It’s easy to access someone else’s voicemail by spoofing the caller ID. This isn’t new; what is new is that many people now have easy access to caller ID spoofing.
The spoofing only works for voicemail accounts that don’t have a password set up, but AT&T has no password as the default.
Clive Robinson • July 14, 2010 7:47 AM
@ BF Skinner,
“Is there a 3rd alternative?”
Two spring to mind,
1, Change your service provider.
2, Move to another country.
After due consideration you might find the latter,
A, easier to do
B, has considerably more benifits.
Louis • July 14, 2010 8:22 AM
Long live the free phone.
The carrier’s assumption of a secured (for carrier purposes) device is no longer valid
To paraphrase Gandalf, “This is but a taste of the terror that Android will unleash”.
Is it me, or does AT&T have some serious security engineering issues? Maybe they need a Ross Anderson presentation with book to read at the end…
BF Skinner • July 14, 2010 8:29 AM
@Clive “Change your service provider.”
Well these are more in the nature of mitigations not statements of “how the client screwed up their design again”; but reading the slashdot article my first question was do the other telecoms do the same thing?
Authenticate to a public string.
It wouldn’t be the first class wide problem we’ve seen. I could see the business logic applying to all carriers. More passwords means more helpdesk calls and if “people don’t care about security” why interfere with their service use? Decreases revenue (which is measurable.)
After all, my carrier REDACTED has never asked me for a password for my voicemail.
Option 2 is part of exit strategy D codenamed the Gauguin Run. I hear Bali has broadband.
David • July 14, 2010 8:34 AM
This problem isn’t just confined to AT&T. The last time I checked Verizon did too. Described here:(http://sharpesecurity.blogspot.com/2010/02/espionage-on-budget.html).
Stephen Morley • July 14, 2010 9:30 AM
It’s a little tangential to the story, but I notice that the Slashdot story URL is based on the HTML-escaped title, and hence AT&T becomes ATampT. I suppose it’s better to be overzealous with escaping than to omit it when required.
Clive Robinson • July 14, 2010 9:58 AM
@ BF Skinner,
“Option 2 is part of exit strategy D codenamed the Gauguin Run. I hear Bali has broadband”
Have a look at the Turks and Cacos islands before you make your mind up they sure have some real advantages, not least the whole Gov there is reputed to be “corupt” by the likes of Gordon Brown (ex PM) because they don’t like having the finances of their “residents” looked into in any way. Especially by incompetent and moraly bankrupt politicos from other juresdictions who’s populas does not want to pay the ransom.
Brian • July 14, 2010 10:27 AM
I didn’t know about this problem until I started fiddling around with VoIP. I found a provider that allowed me to change my caller ID, and connect an ‘asterisk’ box to it. I had programmed the asterisk machine to automatically change the outgoing caller ID to a number that I was dialing. All this was just to freak out the recipients of my calls. Suddenly getting into people’s voicemails was rather amusing, but kinda scary.
Isn’t the better solution just to enforce caller ID at the network? Prevent the phone from changing it? I don’t know the system well enough to even know if thats possible, but it would seem to fix that, for more reasons then just getting into voicemail.
Why are they using caller ID as an authentication mechanism in the first place? This is a telephone company. They have access to the ANI value, which cannot be spoofed.
Kerry • July 14, 2010 11:03 AM
As an iPhone owner, I ignored the AT&T instructions that the Slashdot article links to. Instead, on the phone I used Settings -> Phone -> Change Voicemail Password. (Turns out that I already had set a password; the phone was sending it for me.)
kashmarek • July 14, 2010 11:16 AM
Isn’t this capability available to anyone that has VOIP, like Vonnage?
alreadyonthelist • July 14, 2010 11:56 AM
ATT Security is too busy monkeying around with wiretaps and elevating background noise for echelon dictionary contractor fraud games to mess around with customer security questions.
moo • July 14, 2010 6:02 PM
@Brian: A big part of the problem is that there are situations for which nobody but the caller actually knows appropriate caller ID information. But CID was infinitely spoofable anyway, when only physical phones were involved.
