When Hackers Call: The Voicemail Vulnerability

Erik Liddell
Nov 18, 2019


How hackers can use your voicemail against you and how to mitigate the risk.

Disclaimer

Let me start by saying that this article is for educational purposes only. The knowledge you will gain from this article could be used to do very illegal things and land you in federal prison. Even worse, it could be used to ruin someone else’s life. Someone more innocent than you.

Furthermore, I do not endorse, condone or otherwise warrant breaking the law or invading the privacy of others. You alone are fully responsible for what you do with this information.

In other words, ‘Don’t be a jerk!’

That said, stay thirsty my friends!

Foreword

In today’s world, when we think about protecting ourselves from hackers a number of obvious things come to mind.

We know the dangers of using public WiFi, weak passwords, and having poor firewall security. We also know better than to click on suspicious links or mount random USB drives that we happen to find lying around.

Hell, some of us might even take precautions like always using a VPN, two-factor authentication, and even reaching out to our cell phone providers to put protocols in place that prevent SIM jacking.

Let’s face it, though. With all our smart devices, social media accounts, and the internet of things, there are endless avenues a hacker can take if they really want to try and hack us.

We certainly can’t spend all day worrying about everywhere we might be vulnerable, and for the most part, we don’t have to. We tend to rest our heads on the shoulders of giants, ‘knowing’ that big companies like Google, Amazon, Facebook, Verizon and the like have the best of the best working hard to safeguard us and our data.

sorry that was hard to say

For the most part, this is a fairly safe bet, but even the brightest often overlook things that can leave us with our pants down.

By this point, I am sure you are quite keen as to what I’m about to tell you, but here it comes anyway:

“Your Voicemail is leaving your derriere exposed to the harsh winter breeze and {dramatic pause} Hackers!!!”

The Threat

You are probably thinking,

“What’s the big deal? Are you going to tell me that hackers can listen to my voicemail? Who cares?! All they‘ll hear are messages from telemarketers, anyway. Let them have at it!”

If you are at all like me, you might even scoff,

“Jokes on you, my friend! I didn’t even set up voicemail on my phone. Voicemail, HAH! Who even uses that anymore?”

Addressing the latter first, let me say one thing: Just because you didn’t set up voicemail, doesn’t mean that you don’t have a voicemail. Most cellular providers automatically give you a voicemail account with your service and if you didn’t set it up, you are likely even more vulnerable to what I am about to tell you.

Moving back to the first question, the short answer is “yes!” Hackers can listen to your voicemail and while you may think there is no value in your voice messages, there most certainly is. In fact, they can use these messages to hijack many of your online profiles and accounts and I am about to show you how.

Shall We Play a Game?

For the remainder of this article, we are going to pretend to be evil hackers. The Dark Army has tasked us with hacking an individual by the name of Roger Pebble. Ditching our morals in favor of not being killed by the Dark Army, we accept the task, grab a cup of coffee, and get to it.

Our initial recon yielded a few possible phone numbers and online identities including social media accounts, Gmail, and even online banking. Unfortunately, we don’t really have much else to go on.

How we got this info is a topic for another day but I encourage you to follow me here for when that day comes!

The big fruit here is obviously Roger’s online banking, but we don’t know his password and we certainly don’t want to try brute forcing a bank. It’s too noisy and will likely get us caught. Roger’s email is pretty much the same story, so all we’re left with are a few phone numbers.

Step 1: Phone Info Gathering
The first thing we decide to do is run these phone numbers through a Python 3 script called PhoneInfoga, which can be found on GitHub.

PhoneInfoga is essentially an automation script that can be used to rummage through the internet and find valuable information about a given number.

Our main purpose for using this script is to first verify that they are indeed real numbers and to see if we can quickly identify the numbers as either mobile or landlines. Below are a few sample outputs from running ‘phoneinfoga.py’ on various numbers.

Judging by the output, we can see that the numbers are in fact real numbers, and one of them is likely a mobile number with Verizon. The second number shows up as a possible landline, but in yellow we can see that there is always a margin of error.

Step 2: Confirm and Verify
What we need to do now is see if voicemail is set up on these phone numbers. To do this, there is a great tool that social engineers use all the time, called SpoofCard.

SpoofCard is a mobile app that social engineers typically use to fake the number they are calling from when performing phone phishing attempts. It allows the caller to make any number they want appear on the caller ID of the victim’s phone. It also allows for the disguising of their voice, adding fake background noise, recording the phone call and even going straight to voicemail, although we won’t be needing any of those extra fancy features.

Instead, we are going to keep this quite simple. We will try using SpoofCard to merely call our victim’s numbers while pretending to be calling from the very same number. What happens when we call our own number from the same number, you may ask? Well, we go straight to voicemail.

Let me be crystal clear here. We don’t get dropped into the user’s voicemail greeting,

“Hey I’m ignoring you! Please leave a message..”

No, we get dropped straight into the user’s voicemail menu. Now, a couple different scenarios could play out here.

  • The user hasn’t set up their voicemail yet.
    This is the ideal situation for us. It means we will be greeted with a message telling us that our voicemail hasn’t been set up yet, but offering us a numeric option to “set it up now.” Sweet, we can just go ahead and set up the voicemail for our victim, setting their PIN to whatever our little hacker hearts desire.
  • The user set their voicemail up, but improperly.
    For whatever reason, some cellular providers let their customers select an option that allows them to access their voicemail without a PIN when calling from the same number. Hey, that’s what we are about to do. I have to take back everything I just said in the first bullet: this is the real ideal. If this is the case, we will skip right over authentication.
  • The user set up the voicemail correctly.
    This is most likely our worst case scenario. It means we will be greeted with a message telling us to enter our PIN.

Ok, so let’s give it a try.

Making sure we put our victim’s number in both fields, we simply hit the call button, and listen… (Actual Recording Found Here)

Damn, it’s the worst case scenario! It’s prompting us for a PIN!

Note: SpoofCard isn’t exactly free, but it is really cheap. Also, at the time of writing this, the app seems to have been taken down from at least the Google Play store. The company has stated that it will be back up shortly, but you can still find the app if you know where to look.

Step 3: Brute Forcing The PIN
While some might be discouraged by our victim’s apparent skills in setting up their voicemail, we know all is not lost. “Try harder” is always the hacker motto.

Typically, cellular providers require their customers to secure their voicemail with a mere 4–8 digit PIN. They also tend to stress the importance of making your PIN something easy to remember. Taking that suggestion into consideration, I bet you can guess how many digits the majority of people’s PINs are. If you guessed the minimum required, you are correct!

People are predictable. A quick Google search will yield you a list of the Top Ten 4-digit PIN combinations and you’ll find 15% of the population using them. What’s more, most providers don’t implement any “max attempt” security on their voicemail systems. So even if our victim is not in the 15% of users guilty of using one of the Top Ten, the permutations are rather trivial in the world of scripting. In fact, another quick Google will show you that someone has likely already written a script for you.

Step 4: Pivot
Luckily for us, we guessed our victim’s PIN on our first attempt, ‘0000.’
Great, we know our victim’s voicemail passcode, but now what? We could rummage through their messages or we could change their greeting. That would make for a good laugh, but I don’t think that is quite what the Dark Army had in mind.

Looking back at our initial recon, we know that Roger has an online banking presence. A quick glance at his bank’s ‘Forgot your password?’ page, reveals that in the event of a forgotten password, the bank emails their customers a password reset link.

It just so happens that Roger’s email works in a similar manner, but allows for us to get password help over the phone via either a text message or automated phone call, the key words here being ‘automated phone call.’

This likely means a computer will call and give us a code that we can then use to authorize a password reset. Sounds great if we can somehow get that computer to go straight to voicemail.

If only we had a swallow (ласточка), capable of luring Roger into a restaurant with no cellular service, or maybe just a means to get him to simply turn off his phone. Hmm..

Wait a minute, I know exactly what to do. There is this whole subculture of people out there, who make it their mission to weed out phone scammers and flood their call centers until they have to shut down. I love these phreaks! Certainly one of them has written a script for this too.

Once again, Google comes to the rescue with a DIY Call Flooder. Ok, I’ll admit that this might be a little overkill. Maybe we could just wait until the late night hours and keep calling Roger from different numbers until he gets frustrated and just turns his phone off. We’ll know the trap has been sprung when he stops picking up and yelling obscenities at us and instead it goes straight to voicemail.

From here, it is smooth sailing. We trigger a password reset with his email, check the voicemail to retrieve the code, change his email password and bubble our way all the way up to his bank.

Roger is owned.

The Takeaway

First of all, I have to admit that the scenario laid out above was quite fanciful! It just so happened to be a perfect storm and obviously not all voicemail services are the same. Certainly your bank and likely your email provider also have better authentication practices in place, at least we hope so.

The intent was to keep you entertained while illustrating how the simple things that often get overlooked, are exactly what hackers are looking to exploit.

Be it leaving your router or security camera in its out-of-the-box configuration, or not properly setting up your voicemail when you get a new cellular provider, your minor oversight can quickly be forgotten by you and found later by The Dark Army.

How to Mitigate

  1. At the very minimum, make sure you have set up your voicemail and given it a PIN that is not found on the Top Ten.
  2. Double check all your voicemail settings. As mentioned, some providers have an option that bypasses authentication when calling from the same number. Make sure that is disabled!
  3. Always delete your voicemail messages in a timely manner. We really don’t need anyone getting wind of any nicknames mom might have for us.
  4. Consider disabling your voicemail altogether. This likely will require you calling your provider. While you have them on the phone you might as well make sure they have good SIM jacking prevention in place. Ask them to put a note on your account that a new SIM card can only be mailed to your billing address or picked up in person with a valid photo ID.
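
The list above is what a subscriber can do. As an added example (not code from this article or from any carrier's system), here is a sketch of the provider-side counterpart: the three controls the walkthrough found missing, namely weak-PIN rejection at setup, a "max attempt" lockout, and no PIN bypass based on caller ID. The `Mailbox` class, the policy constants and the status strings are all assumptions made for illustration.

```python
import hashlib, hmac, os, time

MIN_PIN_LEN = 6            # assumed policy value
MAX_FAILURES = 5           # assumed policy value
LOCKOUT_SECONDS = 15 * 60  # assumed policy value

def is_weak_pin(pin: str) -> bool:
    """Reject short PINs, one repeated digit, straight runs and repeated pairs."""
    if not pin.isdigit() or len(pin) < MIN_PIN_LEN:
        return True
    if len(set(pin)) == 1:                       # 000000
        return True
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    if steps in ({1}, {9}):                      # 123456, 654321
        return True
    return len(pin) % 2 == 0 and pin == pin[:2] * (len(pin) // 2)  # 121212

def _digest(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

class Mailbox:
    def __init__(self):
        self.salt = self.digest = None
        self.failures, self.locked_until = 0, 0.0

    def set_pin(self, pin: str) -> None:
        if is_weak_pin(pin):
            raise ValueError("PIN rejected by policy")
        self.salt = os.urandom(16)
        self.digest = _digest(pin, self.salt)

    def authenticate(self, pin: str, caller_id: str, now: float = None) -> str:
        # caller_id is never trusted: it is attacker-controlled (spoofable),
        # so calling "from the same number" earns no PIN bypass.
        now = time.time() if now is None else now
        if self.digest is None:
            return "denied: no PIN set"   # setup is not offered to a caller
        if now < self.locked_until:
            return "locked"
        if hmac.compare_digest(_digest(pin, self.salt), self.digest):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.failures, self.locked_until = 0, now + LOCKOUT_SECONDS
            return "locked"
        return "denied"
```

A fixed lockout also lets any caller lock the owner out for a while, so a real deployment would pair it with an out-of-band reset path.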

The End

One more thing, Epstein Didn’t Kill Himself. :)
