NICC ND1016 which states that a caller ID which is set by the carrier should be correct so that a call made back to that number should reach the original caller. So whatever telco The Register used for this testing was technically in breach of this regulation. They probably got permission to provide the particular number in their testing but the fact remains whichever telco is allowing others to hack voicemail using this method could get into trouble.

0
1

"There is an ofcom guideline NICC ND1016 which states that a callerid which is set by the carrier should be correct so that a call made back to that number should reach the original caller."

Which is of course honoured far more in the breach than the observance.

You ever tried calling back a silent direct marketing call ?? Or one of those with a UK number that are clearly coming from a sweatshop call centre in Mumbai/Durban/etc ?

4
0
Anonymous Coward

"There is an ofcom guideline NICC ND1016 which states that a callerid which is set by the carrier should be correct "

Ofcom only have jurisdiction in the UK. Most of the spoofing is happening outside of the UK.

1
0
Thumb Up

Nothing like a busty Welsh songstress to brighten up a technical article about the inner working of the UK phone network, for illustrative purposes of course.

16
0
Silver badge
FAIL

"First and foremost it’s illegal to access a voicemail account without the owner’s permission."

Doesn't mean that the telco is not negligent in leaving the front door wide open.

"If any customer has concerns about voicemail security we would advise them to follow a few simple steps on their device and set up PIN entry."

That is promptly ignored by their yoghurt pot-and-string systems. The right advice would be disabling voicemail altogether until they sort it out, but that means they lose out on the incoming call revenue.

6
0
ACZ

Consumer convenience v security

Just set up voicemail on a new mobile on EE, and it does give you the option of requiring a PIN every time you call the voicemail number, even from your own phone. It seems from the page on the 3 website linked to by the article that they have the same option.

That said, the marketing droids could have actually given a direct answer to the question/issues raised, rather than the usual tripe that they seem to churn out.

I guess that ultimately this might come down to the mobile phone companies providing the mass-market convenient option of not having to enter a PIN when calling from a number that appears to be your own, whilst providing the "always on" PIN requirement for those who want some security.

CLI spoofing has been an easy option for many years, so the fact that it provides a way to get into people's voicemail doesn't surprise me. Oh well...

1
0
Anonymous Coward

Three: "The advice we've always given customers"

Er, no they haven't. Just because it is buried away on a website if you wanted to specifically search for it does not mean it is advice they always give customers. That would require them stating that the device will always require a PIN unless they choose to turn it off when connecting from their own handset and then giving appropriate warnings if they do.

1
0
FAIL

EE and security, don't make me laugh

I left Orange as it was a few years ago and one of the reasons was the call centre droid telling me my full password which was visible to him and stored in plain text along with all my bank details etc etc.

Orange/EE have been aware of the CLI spoofing flaw for years and have done nothing about it, this is not a new revelation but they won't do anything about it as that would involve investment.

Useless bunch

1
0
