Reg probe bombshell: How we HACKED mobile voicemail without a PIN

My voicemail

If anyone wants to hear Flo down the road grumbling that she wants me to get her a pint of milk then they are welcome to that. The only other voicemail I get is from my missus asking where the fuh I am. The Sunday Sun are welcome to it too

VM PIN vs CLI

The idea of using the incoming IMEI and/or billing number ID will be hard to do. Yes those numbers are presented to the mobile operator network, but into a much different part of the network (billing system vs. call processing), and at a much different stage of the call setup. CLI may be handled in real-time, while billing records are not exactly handled in real-time.

The network has to allow you to dial in from remotely for the cases when you are roaming and your call to yourself would come in from outside the operator. This seems to be a convention the GSM-based carriers have arranged, as others have stated there are many networks where PIN is mandatory for every access.

About the only solution that I could see happening quickly is that if you are authenticated on the network (like home network, or home operator) that you could get straight into your voicemail. The other cases where the call comes from outside the network, would require a PIN for voicemail access. (Conceptuallly very similar to port tagging on the inbound trunks.) This will create lots of fun and confusion for all of the people (me included) who set a VM PIN years ago, but then find they can't get into their voicemail from the road the first time after this is enabled.

Well, my voicemail is certainly unhackable - I don't have one. I immediately turned it off (as basically does everyone else I know) simply because leaving it on is widely considered extremely bad form around here since it costs a caller money once the voicemail picks up, even though the call was practically a bust. We don't really see any point in leaving a message if the called party is not reachable; by the time he/she gets it, the point will likely be moot. If not, the missed call indication is generally enough and therefore a call-back is expected anyway.

Phew

Glad I'm on Vodafone.

Here's Bruce Schneier in 2006:

"It's also easy to break into a cell phone voice mailbox using spoofing, because many systems are set to automatically grant entry to calls from the owner of the account. Stopping that requires setting a PIN code or password for the mailbox."

https://www.schneier.com/blog/archives/2006/03/caller_id_spoof.html

Kafkaesque nonsense from Three and EE

So you presented evidence to them that it's possible to access other people's voicemail without a PIN...

...and their reply is "we tell customers to set up a PIN."

Have they even understood what you've just told them? Or is it a case of heads-in-the-sand?

Switch to Hullomail

I use Hullomail. Secure and effective. I am a customer and not an employee before anyone asks! The beauty is it pushes the messages to your phone using a data connection and if you pay £6 a year it forwards them to your email. If you do choose to dial in you must provide a PIN.

How do those conversations with the mobile network go?

Is it something like this:

El Reg: Hey PhoneCoPR we found a security hole in your voicemail system that lets us listen to anyones voicemail even if they set a pin

Phoneco: Oh, its you from that techynerd site. Well, our custoemrs are safe as long as they set a pin

El Reg: Thats the thing, we can do it without a pin

Phoneco: so they should set a pin

El Reg: Did you want to give a staetment that actually makes you look inteligent?

The level of ignorance...

...in the Telcos of their own systems is astounding. I think it has a lot of to with the global game of chasing down salaries and outsourcing of their most competent techs....

VOIP is the problem

This is the tip of the iceberg. Analogue phone networks are pretty secure, but once you add VOIP you are open to any sort of hacking in the same may as any email can be hacked. I believe the US is in the process of converting its entire wired phone network to an open VOIP system, unlike the UK where at the moment BT's 21CN core is IP, but not externally visible as such . This will cause chaos.

giffgaff?

Do the same security holes or lack of exist in the virtual networks? I.e. is giffgaff ok because it's on O2?

I Tweeted @ThreeUK and linked to this article.

They linked back to their standard "Setting up a PIN" page.

I have pointed out that this article shows PIN is bypassed.

Fecking idiots.

***

ThreeUK: @DaddyHoggy We offer the following advice to anyone who is concerned about security: po.st/BfQEdr

Original Message:

http://twitter.com/ThreeUK/status/459664401872986112

Inconceivable!

Wait... An El Reg staffer -- a staffer named Simon, of all things:

- made a bet

- of a technical nature

- with a co-worker

- involving a technical topic

- in a pub

And he didn't wager at least a few pints, a few quid, or a shift on the helldesk? Come on!

Almost on sidebar of shame (but not quite)

Well done, you're on the front page of Daily Mail online: http://www.dailymail.co.uk/sciencetech/article-2613258/Are-voicemails-STILL-risk-hacked-Investigation-reveals-easy-access-inboxes-without-PINs.html

I knew that is how it worked. I just thought that it had been fixed by now.

The networks should have had the liability due to the measures being so insufficient.

It sounds like

It's all gone to POTS

So O2 have got it right have they?

How come every 2 or 3 months I suddenly find that they have removed my PIN from my voicemail?

Sometimes I get a text telling me I have a message and all the message is, is O2 telling me to set my PIN because I haven't. But I first set it when I had an analogue phone and I am still with the same provider, sort of as I started with BT Cellnet. And every time they tell me I haven't set it, I do.

So I set a PIN and then a bit later they remove it.

Why?