SlideShare uma empresa Scribd logo

Compromising online accounts by cracking voicemail systems

Martin Vigo
Martin Vigo

Voicemail systems have been with us since the 80s. They played a big role in the earlier hacking scene and re-reading those e-zines, articles and tutorials paints an interesting picture. Not much has changed. Not in the technology nor in the attack vectors. Can we leverage the last 30 years innovations to further compromise voicemail systems? And what is the real impact today of pwning these? In this talk I will cover voicemail systems, it's security and how we can use oldskool techniques and new ones on top of current technology to compromise them. I will discuss the broader impact of gaining unauthorized access to voicemail systems today and introduce a new tool that automates the process.

Tecnologia
1 de 46
Baixar para ler offline
Compromising online accounts by cracking voicemail systems Martin Vigo @martin_vigo | martinvigo.com
Martin Vigo Product Security Lead From Galicia, Spain Research | Scuba | Gin tonics @martin_vigo - martinvigo.com Amstrad CPC 6128 Captured while playing “La Abadía del crímen”
History back to ezines
Hacking Telephone Answering Machines by Doctor Pizz and Cybersperm “You can just enter all 2-digit combinations until you get the right one” … “A more sophisticated and fast way to do this is to take advantage of the fact that such machines typically do not read two numbers at a time, and discard them, but just look for the correct sequence”
Hacking AT&T Answering Machines Quick and Dirty by oleBuzzard “Quickly Enter the following string: 1234567898765432135792468642973147419336699 4488552277539596372582838491817161511026203 040506070809001 (this is the shortest string for entering every possible 2-digit combo.)”
A Tutorial of Aspen Voice Mailbox Systems, by Slycath “Defaults For ASPEN Are:   (E.G. Box is 888) …. Use Normal Hacking Techniques:   -------------------------------   i.e.   1111     |   |/   9999   1234   4321”
Hacking Answering Machines 1990 by Predat0r “There is also the old "change the message" secret to make it say something to the effect of this line accepts all toll charges so you can bill third party calls to that number”
Voicemail security in the ‘80s • Default passwords • Common passwords • Bruteforceable passwords • Efficient bruteforcing sending multiple passwords at once • The greeting message is an attack vector
Voicemail security today checklist time!
Voicemail security today Default passwords • Common passwords • Bruteforceable passwords • Efficient bruteforcing by entering multiple passwords at once • The greeting message is an attack vector • AT&T • 111111 • T-Mobile • Last 4 digits of the phone number • Sprint • Last 7 digit of the phone number • Verizon • Last 4 digits of the phone number
Voicemail security today Default passwords Common passwords • Bruteforceable passwords • Efficient bruteforcing by entering multiple passwords at once • The greeting message is an attack vector 2012 Research study by Data Genetics http://www.datagenetics.com/blog/september32012
Voicemail security today Default passwords Common passwords Bruteforceable passwords • Efficient bruteforcing by entering multiple passwords at once • The greeting message is an attack vector • AT&T • 4 to 10 digits • T-Mobile • 4 to 7 digits • Sprint • 4 to 10 digits • Verizon • 4 to 6 digits
Voicemail security today Default passwords Common passwords Bruteforceable passwords Efficient bruteforcing by entering multiple passwords at once • The greeting message is an attack vector • Can try multiple pins at a time • 0000#1111#2222# • Without waiting for prompt • or error messages
voicemailcracker.py bruteforcing voicemails fast, cheap, easy, efficiently and undetected
voicemailcracker.py • Fast • Uses Twilio’s APIs to make hundreds of calls at a time • Cheap • Entire 4 digits keyspace for $40 • A 50% chance of correctly guessing a 4 digit PIN for $5 • Check 1000 phone numbers for default PIN for $13 • Easy • Fully automated • Configured with specific payloads for major carriers • Efficient • Optimizes bruteforcing • Tries multiple PINs in the same call • Uses existing research to prioritize default PINs, common PINs, patterns, etc.