Scenario to consider: You have Skype and you’re making a call from some IP address over the Internet, through some Skype exchange, to a real phone somewhere. Now what name and address should Skype give to the phone network to present to the recipient? Geolocation aside, a call coming from some IP address could be coming from anywhere. I think their solution was that you provide your name and address to Skype and they use that to fill in the caller ID info for your call. Of course there’s not much to prevent you from supplying bogus information.
Note that landline phone networks have another system, ANI (Automatic Number Identification) which reports name and address info and is much harder to spoof or block or interfere with. That info is maintained by the phone companies from their billing info, and (for example) when you dial 911 then the ANI information is available to the 911 operator who handles your call. But again, if you have a skype account… what does their system really know about your call? Just that it originates from some big exchange somewhere, owned or leased by Skype. ANI also presents issues for the cell phone companies. There’s a million and one cell phone companies out there, some of them quite small. If you are a shady business (a telemarketer for example), how hard is it to find a small phone company that will let you put whatever you want in the outbound CID and ANI information?
Mark R • July 16, 2010 7:47 AM
@Kerry:
I realize I’m rather late to the party here, but I had been operating under the lazy “nobody wants my voicemails” assumption, which turns out to be a bad one since the voicemail system can be used to send mesasges. But anyway, this story finally nudged me to set a password.
However, if you go into the AT&T voicemail menu and simply set a password, this is not sufficient! The voicemail system will still just authenticate you by caller ID.
You must select another menu option on the password menu to activate the password. My first time through the system, I didn’t listen long enough since that option comes after the more obvious “set a password” option.
Long story short, if the voicemail system is not prompting you to enter your password on your keypad, even though you’ve set one, make sure the password is actually turned on!
Adam • July 16, 2010 8:51 AM
@Mark R, Kerry
Mark is correct, you have to call into your voicemail and “turn on” your password.
What a badly designed system.
Curt Sampson • July 16, 2010 10:01 PM
I’m also quite surprised that AT&T is using caller-id rather than ANI.
However, as has been pointed out in the comments, even ANI isn’t all that secure, given that you need to trust every company through whose equipment the call is routed. There’s an enormous amount of trust and very little security within the telephone network. I don’t trust it any more than I trust the Internet.
Billy • July 17, 2010 3:27 AM
Yeah this issue is 4 years old -> 1. http://www.dhanjani.com/blog/2007/07/iphone-users-at.html 2. http://dhanjani.com/archives/2006/02/exploit_cingular_voicemail_vul.html
tony • July 19, 2010 7:44 AM
Most places here in Europe require a password if the call originates outside the home network (inc roaming). (I have myself configured several networks to do this)
android developers • October 7, 2010 10:14 AM
Now the android phones have come up with the security system for their data and he device. One of the security technique which is been used is the Encryption system. This encryption system is very effective and with it unauthorized user wont be able to access the data and the device.
Amazon Klantenservice Nederland • July 4, 2020 3:15 AM
Hi….
Caller ID Spoofing on the Android. It’s easy to access someone else’s voicemail by spoofing the caller ID. This isn’t new; what is new is that many people now have easy access to caller ID spoofing. The spoofing only works for voicemail accounts that don’t have a password set up, but AT&T has no password as the default.
Subscribe to comments on this entry
Sidebar photo of Bruce Schneier by Joe MacInnis.
BF Skinner • July 14, 2010 7:18 AM
Open by default for “fast access”. There’s an AT&T page too http://www.wireless.att.com/learn/popups/voicemail-security.jsp, that explicitly tells how to set the password (it’s not bad). But where does the consumer get briefed on this vulnerability? Is it buried in a FAQ, a link off terms and conditions, passed by voice by a busy counter clerk in a AT&T storefront or mall kiosk?
Did they make a business decision “Most people won’t a) care or b) be at risk most of the time.” Or did they design the system and then find out ‘hey people can spoof callerID.’
The former is lame but at least there is some form of reasoning there while the latter would be some engineering incompetence–a SA-8 fail.
Is there a 3rd alternative?