Exploit Cingular Voicemail Vulnerability via Caller ID Spoofing

by Nitesh Dhanjani


<Update>
I would have contacted Cingular about this, and given them time to fix this before talking about this publicly, but Cingular has already gained negative press about this for MONTHS (see http://www.google.com/search?q=cingular+voice+mail+spoofing). People have been exploiting this vulnerability for a while now. The aim of this post is to help those who are Cingular customers protect themselves from this issue (see last paragraph), and possibly help contribute noise into this problem so someone at Cingular escalates this issue. This should have been fixed months ago.
</Update>

I purchased Spoofcard credit last night. Spoofcard (and many other services like it) allows you to spoof your Caller-ID information. In addition, Spoofcard also allows you to change your voice, and record conversations. I tried calling a few friends to make sure it worked, and it did. They were quite surprised and confused at first, but got a kick out of it when I revealed my identity (after joking around for a few minutes).

This morning, I called a friend who has a cell-phone from Cingular. I used Spoofcard to spoof his own Caller ID. He wasn't around to pick up the call, so I was forwarded to his voice mail. The Cingular voice mail system trusted the Caller ID information - it assumed it was my friend (using his handset) checking his own voicemail, and allowed me to access all his voice mail messages. I was quite alarmed, and immediately notified my friend. I also tried this with a co-worker's cell phone (with his permission), and it worked.

Gaining access to cell phone voice mails via Caller ID spoofing is nothing new. Many voice mail systems have been known to be vulnerable to this. For example, a few months ago, when I was setting up my T-Mobile voice mail, I had to dig around for the right option in the voice mail system to force it to ask me for my password when I call the voicemail system from my phone. T-Mobile recently upgraded their voice mail system to encourage this behavior. However, I am alarmed Cingular has not patched this.

This doesn't work with T-Mobile and Sprint. Their voice mail systems seem to have intelligence in place to recognize that the call is originating from an external gateway.

That said, if you are a Cingular customer, you might want to call your voicemail, and configure it to ask for a password even when you call the voicemail system from your handset. This should fix the vulnerability for you.
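The trust decision described above, modelled next to a hardened version, as an added example that is not part of the original post and not any carrier's actual code. All names are hypothetical, the phone number and PIN are constructed, and `via_external_gateway` is an assumption standing in for whatever lets a carrier tell an off-network call from one placed by its own handset.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

@dataclass
class InboundCall:
    caller_id: str               # supplied by the calling side, not authenticated
    via_external_gateway: bool   # assumption: the ingress trunk is known to the carrier
    pin_entered: Optional[str] = None

@dataclass
class Mailbox:
    number: str
    pin: str                          # plaintext only to keep the model short
    always_require_pin: bool = False  # the subscriber setting from the last paragraph

def _pin_ok(call: InboundCall, box: Mailbox) -> bool:
    # Constant-time comparison of the entered PIN against the mailbox PIN.
    return call.pin_entered is not None and hmac.compare_digest(call.pin_entered, box.pin)

def access_trusting_caller_id(call: InboundCall, box: Mailbox) -> bool:
    """Behaviour the post describes: a matching Caller ID alone opens the mailbox."""
    if call.caller_id == box.number:
        return True
    return _pin_ok(call, box)

def access_hardened(call: InboundCall, box: Mailbox) -> bool:
    """Caller ID is only a hint: the PIN is skipped solely for on-network calls,
    and never when the subscriber has chosen to always be asked."""
    on_net_handset = call.caller_id == box.number and not call.via_external_gateway
    if on_net_handset and not box.always_require_pin:
        return True
    return _pin_ok(call, box)

# Constructed sample data.
NUMBER = "+15555550100"
spoofed_call = InboundCall(caller_id=NUMBER, via_external_gateway=True)
owner_handset = InboundCall(caller_id=NUMBER, via_external_gateway=False)

if __name__ == "__main__":
    box = Mailbox(number=NUMBER, pin="4821")
    for name, check in (("trusting", access_trusting_caller_id), ("hardened", access_hardened)):
        print(name, "spoofed:", check(spoofed_call, box), "owner:", check(owner_handset, box))
```

With `always_require_pin` set, the mailbox no longer depends on the carrier classifying the call correctly, which is why the subscriber-side setting works regardless of what the voice mail system does with Caller ID.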

17 Comments

smallinov
2006-02-01 13:46:26
WTF?
The only thing worse than Cingular being open to this huge security hole is you posting about it the day you find this out. Why not contact Cingular and let them know about the issue first giving them time to fix it before prompting every damn script kid in the world to go buy one of these cards and hack Cingular's voicemail. I am sure the sellers of the card will appreciate the sales boost...but come on? What are you thinking?


-Ryan Smallegan
http://www.smallegan.com/blog

niteshd
2006-02-01 13:50:08
Please do some research before accusing me
As I said in my posting, this is nothing new. Cingular has had MONTHS to fix this. They have been informed by people numerous times. Try Googling for "cingular voice mail spoofing." This shouldn't be news to Cingular - they have gained negative press about this for months. I'm trying to help make more noise out of this, so someone at Cingular gets their act together and fixes this. Actually, I'm HELPING OUT.
smallinov
2006-02-01 14:53:06
Please do some research before accusing me
So you think you are HELPING OUT by spreading the word via Oreilly? Would you use this same philosophy in other situations? It is like saying that instead of trying to inform the authorities of the growing graffiti problem in your city, you would instead hand out free cans of spraypaint, therefore adding to the problem in order to gain the attention the issue needs to be taken seriously? Interesting, well I am sorry for sounding a bit harsh in my first post but I just don't with the "meaning" to your "madness".


-Ryan

niteshd
2006-02-01 15:02:38
Please do some research before accusing me
Do I believe I'm helping out? ABSOLUTELY. This is one of the typical approaches taken by the security community: Give the vendor enough time to fix their vulnerability. If the vendor does not respond in a reasonable amount of time - it is quite ethical to make noise about it so 1) The end users (victims) are aware 2) The vendor gets their act together and fixes the issue.


You seem to have a different view point on this - and that's that. However, yes, to answer your question, I do believe I'm helping out.

SanguineO
2006-02-01 15:05:45
Full disclosure sucks rocks!
I agree with Ryan, shame on you Nitesh. The more the mainstream press talks about this the sooner Cingular will fix the issue and I won't be able to find out who's leaving messages on my ex-girlfriend's phone. Right now she's totally unaware that I'm doing this, but imagine her surprise when she reads this blog post (she is a regular O'Reilly reader). Thanks a bunch! Now I'll probably get hit with a TRO from a judge.


On the other hand, maybe Ryan should pull his head out of the sand. This is KNOWN information in the "underground" of the internet, Cingular has known about it and has not attended to the vulnerability. Who's to know why not: cost? ambivalence? conceit? Companies don't like to spend dollars to do something unless they have to. Maybe if this post gets mentioned on CNN.com it will result in some action. Or maybe if enough shocked Cingular customers call the support line Cingular will fix the issue.

niteshd
2006-02-01 15:09:47
Full disclosure sucks rocks!
Well put - thank you.
thehotness
2006-02-01 15:10:09
Please do some research before accusing me
"It is like saying that instead of trying to inform the authorities of the growing graffiti problem in your city, you would instead hand out free cans of spraypaint, therefore adding to the problem in order to gain the attention the issue needs to be taken seriously?"


That is the worst damn simile I have ever heard. If you are going to compare apples to oranges at least make sure it's the same fruit. The equivalent of what he is doing, is going to the town meeting hall and saying that there is a graffiti problem. I hate people that constantly say exploits should never be talked about publicly, or else people will exploit them. Sure people are going to exploit them, but people are going to exploit them regardless. At least by talking about it, you get PEOPLE TALKING about it, which leads to a solution.


GO READ A BOOK.

myc18
2006-02-01 16:14:41
Full disclosure, and thank you Nitesh
Nitesh, thank you for the information. I for one support your security disclosure. Yes, security disclosure is a really rough issue. Good intent, bad intent, it doesn't matter --you are looked at as the bad guy. You are doing a lot of people a favor. The one who looks like an ass right now is Cingular, and they are notorious for not getting their act together. If someone, or something, does not get their shit together, then you might as well make some noise. Remember, a major (security) mistake that many companies make is pretending and hoping that the problem will go away. Security breaches are everywhere, publicized and unpublicized. But remember, the first line of defense is to defend and protect yourself and your systems.
bphiett
2006-02-02 05:05:34
Please do some research before accusing me
This moral dilemma is actually very straightforward in this case.
Ryan, you're wrong. Nitesh, you're right.
Simple as that.
frankxiv
2006-02-05 21:54:07
Please do some research before accusing me
I guess you missed the part of the post where he told users how to protect themselves from this issue. I think he is helping out in two ways:
  1. Making noise about the issue and hopefully causing Cingular to fix the problem.

  2. Giving the user community a work around solution so that they don't fall victim to the problem.

sridom
2006-03-28 21:15:50
Please do some research before accusing me
Nice work Nitesh !
rkamun1
2006-04-25 10:57:38
wow
wow....Ryan....are you serious?? Do you live in the same world we live in? Ignorance is not bliss in the internet world buddy, for everything you don't know, someone knows about it and is exploiting it...
Jason
2006-08-08 13:44:30
I am pretty sure it works with TMobile Too...... Found out about this many many months ago demonstrating a call from Spooftel.com


here's another one too


Send a text gram with option of caller id spoofing. Type a message and it plays the message over the phone in a synthesized voice

TZG
2007-06-01 10:02:49
here is another site that boasts caller id service. The reason I mention here is that at least this one is hosted outside jurisdiction, so it's a little more private
Mike Deals
2007-06-01 10:04:07
I like http://www.thezerogroup.com the best because I can change my voice during the call in real time
PDXUSA
2007-06-19 19:38:18
We have a solution that goes further than caller ID, we actually verify & validate ANI (the billing telephone number) used to make that call so you know for sure who called.


Our website is:


http://www.pdxusa.net


Once you scan through the details, it will become obvious that our solution is solid, tested and guaranteed.


PDXUSA, a telecommunications provider.


Google pdxusa


Theresa
2007-07-12 06:56:31
I am a 60 year old victim of ANI Spoofing, Can I press legal charges ?