Undetected
Straight to voicemail • Multiple calls at the same time • It’s how slydial service works in reality • Call when phone is offline • OSINT • Airplane, movie theater, remote trip, Do Not Disturb • HLR database • Queryable global GSM database • Provides mobile device information including connection status • Use backdoor voicemail numbers • No need to dial victim’s number! • AT&T: 408-307-5049 • Verizon: 301-802-6245 • T-Mobile: 805-637-7243 • Sprint: 513-225-6245
voicemailcracker.py • Fast • Uses Twilio’s services to make hundreds of calls at a time • Cheap • All 4 digits keyspace under $10 • Easy • Enter victim’s phone number and wait for the PIN • Configured with specific payloads for major carriers • Efficient • Optimizes bruteforcing • Tries multiple PINs in the same call • Uses existing research to prioritize default PINs, common PINs, patterns, etc. •Undetected •Supports backdoor voicemail numbers
Demo bruteforcing voicemail systems with voicemailcracker.py
Impact so what?
What happens if you don’t pick up?
Voicemail takes the call and records it!
Attack vector 1. Bruteforce voicemail system, ideally using backdoor numbers 2. Ensure calls go straight to voicemail (call flooding, OSINT, HLR) 3. Start password reset process using “Call me” feature 4. Listen to the recorded message containing the secret code 5. Profit! voicemailcracker.py can do all this automatically
Demo compromising WhatsApp
We done? Not yet…
User interaction based protection Please press any key to hear the code… Please press [ARANDOMKEY] to hear the code… Please enter the code…
Can we beat this recommended protection?
Hint
Another hint Default passwords Common passwords Bruteforceable passwords Efficient bruteforcing by entering multiple passwords at once The greeting message is an attack vector
We can record DTMF tones as the greeting message!
Attack vector 1. Bruteforce voicemail system, ideally using backdoor numbers 2. Update greeting message according to the account to be hacked 3. Ensure calls go straight to voicemail (call flooding, OSINT, HLR) 4. Start password reset process using “Call me” feature 5. Listen to the recorded message containing the secret code 6. Profit! voicemailcracker.py can do all this automatically
Demo compromising Paypal
Vulnerable services small subset
Password reset
2FA
Verification
Consent
Open source
voicemailautomator.py • No bruteforcing • Support for 1 carrier only • Change greeting message with specially crafted payloads • Retrieve messages containing the secret temp codes Git repo: github.com/martinvigo/voicemailautomator
Recommendations
Recommendations for online services • Don’t use automated calls for security purposes • nor SMS (check out my recent BSidesLV talk: “Ransombile, yet another reason to ditch SMS”) • If not possible, detect answering machine and fail • Require user interaction before providing the secret • with the hope that carriers ban DTMF tones from greeting messages
Recommendations for carriers • Ban DTMF tones from greeting messages • Eliminate backdoor voicemail services • or don’t allow access to login prompt from them • Voicemail disabled by default • and can only be activated from the actual phone or online • No default PIN • Don’t allow common PINs • Detect abuse and bruteforce attempts • Don’t process multiple PINs at once
Recommendations for you • Disable voicemail • or use longest possible, random PIN • Don’t provide phone number to online services unless required • or it’s the only way to get 2FA • use a virtual number to prevent OSINT and SIM swapping • Use 2FA apps only
TL;DR Automated phone calls are a common solution for password reset, 2FA and verification services. These can be compromised by leveraging old weaknesses and current technology to exploit the weakest link, voicemail systems Strong password policy 2FA enforced A+ in OWASP Top 10 checklist Abuse/Bruteforce prevention Password reset | 2FA | Verification | Consent over phone call Military grade crypto end to end Lots of cyber
THANK YOU! @martin_vigo martinvigo.com martinvigo@gmail.com linkedin.com/in/martinvigo github.com/martinvigo youtube.com/martinvigo

