Compromising online services by cracking voicemail systems

Video in TIB AV-Portal: Compromising online services by cracking voicemail systems

Formal Metadata

Title
Compromising online services by cracking voicemail systems
Alternative Title
Compromising Online Accounts by Cracking Voicemail Systems
Author
Martin Vigo
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date
2018
Language
English

Content Metadata

Abstract
Voicemail systems have been with us since the 80s. They played a big role in the early hacking scene, and re-reading those e-zines, articles and tutorials paints an interesting picture: not much has changed, neither in the technology nor in the attack vectors. Can we leverage the last 30 years' innovations to further compromise voicemail systems? And what is the real impact today of pwning them? In this talk I will cover voicemail systems, their security, and how we can use old-school techniques and new ones on top of current technology to compromise them. I will discuss the broader impact of gaining unauthorized access to voicemail systems today and introduce a new tool that automates the process.
Transcript

Let's get it started. Martin Vigo, give it a big hand, let's go.

Hello, thanks everyone for coming to this talk. It was supposed to be a 45 minute talk, so I can only be 20 and I've got to go super, super fast, because I really want to cover the entire content. My name is Martin Vigo and I work as a product security lead. I'm from Galicia, Spain; we've got the best surf in the world, if you don't believe me come over there to try it. I like results, I like scuba, and I don't like whiskey, I like gin and tonics, in case you want to come ask questions later: you know how to draw my attention.

So let's talk about history. We're going to talk about voicemail systems (I like to move, and I don't have a wireless thing), voicemail systems and how to compromise them, right? The first thing when you do research is you look up prior art, and in this case it was really cool, because I just went back to the 80s, when voicemail systems became popular, and I started to read articles and e-zines from the first hackers and phreakers. It was really, really good, so I condensed everything that I learned into five quotes from five different e-zines.

So here we can see that it says: "you can just enter all two-digit combinations until you get the right one. A more sophisticated and fast way to do this is to take advantage of the fact that such machines typically do not read two numbers at a time and discard them, but just look for the correct sequence." Actually, in this one, "Hacking AT&T answering machines quick and dirty", we can see the actual sequence that you can enter, and it would actually be the entire two-digit PIN key space, because if you enter one two three four, it will actually parse two three as well to look if it's the correct PIN. In a tutorial for Aspen voicemail systems, what we learn is that there were actually default passwords, and there were actually common patterns that people use as PINs. And in the last one, what we learn is that there is also the old "change the message to make it say something to the effect of: this line accepts all toll charges, so you can bill third-party calls to that number." What that means is you basically record as the greeting message "yes, I accept the charges from the penitentiary" and you get basically free calls.

So voicemail security in the 80s we can sum up as: there were default passwords, common passwords, brute-forceable passwords, efficient ways to brute-force the passwords, and the greeting message was an attack vector. How about we play checklist? Fast forward to today: voicemail security today, let's do a checklist.

Default passwords: check. According to the public documentation of the four major carriers of the United States on their websites, AT&T is three six ones, T-Mobile is the last four digits of the phone number, Sprint is the last seven, Verizon is the last four. Common passwords: according to fantastic research from 2012 from DataGenetics, there are a number of conclusions that they got to, but basically some of the important ones were that you have a 22 percent chance of guessing a four-digit PIN by just trying the top 20 PINs of the 10,000 possible. So that means that for one in four victims that you try, by just trying 20 PINs, you will actually get the right one. Other conclusions include that most of the PINs start with one nine, and that's because people tend to use their birth year as a PIN. Brute-forceable passwords: AT&T, T-Mobile, Sprint, Verizon, they all allow four-digit PIN codes. Efficient brute-forcing: it actually allows you to enter three PINs at a time by using the pound key to concatenate them, which is kind of like a return in a voicemail system, and you don't even have to wait for prompts or error messages if the PIN was wrong.

So with all this in mind, what I learned from the amazing hackers from the 80s and my tests today on the voicemail systems, I decided that I should write a tool that actually takes advantage of that and allows you to brute-force voicemails fast, cheap, easy, efficiently and undetected. So let's look at how fast. I use Twilio, which is basically a VoIP service that allows you to programmatically make phone calls, to make hundreds of calls to the victim and to try different PINs. It's cheap: the entire four-digit key space for less than 40 bucks, or if you want to have a 50% chance of actually guessing the correct PIN in a four-digit one, it costs you less than five. But we can take a different approach: why don't we try the default PINs that we mentioned before on a thousand different numbers? Remember, the phone number is actually the PIN code. So that costs you 13 bucks. It's easy, it's fully automated: you pretty much provide the victim's phone number and some other parameters and that's it. I already configured the specific payloads for the carriers, and it efficiently optimizes brute-forcing: it tries three PINs at a time, and it uses the existing ratios from the research from DataGenetics to favor the ones that are more common, to favor the ones of birth years and stuff like that.

But the most important thing is detection, because if you think about it, if I as an attacker want to interact with your voicemail, I need to call you, because only if you don't pick up can I interact with your voicemail. So that really sucks, because I need to detect when your phone is offline. So what are the ways that I can go straight to your voicemail with my tool? When I started to look into this, one of the things that I tried was to do several calls at the same time to kind of flood the line, and it will work and go straight to the voicemail. It's actually kind of like Slydial, which is a service for scammers and marketers to basically go directly to your voicemail. You can call when the phone is offline, and you can use OSINT techniques for finding out when someone has the phone offline: everyone likes to tweet when they take the plane. Who goes to Burning Man in two weeks? You'd better stay till the end of the talk. You have the HLR, the Home Location Register, which is a global database that you can query if you pay a little bit of money, and among other things what it provides you is actually whether the phone is connected to a tower. I tried it, it's not very reliable, not very real time.

So I had to find a way that was really good in order to go straight to your voicemail, and that's when I found the concept of backdoor voicemail numbers. It turns out the carriers think it's a good idea to have a system that you can dial in, put the number you want to leave a message to, and then you leave the message. So I don't have to call you, I call that service and provide your phone number, but you know, when you press star you access the login prompt. And so that's actually what the tool uses in order to not have to have your phone offline and be able to brute-force passwords. So now Voicemailcracker is undetected, because I'm not even calling your phone. But the thing is, it doesn't have only that advantage. It turns out that during my tests, when I was calling directly to the victim, every fourth or fifth call would fail, because it can only take that many calls, and the tool would retry again. But when I tried with backdoor voicemail numbers, because they are meant to be used by everyone, what happens is I did literally hundreds of calls and it never, never failed.

Let's do the first demo, and in this demo what I want to do is basically show you how the tool works. So what you see on the left is the victim's number (I'm trying to see where to make this bigger), so it's the victim's number; on the right you see the tool. In this case I'm using the brute-force option, and as you can see I provide the victim number, the type of carrier, because it has specific payloads, and the caller ID, which actually Twilio provides to you, and then I use the option of backdoor number, right, so it doesn't call the victim. And if you see, the last option is top PINs, so I'm trying, based on the previous research, the top 20 most common PINs. Of course the PIN is 1983, that's the DEF CON theme. So what it's doing now is making those calls; I mean it can do hundreds of them, but for demo purposes I wanted to make just the top 20. It's just trying those PINs, it's interacting with the voicemail, so because it tries three at a time, you will find that first it will tell you that possibly one of those three is the PIN, and then it will try those PINs individually just to find out which is the right one. I wanted to fast forward this demo, I will for the other two that I have, but I wanted to give you the feeling of how long it takes, and the truth is, it feels that it takes too long for just 20 PINs. But think that in reality, how do I find out if the PIN is correct? People thought that I use sound processing just to figure out if it errors out, but I don't, I'm very lazy, so I do it much better: what I do is the call duration, right? If you enter three PINs wrong, the call will hang up, so that gives me actually a pattern of the duration of the call. So with Twilio I instructed it to actually wait 10 extra seconds, so all I've got to do is wait for the thing to log in; if the PIN is correct, it will wait 10 extra seconds, so because of the duration of the call I know that that PIN is correct. So that's what it's doing right now, that's why it takes a little longer, but obviously when you don't have the right PIN it will be much faster. And in three, two, one, it should tell us that the PIN is 1983. I should have made the demo shorter. There we go, cool, so we see it now. Thank you. Okay, all right.

So we saw that we have a tool that we can use for thousands of calls very cheaply and all that, but what's the impact, right? Why am I sitting here with this, who cares about voicemails, right? Anyway, all the messages you guys probably have are from marketers and scammers, so why am I here? Well, the truth is there is much more to it, right? A lot of people don't realize that you can reset passwords, do 2FA or verification over automated phone calls. So my question to you is: what happens if I have your email, I go instead for the password reset over a phone call, so that it sends you that code that usually it sends you over SMS, and you don't pick up? The voicemail will pick up and will start recording. So now that I can compromise your voicemail, all I have to do is to initiate password resets and I will be able to listen to how the recording spells out the code. So the attack vector looks like: the first thing you've got to do is brute-force the voicemail system, ideally using backdoors as I mentioned. Then, for this one, you need to ensure that the phone is offline, and the reason is because when I do the password reset, PayPal will call the victim, not the backdoor number, but it's only for this single call, and you can use OSINT or call flooding or whatever you want. You start the password reset process, you listen to the recorded message and you've got it. And the tool can do all of this for you automatically. Let's compromise WhatsApp.

Okay, so what you have on the left is the victim's number, the victim's phone, and what you have on the right, I actually did it with a simulator, it is not even actually a phone: I downloaded the APK and put it in Android in the emulator. So I open the app and it tells me, hey, do you want to register? Well, no one has a username in WhatsApp, right, you do that with your phone number. So I enter the victim's phone number, and so what it's going to do is send the text to the victim, so you're going to see on the victim's phone that I'm going to put it in airplane mode, and that's to simulate that the victim is offline, because WhatsApp is obviously going to try to call it. But in the case specifically of WhatsApp, the first thing it does is to send the text, so I'm not interested in that, so I'm going to fast forward here, because it basically waits a minute and gives you the option to call. And so as you can see I press now "call me", so now WhatsApp is just basically calling the victim, who is offline, so the voicemail will pick up. And now what I'm doing is I'm using the tool with the option of message, and message basically interacts with the voicemail system to retrieve the newest message, so you don't even have to do it, it's automatic. And you see that because I brute-forced the PIN before, now I provide it as an option so it can log in, this option that we have here. And so here, fast forwarding, it's basically interacting with the voicemail, it's retrieving it and it will give you a URL, and all you've got to do is put that in a browser and you get an audio file. So I'm loading that, it gives you an audio file and it should be the newest message the victim has. Now it's interacting with the voicemail system: "new message, code is three..." and that's it. So now I'm going to put the victim's code in here, and that's all it takes. And I want to mention that WhatsApp has really, really strong security, so I'm not claiming... I mean, there are things like you won't be able to see the previous groups, but you can hold on till someone writes and then you will be able to interact, and there is also the fingerprinting and all the stuff. But this is a big problem, because you literally hijack that person's WhatsApp.

So let's go back to the slides. And okay, I've got to go really fast. We're not done yet, because it turns out that some people know this, and so what they did, and what is recommended, is to provide user-interaction-based protection. What does that mean? So the automatic call will not just spill the code, but it will say "please press any key", or "press a random key", or "please enter the code"; it will show you in the UI, PayPal does this, it will show you in the UI a code and you will have to enter it on the keypad when you receive the call. So can we beat this recommended protection? This is what is recommended today when you read the articles. And we're going to play again, we're going to guess it together, and I give you the first hint; everyone probably knows what this is. So this generates some really nice DTMF kind of tones, that was used by John Draper, who was doing good stuff in the 80s. And this is the second one. I actually cheated when I looked at the checklist, right? I told you we're going to cover them all, but we didn't cover that the greeting message, something we learned from the 80s, is actually an attack vector. So this is why it's so important, for you hackers, you guys are amazing, because we want to understand how the system works, right? If you ask someone to explain to you this user interaction protection, they will tell you "all you have to do is press the key". No: the system is waiting to hear a specific frequency, a specific DTMF tone, not that you physically press a key. And that's the thing. So what we can do is we can record the DTMF tones that represent the code that the automatic call is expecting as the greeting message, and it works every single time. Attack vector: exactly the same, we just add now as a second step that you update the greeting message with the DTMF tones, and again the tool will do all this automatically for you. Let's compromise PayPal.

Okay, you see on the left that I already brute-forced the PIN; on the right you see that I need the email, so I will just start the password reset, and in this case it will actually show me a code that I'm supposed to enter when I receive the phone call, right? I'm just basically picking here that I want to reset the password with an automated phone call. And as you can see on the left I'm going to use the option of greeting, and this is what allows you to change the greeting message, and I made it very, very well in this case for the demo, so you see the last parameter is PayPal code. So all I have to do is to put this six three five three there, and the tool will interact with the voicemail, change the greeting message, put the DTMF tones that represent six three five three, and if everything works, I mean, the demo is recorded, then we should see that actually we compromise PayPal. So actually PayPal is already making the call, but I don't care, because it takes a little bit to change the greeting message; I just click "call me" again, right? So we fast forward a little bit. I've got five minutes, okay, I can do this. And in three, two, one, boom, there it is, we just compromised PayPal. Thank you. [Applause]

Okay, very quick: what services you need to pay attention to, I'm going to run over this. This is a small subset, Alexa top 100, not favoring anyone or anything, but password reset for PayPal, Instagram, Netflix, eBay, LinkedIn; 2FA, the big four: Apple, Google, Microsoft, Yahoo; verification: WhatsApp, Signal. Twilio is a good one, because Twilio allows you to verify a caller ID, so I can literally own your caller ID and make calls on behalf of you. Google Voice is used for scamming, but you need to tie it to a real phone number, so I can get unlimited phone numbers by verifying someone else's phone. But the best one is consent. When we think about consent, we think about lawyers, about signing papers. It turns out LocationSmart, which was in the news four months ago I think, because Brian Krebs wrote an amazing article about it, is basically a service that has agreements with the carriers to be able to track you 24/7 if you provide consent by pressing one.

Open source: so the truth is, I obviously did responsible disclosure, and carriers are slow to catch up, some of them didn't answer. I also talked to the services. So releasing this tool would only be a script kiddie tool, but at the same time I don't want to claim stuff here that you can't verify. So basically what I did is voicemailautomator instead. I'm going to publish this code on Monday, because the weekend I'm going to celebrate. So basically I removed the brute-forcing. Why? Because this way I didn't give you code to compromise anyone's voicemail number, but you will be able to try what I'm claiming here on your own voicemail number, and you can go to the GitHub repo.

Recommendations, very quick. For online services: don't use automatic calls for security purposes, nor SMS; feel free to check out a BSides talk I gave that is kind of related to this, but for SMS. If not possible, well, detecting the answering machine is tough, but require user interaction. I just showed you how to bypass that, but that is with the carriers lacking, and ban DTMF tones from the greeting message. This is the most important line for carriers out there: ban DTMF tones from the greeting message, eliminate backdoor voicemail systems, or at least do not allow access to the login prompt by just pressing star. Voicemail should be disabled by default and can only be activated from the phone itself; I was able to activate voicemail for the victim (never the victim, the person that allowed me to test it) and I was able to set a password for them. No default PINs, don't allow common PINs, detect abuse (is this being recorded? it's too late now), limit brute-force attempts, and don't process multiple PINs at once. I've got two minutes. Recommendations for you guys: disable voicemail, or at least use the longest possible PIN; don't provide the phone number unless obviously it's the only way to get 2FA, but you can use a virtual number, because you can, you know, get rid of things like OSINT to figure out your phone, or like SIM swapping, and you would use it for 2FA; try to use apps. I always like to put a slide just to kind of do a "too long, didn't read", because someone will arrive late or whatever, that says: automated phone calls are a common solution for password resets, 2FA, verification services and consent; this can be compromised by leveraging old weaknesses in current technology to exploit the weakest link, voicemail systems. Thank you so much.

[Applause]
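The speaker's top recommendation for carriers is to ban DTMF tones from greeting messages, because the "press a key" protection only verifies that a specific frequency pair was heard. As an added example (my code, not the speaker's Voicemailcracker or voicemailautomator, and not any carrier's implementation), the block below shows how a voicemail platform could enforce that policy when a greeting is uploaded: it runs the Goertzel algorithm over 205-sample frames of 8 kHz audio, reports a key only when one row and one column DTMF frequency each clearly dominate their group for at least two consecutive frames, and refuses any greeting that carries a key tone. The sample rate, frame size, power and ratio thresholds, and the synthetic test greeting (a 440 Hz stand-in for speech followed by the constructed keys 2580) are all my assumptions, not values from the talk.

```python
import math

# --- Assumed analysis parameters: 8 kHz telephony audio, classic 205-sample Goertzel frame ---
SAMPLE_RATE = 8000
FRAME = 205
LOW_FREQS = (697, 770, 852, 941)        # DTMF row frequencies (Hz)
HIGH_FREQS = (1209, 1336, 1477, 1633)   # DTMF column frequencies (Hz)
KEYPAD = (("1", "2", "3", "A"),
          ("4", "5", "6", "B"),
          ("7", "8", "9", "C"),
          ("*", "0", "#", "D"))
MIN_POWER = 0.005   # assumed floor on normalised bin power; silence and leakage stay below it
MIN_RATIO = 3.0     # assumed: the winning bin must beat the runner-up in its group by this factor
MIN_FRAMES = 2      # assumed: a key must persist for at least two consecutive frames (~50 ms)


def goertzel_power(frame, freq):
    """Normalised power of one frame at the DFT bin nearest `freq` (Goertzel recurrence)."""
    k = round(FRAME * freq / SAMPLE_RATE)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / FRAME)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    power = s1 * s1 + s2 * s2 - coeff * s1 * s2   # |X(k)|^2
    return power / (FRAME * FRAME)                 # an on-bin sine of amplitude A gives (A/2)^2


def dominant_index(frame, freqs):
    """Index of the frequency that clearly dominates its group in this frame, else None."""
    powers = [goertzel_power(frame, f) for f in freqs]
    best = max(range(len(freqs)), key=powers.__getitem__)
    runner_up = max(p for i, p in enumerate(powers) if i != best)
    if powers[best] < MIN_POWER or powers[best] < MIN_RATIO * runner_up:
        return None
    return best


def detect_frame(frame):
    """The DTMF key carried by one frame, or None when no row+column pair dominates."""
    row = dominant_index(frame, LOW_FREQS)
    col = dominant_index(frame, HIGH_FREQS)
    if row is None or col is None:
        return None
    return KEYPAD[row][col]


def detect_dtmf(samples):
    """Return the DTMF keys heard in an audio clip (floats in [-1, 1]) as a string."""
    keys, run_key, run_len = [], None, 0
    for start in range(0, len(samples) - FRAME + 1, FRAME):
        key = detect_frame(samples[start:start + FRAME])
        if key == run_key:
            run_len += 1
            continue
        if run_key is not None and run_len >= MIN_FRAMES:
            keys.append(run_key)
        run_key, run_len = key, 1
    if run_key is not None and run_len >= MIN_FRAMES:
        keys.append(run_key)
    return "".join(keys)


def greeting_is_acceptable(samples):
    """Carrier-side policy check: a greeting that carries any key tone is refused."""
    return detect_dtmf(samples) == ""


# --- Constructed sample input (synthetic, not real greeting audio) ---
def synth_tone(freqs, seconds, amplitude=0.5):
    """Sum of sines at `freqs`, `seconds` long, sampled at SAMPLE_RATE."""
    n = int(SAMPLE_RATE * seconds)
    return [sum(amplitude * math.sin(2 * math.pi * f * i / SAMPLE_RATE) for f in freqs)
            for i in range(n)]


def synth_dtmf_greeting(keys, key_seconds=0.1, gap_seconds=0.1):
    """A 440 Hz stand-in for speech followed by the DTMF keys, each followed by silence."""
    audio = synth_tone([440.0], 0.1)
    for key in keys:
        row = next(r for r, names in enumerate(KEYPAD) if key in names)
        col = KEYPAD[row].index(key)
        audio += synth_tone([LOW_FREQS[row], HIGH_FREQS[col]], key_seconds)
        audio += [0.0] * int(SAMPLE_RATE * gap_seconds)
    return audio


if __name__ == "__main__":
    injected = synth_dtmf_greeting("2580")
    print("keys found:", detect_dtmf(injected))                                        # 2580
    print("accept tone-laden greeting?", greeting_is_acceptable(injected))             # False
    print("accept plain greeting?", greeting_is_acceptable(synth_tone([440.0], 0.5)))  # True
```

Real greetings are speech rather than a single sine, so a production check would also apply a twist test (relative level of the two tones) and tolerate a few noisy frames inside a key; the thresholds above are kept deliberately simple so the mechanism stays visible.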
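The other carrier-side recommendations (no default or common PINs, limit brute-force attempts, don't process multiple PINs at once) can be modelled as a small login-prompt state machine. The following is an added example written for this page, not the speaker's tool and not any carrier's code: the attempt limits, the minimum PIN length and the short common-PIN list are assumptions I constructed for illustration (the real DataGenetics top-20 list is not reproduced here), and the phone numbers and PINs are made up.

```python
from dataclasses import dataclass

# Assumed policy values, constructed for this example
MAX_FAILED_ATTEMPTS_PER_CALL = 3   # hang up after three wrong PINs in one call
LOCKOUT_AFTER_FAILED = 10          # lock the mailbox after ten wrong PINs across calls
MIN_PIN_LENGTH = 6                 # longer than the four digits the talk says carriers allow
COMMON_PINS = {"1234", "1111", "0000", "1212", "7777", "2000", "4444", "2222", "123456", "111111"}


def pin_policy_violations(pin, phone_number):
    """Reasons a chosen PIN is rejected at set-time; an empty list means it is accepted."""
    reasons = []
    if not pin.isdigit() or len(pin) < MIN_PIN_LENGTH:
        reasons.append("too short: at least %d digits" % MIN_PIN_LENGTH)
    digits = "".join(ch for ch in phone_number if ch.isdigit())
    # Carrier defaults in the talk were the last 4 or last 7 digits of the number.
    if pin and digits.endswith(pin):
        reasons.append("derived from the phone number (carrier-style default)")
    if pin in COMMON_PINS:
        reasons.append("in the common-PIN blocklist")
    if len(pin) == 4 and pin.startswith("19"):
        reasons.append("looks like a birth year")
    return reasons


@dataclass
class Mailbox:
    number: str
    pin: str
    failed_total: int = 0
    locked: bool = False


@dataclass
class LoginSession:
    """One call's worth of PIN prompts for a mailbox."""
    mailbox: Mailbox
    failed_this_call: int = 0
    hung_up: bool = False
    authenticated: bool = False

    def enter(self, keys):
        """Feed the keys typed at one prompt; returns the prompt outcome."""
        if self.hung_up or self.mailbox.locked:
            return "hangup"
        # Only the digits before the first '#' are a candidate: one PIN per prompt, so
        # '1234#5678#9012#' tests a single PIN instead of three in one round trip.
        attempt = keys.split("#", 1)[0]
        if attempt == self.mailbox.pin:
            self.authenticated = True
            return "authenticated"
        self.failed_this_call += 1
        self.mailbox.failed_total += 1        # persists across calls: this is the abuse signal
        if self.mailbox.failed_total >= LOCKOUT_AFTER_FAILED:
            self.mailbox.locked = True
            self.hung_up = True
            return "locked"
        if self.failed_this_call >= MAX_FAILED_ATTEMPTS_PER_CALL:
            self.hung_up = True
            return "hangup"
        return "retry"


if __name__ == "__main__":
    print(pin_policy_violations("4567", "+1 415 555 4567"))   # rejected: short and equals last 4
    box = Mailbox("4155550100", "739104")                      # constructed mailbox
    call = LoginSession(box)
    print(call.enter("1234#5678#9012#"))                       # retry: only 1234 was tested
    print(call.enter("739104#"))                               # authenticated
```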