Compromising online services by cracking voicemail systems
Formal Metadata
Number of Parts: 322
License: CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers: 10.5446/39714 (DOI)
DEF CON 26, part 263 / 322
Transcript: English (auto-generated)
00:00
Let's get it started! Martin Vigo, give it a big hand! Let's go! Hello, thanks everyone for coming to this talk. It was supposed to be a 45-minute talk, so I can only be 20. I'm going to go super, super fast because I really want to cover the entire content. My name is Martin Vigo. I work as a product security lead.
00:23
I'm from Galicia, Spain. We've got the best shiffer in the world. If you don't believe me, come over there to try it. I like research, I like scuba, and I don't like that whiskey. In case you want to ask questions later, you know how to draw my attention. So, let's talk about history. We're going to talk about voicemail systems. I like to move and they don't have a wireless thing.
00:42
About voicemail systems, how to compromise them. The first thing when you do research is you look at previous art. In this case, it was really cool because I just went back to the 80s when the voicemail systems became popular, and I started to read articles and essays from the first hackers and phreakers. It was really, really good.
01:01
So, I condensed everything that I learned in five quotes of five different zines. So, here we can see that it says, you can just enter all two digit combinations until you get the right one. A more sophisticated and fast way to do this is to take advantage of the fact that such machines typically do not read two numbers at a time and discard them,
01:20
but just look for the correct sequence. Actually, in this one, in hacking AT&T answering machines quick and dirty, we can see the actual sequence that you can enter and it will actually be the entire two-digit PIN key space because if you enter 1234, it will actually parse 23 as well to look if it's the correct PIN. In a tutorial for us in voicemail systems,
01:42
what we learned is that it was actually default passwords and there were actually common patterns that people use as PINs. And in the last one, what we learned is that there is also the old change the message secret to make it say something to the effect of this line, accept all toll charges so you can bill third party calls to that number.
02:01
What that means is you will basically record as the greeting message, yes, I accept and then from a penitentiary, you will get basically free calls. So, voicemail security in the 80s, we can sum up as there was default passwords, common passwords, brute-forceable passwords, efficient ways to brute force the passwords and the greeting message was an attack vector.
02:22
How about we play checklist? Fast forward to today, voicemail security today, let's do a checklist. Default passwords check according to the public documentation in the four major carriers of the United States in their website. AT&T is six ones, T-Mobile the last four digits of the phone number, Sprint is the last seven, Verizon is the last four.
02:41
Common passwords, according to a fantastic research from 2012 from Data Genetics, there is a number of conclusions that they got to but basically some of the important ones were that you have a 22% chance of guessing a four-digit PIN by just trying the top 20 PINs of the 10,000 that are possible.
03:01
So that means that one in every four victims that you try by just trying 20 PINs, you will actually get the right one. Other conclusions include that most of the PINs start with one nine and that's because people tend to use their birth year as a PIN number. Brute-forceable passwords, AT&T, T-Mobile, Sprint, Verizon, they all allow four-digit PIN codes.
03:22
Efficient brute forcing, it actually allows to enter three PINs at a time by using the pound to concatenate it, which is kind of like a return in a voicemail system and you don't even have to wait for prompt of error messages if the PIN was wrong. So with all this in mind that I learned from the amazing hackers from the 80s and my tests today on the voicemail systems,
03:43
I decided that I should write a tool that actually takes advantage of that and allows you to brute force voicemails fast, cheap, easy, efficiently and undetected. So let's look how. Fast, I use Twilio, which is basically a voice service that allows you programmatically to make phone calls, to make hundreds of calls to the victim and to try different PINs.
04:04
It's cheap, the entire four-digit key space for less than 40 bucks, or if you want to have a 50% chance of actually guessing the correct PIN in a four-digit one, it costs you less than five. But we can take a different approach. Why don't we try the default PINs that we mentioned before on thousand different numbers?
04:20
Remember, the phone number is actually the PIN code, so that costs you 13 bucks. It's easy. It's fully automated. You pretty much provide the victim's phone number and some other parameters, and that's it. I already configured the specific payloads for the carriers, and it's efficient. It optimizes brute forcing, tries three PINs at a time,
04:42
and it uses existing research from data genetics to favor the ones that are more common, to favor the ones of birth years and stuff like that. But the most important thing is detection. Because if you think about it, if I, as an attacker, want to interact with your voicemail, I need to call you, because if you don't pick up, then I can interact with your voicemail.
05:02
So that really sucks, because I need to detect when your phone is offline. So what are the ways that I can go straight to your voicemail with my tool? When I started to look into this, one of the things that I tried was to do several calls at the same time to kind of flood the line, and it will work and go straight to the voicemail. It's actually kind of like Slydial works, which is a service for scammers and marketers
05:23
to basically go directly to your voicemail. You can call when the phone is online, and you can use OSINT techniques for finding out when someone has the phone offline. Everyone likes to tweet when they take the plane. Who goes to Burning Man in two weeks? Yeah, you better, guys, stay till the end of the talk. You have a home location record, which it's a database that you can query if you pay a little bit of money,
05:47
but among other things, what it provides you is actually if the phone is connected to a tower. I tried it, it's not very reliable, not very real-time, so I had to find a way that was really good in order to go straight to your voicemail, and that's when I found the concept of backdoor voicemail numbers.
06:02
So it turns out that carriers think it's a good idea to have a system that you can dial in, put the number you want to leave a message to, and then you leave the message. So I don't have to call you, I call that service and provide your phone number. But you know, when you press star, you access the login prompt. And so that's actually what the tool uses in order to not have to have your phone offline
06:22
and be able to brute force passwords. So now Voicemail Cracker is undetected because I'm not even calling your phone. But the thing is, it doesn't have only that advantage. Turns out that during my test, when I was calling directly to the victim, every fourth or fifth call it will fail because it can only take that many calls. And the tool retries again.
06:41
But when I try with backdoor voicemail numbers, because they are meant to be used by everyone, what happens is that literally hundreds of calls and it never, never failed. Let's do the first demo. And in this demo, what I want to do is basically show you how the tool works.
07:01
So what you see on the left is the victim's number, and I'm trying to see where to make this. So it's the victim's number, and on the right you see the tool. And in this case, I'm using the brute force option. And as you can see, I provide the victim number, the type of carrier, because it has specific payloads, and the caller ID, which actually Twilio provides to you. And then I use the option of backdoor number, right?
07:22
So it doesn't call the victim. And if you see, the last option is top pins. So I'm trying, based on the prior research, the top 20 most common PINs. Of course, the PIN is 1983. That's DEF CON's theme. So what it's doing now, it's making those calls. I mean, it can do hundreds of them, but for demo purposes, I wanted to make just the top 20.
07:42
I'm just trying those PINs. It's interacting with the voicemail. So because it tries three at a time, you will find that first it will give you, that possibly one of those three is the PIN, and then it will try individually those PINs just to find out what is the right one. And I wanted to fast-forward this demo. I will the other two that I have.
08:02
But I wanted to give you the feeling of how long it takes. And the truth is, it feels that it takes too long for just 20 pins, but think that in reality, how do I find out if the pin is correct? People thought that I use sound processing just to figure out if your error is out, but I'm very lazy, so I do it much better.
08:22
And what I do is the call duration, right? If you enter three pins wrong, the call will hang up. So that gives me actually a pattern of the duration of the call. So with Twilio, I instructed to actually wait 10 extra seconds. So all I got to do is wait for the thing to log in. If the pin is correct, it will wait 10 extra seconds.
08:40
So because of the duration of the call, I know that that PIN is correct. So that's what it's doing right now. That's why it takes a little longer. But obviously, when you don't have the right PIN, it will be much faster. And in 3, 2, 1, it should tell us that the PIN is 1983. I should have the demo shorter.
09:01
There we go. Cool. So we see now. Thank you. Okay. All right. So we saw that we have a tool that we can use thousands of calls, very cheap and all that. But what's the impact, right? Why am I sitting here with this? Who cares about voicemails, right?
09:21
Anyway, all the messages you guys probably have is from marketers and scammers. So why am I here? Well, the truth is there is much more to it, right? A lot of people don't realize that you can reset passwords, do 2FA or verification over automated phone calls. So my question to you is what happens if I have your email, go and start the password reset over phone call
09:42
so that it sends you that code that usually sends you over SMS and you don't pick up? The voicemail will pick up and will start recording. So now that I can compromise your voicemail, all I have to do is to initiate password resets and I will be able to listen how the recording spills out the code. So the attack vector looks like the first thing you got to do is brute force the voicemail system,
10:04
ideally using backdoors, as I mentioned. Then for this one, you need to ensure that the phone is offline. And the reason is because when I do the password reset, PayPal will call the victim, not the backdoor number. But it's only for this single call. And you can use OSINT or call flooding or whatever you want. You start the password reset process, you listen to the recorded message, and you got it.
10:23
And the tool can do all of this for you automatically. Let's compromise WhatsApp. Close this.
10:40
So what you have on the left is the victim's phone. And what you have on the right, I actually did it with a simulator. It's not even actually a phone. I downloaded the APK and put it in Android in the emulator. So I open the app and it tells me, hey, do you want to register? Well, no one has a username in WhatsApp, right? You do that with your phone number. So I entered the victim's phone number.
11:00
And so what it's going to do is it's going to send a text to the victim. So you're going to see on the victim's phone number that I'm going to put it in airplane mode. And that's to simulate that the victim is offline because WhatsApp is obviously going to try to call him. But in the case specifically of WhatsApp, the first thing it does is to send the text. So I'm not interested in that, so I'm going to fast forward here
11:20
because it basically waits a minute and gives you the option to call. And so as you can see, I press now the call me. So now WhatsApp is just basically calling the victim who is offline so the voicemail will pick up. And now what I'm doing is I'm using my tool with the option of message. And message basically interacts with the voicemail system to retrieve the newest message.
11:42
So you don't even have to do it. It's automatic. And you see that because I brute forced the PIN before, now I provide it as an option so it can log in, this option that we have here. And so here it's fast forwarding. It's basically interacting with the voicemail. It's retrieving it and it will give you a URL. And all you got to do is put that in a browser and you get an audio file.
12:05
We have audio now. So I'm loading that, it gives you an audio file and it should be the newest message that the victim has. Now it's interacting with the voicemail system.
12:36
And that's it. So now I'm going to put the victim not in airplane mode and that's all it takes.
12:42
And I want to mention that WhatsApp has really, really strong security so I'm not claiming, I mean, there is things like you won't be able to see the previous groups but you can hold on until someone writes and then you will be able to interact. And there is also the fingerprinting, all that stuff. But this is a big problem because you literally hijack that person's WhatsApp.
13:01
So let's go back to the slides. Okay. Got to go really fast. We don't? Not yet. Because it turns out that some people know this and so what they did and what is recommended is to provide user interaction-based protection. What does that mean? So the automated call will not just fill the code
13:21
but it will say please press any key or please press a random key or please enter the code. It will show you in the UI this PayPal does this. It will show you in the UI a code and you will have to enter it in the keypad when you receive the call. So can we beat this recommended protection? This is what is recommended today when you read the articles.
13:41
And we're going to play a game. We're going to guess it together. And I give you the first hint. Everyone probably knows what this is. So this generates some really nice DTMF kind of tones that was used by John Draper for doing good stuff in the 80s. And this is the second one.
14:00
I actually cheated when I looked at the checklist. I told you we're going to cover them all but we didn't cover the greeting message. Something we learned from the 80s is actually an attack vector. So when people, this is why it's so important for you hackers, you guys are amazing because we want to understand how the system works. If you ask someone to explain to you this user interaction protection,
14:22
it will tell you, oh, you have to press a key. No, the system is waiting to hear a specific frequency, a specific DTMF tone. Not that you physically press a key. And that's the thing. So what we can do is we can record DTMF tones that represent the codes that it's expecting, the automatic codes,
14:41
as the greeting message. And it works every single time. Attack vector, exactly the same. We just add now as a second step that you update the greeting message with the DTMF tones. And again, the tool will do all this automatically for you. Let's compromise PayPal.
15:05
Okay, you see on the left that I brute forced the PIN. On the right, you see that I need the email. So I will just start the password reset. And in this case, it will actually show me a code that I'm supposed to enter when I receive the phone call, right?
15:20
I'm just basically picking here that I want to reset the password over the automated phone call. And as you can see on the left, I'm going to use the option of greeting. And this is what allows you to change the greeting message. And I made it very verbose in this case for the demo. So you see the last parameter is PayPal code. So all I have to do is to put the 6353 there
15:44
and the tool will interact with the voicemail, change the greeting message, put the DTMF tones that represent 6353, and if everything works, I mean the demo is recorded, then we should see that actually we compromised PayPal.
16:01
So actually PayPal is already making the call, but I don't care because it takes a little bit to change the greeting message. I just click call me again, right? So we fast forward a little bit. I got five minutes. Okay, I can do this. And in three, two, one, boom, there it is. We just compromised PayPal.
16:21
Thank you. Okay, very quick. What services are you going to need to pay attention to? I'm going to run over this. This is a small subset, Alexa top 100, not favoring or anything, but password reset for PayPal, Instagram, Netflix, eBay, LinkedIn, 2FA, the big four, Apple, Google, Microsoft, Yahoo,
16:42
verification, WhatsApp, Signal. Twilio is a good one because Twilio allows you to verify a caller ID. So I can literally own your caller ID and make calls on behalf of you. Google Voice is used for scamming, but you need to tie it to a real phone number. So I can get unlimited virtual phone numbers by just verifying someone else's phone. But the best one is consent.
17:01
When we think about consent, we think about lawyers, about signing papers. It turns out that LocationSmart, which was in the news four months ago, I think, because Brian Krebs wrote an amazing article about it. It's basically a service that has agreements with the carriers to be able to track you 24-7 if you provide consent by pressing 1.
17:25
Open source. So the truth is, I obviously did a responsible disclosure, and carriers are slow to catch up. Some of them didn't answer. I also talked to the services. So releasing this tool will only be a script kiddie tool,
17:42
but at the same time, I don't want to claim stuff here that you can't verify. So basically what I do is a voicemail automator instead. So I'm going to publish this code on Monday because the weekend is, I'm going to celebrate. So it's basically I remove the brute forcing. Why? Because this way, I didn't give you code to compromise anyone's voicemail number,
18:03
but you will be able to try on your voicemail number what I'm claiming here. And you can go to the GitHub repo. Recommendations. Very quick. For online services, don't use automated calls for security purposes, nor SMS. Feel free to check out a BSides talk I gave that is kind of related to this, but for SMS.
18:21
If not possible, well, detecting the answering machine is tough, but require user interaction. I just showed you how to bypass that, but that is with the hope that carriers listen and ban DTMF tones from the greeting message. This is the most important slide for carriers out there. Ban DTMF tones from the greeting message. Eliminate backdoor voicemail systems
18:40
or at least do not allow access to the login prompt by just pressing star. Voicemail should be disabled by default and can only be activated from the phone itself. I was able to activate phone numbers. By activating the victim, never the victim, the person that allowed me to test it.
19:00
I was able to set a password for them. No default PIN, don't allow common PINs, detect abuse. Is this being recorded? It's too late now. Don't abuse brute force attempts and don't process multiple PINs at once. I got two minutes. Recommendations for you guys, disable voicemail or at least use the longest possible PIN. Don't provide the phone number unless obviously it's the only way to get 2FA,
19:22
but you can use a virtual number because you can get rid of things like OSINT to figure out your phone or SIM swapping. When you use 2FA, try to use apps. I like always to put a slide just to kind of do a "too long, didn't read" because someone arrived late or whatever that says automated phone calls are a common solution for password reset,
19:41
2FA and verification services and consent. This can be compromised by leveraging all weaknesses in current technology to exploit the weakest link, voicemail systems. Thank you so much for attending.
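The carrier-side recommendation the speaker calls his most important slide, ban DTMF tones from the greeting message, as an added example that is not part of the talk or of the speaker's tool: a check a voicemail platform could run when a greeting is uploaded, scanning the recording frame by frame with the Goertzel algorithm and rejecting it if it carries DTMF digits. The 8 kHz sample rate, the 205-sample frame, the energy and persistence thresholds, and the two synthesized greetings (one that "types" the 6353 code from the PayPal demo, one 440 Hz hum standing in for spoken audio) are my assumptions and constructed inputs, not anything from the page.

```python
"""Carrier-side check: flag DTMF tones embedded in a voicemail greeting.

Added example, not the speaker's tool. Audio is 8 kHz mono float samples in
[-1, 1]; the greetings at the bottom are synthesized (constructed) input.
"""
import math
import random

SAMPLE_RATE = 8000
FRAME = 205  # ~25.6 ms; the classic Goertzel frame length for DTMF at 8 kHz
LOW_FREQS = (697, 770, 852, 941)        # DTMF row tones
HIGH_FREQS = (1209, 1336, 1477, 1633)   # DTMF column tones
KEYPAD = ("123A", "456B", "789C", "*0#D")

MIN_TONE_FRACTION = 0.2   # each tone must carry >= 20% of the frame's energy (assumed threshold)
MIN_DOMINANCE = 4.0       # and be >= 4x stronger than the runner-up in its group (assumed)
MIN_FRAMES = 2            # a digit must persist >= 2 frames (~51 ms) to count (assumed)


def goertzel_power(samples, freq):
    """Squared DFT magnitude of `samples` at `freq` Hz, via the Goertzel recurrence."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / SAMPLE_RATE)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def _dominant(frame, freqs, energy_scale):
    """Strongest tone of `freqs` in the frame, or None if it is too weak or not
    clearly above the runner-up in its group."""
    ranked = sorted(((goertzel_power(frame, f) / energy_scale, f) for f in freqs), reverse=True)
    (best, f_best), (second, _) = ranked[0], ranked[1]
    if best < MIN_TONE_FRACTION or best < MIN_DOMINANCE * second:
        return None
    return f_best


def classify_frame(frame):
    """Return the DTMF digit carried by one frame, or None."""
    energy = sum(x * x for x in frame)
    if energy <= 0.0:
        return None
    # For a tone of amplitude A over N samples, Goertzel power ~ (A*N/2)^2 and the
    # frame energy ~ N*A^2/2, so power / (energy * N/2) ~ share of energy in that tone.
    scale = energy * len(frame) / 2.0
    low = _dominant(frame, LOW_FREQS, scale)
    high = _dominant(frame, HIGH_FREQS, scale)
    if low is None or high is None:
        return None
    return KEYPAD[LOW_FREQS.index(low)][HIGH_FREQS.index(high)]


def scan_greeting(samples):
    """Return the DTMF digits found in the greeting as a string ('' if none)."""
    digits = []
    current, run = None, 0
    for start in range(0, len(samples) - FRAME + 1, FRAME):
        digit = classify_frame(samples[start:start + FRAME])
        if digit == current:
            run += 1
        else:
            current, run = digit, 1
        if digit is not None and run == MIN_FRAMES:  # emit once per sustained tone
            digits.append(digit)
    return "".join(digits)


def greeting_is_acceptable(samples):
    """Upload-time policy: any DTMF digit in the greeting rejects it."""
    return scan_greeting(samples) == ""


# --- constructed sample input: synthesized 8 kHz greetings ----------------
def _tone(freqs, seconds, amplitude=0.5):
    n = int(SAMPLE_RATE * seconds)
    return [sum(amplitude * math.sin(2 * math.pi * f * i / SAMPLE_RATE) for f in freqs)
            for i in range(n)]


def _noise(seconds, amplitude=0.02, seed=1):
    rng = random.Random(seed)
    return [rng.uniform(-amplitude, amplitude) for _ in range(int(SAMPLE_RATE * seconds))]


def dtmf_digit(digit, seconds=0.1):
    row = next(r for r, keys in enumerate(KEYPAD) if digit in keys)
    col = KEYPAD[row].index(digit)
    return _tone((LOW_FREQS[row], HIGH_FREQS[col]), seconds)


def malicious_greeting(code="6353"):
    """Greeting that 'types' a verification code: 100 ms tones with 50 ms gaps (constructed)."""
    audio = _noise(0.3)
    for d in code:
        audio += dtmf_digit(d) + _noise(0.05)
    return audio


def benign_greeting():
    """Stand-in for spoken audio: a 440 Hz hum over background noise (constructed)."""
    return [a + b for a, b in zip(_tone((440,), 1.0), _noise(1.0, seed=2))]


if __name__ == "__main__":
    print("malicious greeting decodes to:", scan_greeting(malicious_greeting()))
    print("benign greeting decodes to:", repr(scan_greeting(benign_greeting())))
```

The energy-share normalization lets the same thresholds work regardless of recording level, and requiring both a row and a column tone to dominate their groups for at least two frames is what keeps ordinary speech from tripping the check; even so, the thresholds should be tuned on real greetings passed through the carrier's own codec before enforcing a hard reject.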