Recomendados

Ransombile: yet another reason to ditch sms
Ransombile: yet another reason to ditch smsRansombile: yet another reason to ditch sms
Ransombile: yet another reason to ditch sms
Martin Vigo
 
From email address to phone number, a new OSINT approach
From email address to phone number, a new OSINT approachFrom email address to phone number, a new OSINT approach
From email address to phone number, a new OSINT approach
Martin Vigo
 
Spoofing
Spoofing Spoofing
Spoofing
paulina villanueva
 
Lenovo
LenovoLenovo
Lenovo
fbivirusalert
 
A guide to email spoofing
A guide to email spoofingA guide to email spoofing
A guide to email spoofing
MattChapman50
 
Voip (In)Security - AfricaHackOn v2
Voip (In)Security - AfricaHackOn v2Voip (In)Security - AfricaHackOn v2
Voip (In)Security - AfricaHackOn v2
George Wahome
 
Email phising and spoofing hurting your business
Email phising and spoofing hurting your businessEmail phising and spoofing hurting your business
Email phising and spoofing hurting your business
Mithi SkyConnect
 
Network Security and Spoofing Attacks
Network Security and Spoofing AttacksNetwork Security and Spoofing Attacks
Network Security and Spoofing Attacks
PECB
 

Recomendados

Ransombile: yet another reason to ditch sms
Ransombile: yet another reason to ditch smsRansombile: yet another reason to ditch sms
Ransombile: yet another reason to ditch sms
Martin Vigo
 
From email address to phone number, a new OSINT approach
From email address to phone number, a new OSINT approachFrom email address to phone number, a new OSINT approach
From email address to phone number, a new OSINT approach
Martin Vigo
 
Spoofing
Spoofing Spoofing
Spoofing
paulina villanueva
 
Lenovo
LenovoLenovo
Lenovo
fbivirusalert
 
A guide to email spoofing
A guide to email spoofingA guide to email spoofing
A guide to email spoofing
MattChapman50
 
Voip (In)Security - AfricaHackOn v2
Voip (In)Security - AfricaHackOn v2Voip (In)Security - AfricaHackOn v2
Voip (In)Security - AfricaHackOn v2
George Wahome
 
Email phising and spoofing hurting your business
Email phising and spoofing hurting your businessEmail phising and spoofing hurting your business
Email phising and spoofing hurting your business
Mithi SkyConnect
 
Network Security and Spoofing Attacks
Network Security and Spoofing AttacksNetwork Security and Spoofing Attacks
Network Security and Spoofing Attacks
PECB
 
Block numbers on any i phone simple process
Block numbers on any i phone simple processBlock numbers on any i phone simple process
Block numbers on any i phone simple process
sagar_raj
 
S01.L06 - Internet Security
S01.L06 - Internet SecurityS01.L06 - Internet Security
S01.L06 - Internet Security
selcukca84
 
Std 12 Computer Chapter 5 Introduction to Mcommerce (Part 2)
Std 12 Computer Chapter 5 Introduction to Mcommerce (Part 2)Std 12 Computer Chapter 5 Introduction to Mcommerce (Part 2)
Std 12 Computer Chapter 5 Introduction to Mcommerce (Part 2)
Nuzhat Memon
 
Spoofing attack: Learn about Email spoofing, IP address spoofing and many other
Spoofing attack: Learn about Email spoofing, IP address spoofing and many otherSpoofing attack: Learn about Email spoofing, IP address spoofing and many other
Spoofing attack: Learn about Email spoofing, IP address spoofing and many other
Pankaj Dubey
 
Enhanced adaptive security system for SMS – based One Time Password
Enhanced adaptive security system for SMS – based One Time PasswordEnhanced adaptive security system for SMS – based One Time Password
Enhanced adaptive security system for SMS – based One Time Password
Chandrapriya Rediex
 
Spoofing
SpoofingSpoofing
Spoofing
Greater Noida Institute Of Technology
 
Compromising online accounts by cracking voicemail systems
Compromising online accounts by cracking voicemail systemsCompromising online accounts by cracking voicemail systems
Compromising online accounts by cracking voicemail systems
Priyanka Aash
 
Workshop on Cyber security and investigation
Workshop on Cyber security and investigationWorkshop on Cyber security and investigation
Workshop on Cyber security and investigation
Mehedi Hasan
 
Personal Internet Security Practice
Personal Internet Security PracticePersonal Internet Security Practice
Personal Internet Security Practice
Brian Pichman
 
eSecurity! Keeping your Business and Customers Safe
eSecurity! Keeping your Business and Customers SafeeSecurity! Keeping your Business and Customers Safe
eSecurity! Keeping your Business and Customers Safe
AVG Technologies AU
 
Password Cracking
Password CrackingPassword Cracking
Password Cracking
Sagar Verma
 
Cybersecurity cyberlab1
Cybersecurity cyberlab1Cybersecurity cyberlab1
Cybersecurity cyberlab1
rayborg
 
11 Commandments of Cyber Security for the Home
11 Commandments of Cyber Security for the Home11 Commandments of Cyber Security for the Home
11 Commandments of Cyber Security for the Home
zaimorkai
 
Internet security
Internet securityInternet security
Internet security
Antony Mathew
 
Number one-issue-voip-today-fraud
Number one-issue-voip-today-fraudNumber one-issue-voip-today-fraud
Number one-issue-voip-today-fraud
Flavio Eduardo de Andrade Goncalves
 
Csc kit-strong-password-ppt-en
Csc kit-strong-password-ppt-enCsc kit-strong-password-ppt-en
Csc kit-strong-password-ppt-en
Julien Marteel
 
Iron Bastion: How to Manage Your Clients' Data Responsibly
Iron Bastion: How to Manage Your Clients' Data ResponsiblyIron Bastion: How to Manage Your Clients' Data Responsibly
Iron Bastion: How to Manage Your Clients' Data Responsibly
Gabor Szathmari
 
BSides Hannover 2015 - Shell on Wheels
BSides Hannover 2015 - Shell on WheelsBSides Hannover 2015 - Shell on Wheels
BSides Hannover 2015 - Shell on Wheels
infodox
 
SANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
SANSFIRE18: War Stories on Using Automated Threat Intelligence for DefenseSANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
SANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
John Bambenek
 
How to Protect Against TDOS Attacks
How to Protect Against TDOS AttacksHow to Protect Against TDOS Attacks
How to Protect Against TDOS Attacks
Alan Percy
 
How to Protect Against TDOS Attacks
How to Protect Against TDOS AttacksHow to Protect Against TDOS Attacks
How to Protect Against TDOS Attacks
TelcoBridges Inc.
 
Cyber Security Seminar
Cyber Security SeminarCyber Security Seminar
Cyber Security Seminar
Jeremy Quadri
 

Mais conteúdo relacionado

Mais procurados

Mais procurados (6)

Block numbers on any i phone simple process
Block numbers on any i phone simple processBlock numbers on any i phone simple process
Block numbers on any i phone simple process
 
S01.L06 - Internet Security
S01.L06 - Internet SecurityS01.L06 - Internet Security
S01.L06 - Internet Security
 
Std 12 Computer Chapter 5 Introduction to Mcommerce (Part 2)
Std 12 Computer Chapter 5 Introduction to Mcommerce (Part 2)Std 12 Computer Chapter 5 Introduction to Mcommerce (Part 2)
Std 12 Computer Chapter 5 Introduction to Mcommerce (Part 2)
 
Spoofing attack: Learn about Email spoofing, IP address spoofing and many other
Spoofing attack: Learn about Email spoofing, IP address spoofing and many otherSpoofing attack: Learn about Email spoofing, IP address spoofing and many other
Spoofing attack: Learn about Email spoofing, IP address spoofing and many other
 
Enhanced adaptive security system for SMS – based One Time Password
Enhanced adaptive security system for SMS – based One Time PasswordEnhanced adaptive security system for SMS – based One Time Password
Enhanced adaptive security system for SMS – based One Time Password
 
Spoofing
SpoofingSpoofing
Spoofing
 

Semelhante a Compromising online accounts by cracking voicemail systems

Compromising online accounts by cracking voicemail systems
Compromising online accounts by cracking voicemail systemsCompromising online accounts by cracking voicemail systems
Compromising online accounts by cracking voicemail systems
Priyanka Aash
 
Workshop on Cyber security and investigation
Workshop on Cyber security and investigationWorkshop on Cyber security and investigation
Workshop on Cyber security and investigation
Mehedi Hasan
 
SANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
SANSFIRE18: War Stories on Using Automated Threat Intelligence for DefenseSANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
SANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
John Bambenek
 
How to Protect Against TDOS Attacks
How to Protect Against TDOS AttacksHow to Protect Against TDOS Attacks
How to Protect Against TDOS Attacks
Alan Percy
 
How to Protect Against TDOS Attacks
How to Protect Against TDOS AttacksHow to Protect Against TDOS Attacks
How to Protect Against TDOS Attacks
TelcoBridges Inc.
 
Wfh security risks - Ed Adams, President, Security Innovation
Wfh security risks - Ed Adams, President, Security InnovationWfh security risks - Ed Adams, President, Security Innovation
Wfh security risks - Ed Adams, President, Security Innovation
Priyanka Aash
 

Semelhante a Compromising online accounts by cracking voicemail systems (20)

Compromising online accounts by cracking voicemail systems
Compromising online accounts by cracking voicemail systemsCompromising online accounts by cracking voicemail systems
Compromising online accounts by cracking voicemail systems
 
Workshop on Cyber security and investigation
Workshop on Cyber security and investigationWorkshop on Cyber security and investigation
Workshop on Cyber security and investigation
 
Personal Internet Security Practice
Personal Internet Security PracticePersonal Internet Security Practice
Personal Internet Security Practice
 
eSecurity! Keeping your Business and Customers Safe
eSecurity! Keeping your Business and Customers SafeeSecurity! Keeping your Business and Customers Safe
eSecurity! Keeping your Business and Customers Safe
 
Password Cracking
Password CrackingPassword Cracking
Password Cracking
 
Cybersecurity cyberlab1
Cybersecurity cyberlab1Cybersecurity cyberlab1
Cybersecurity cyberlab1
 
11 Commandments of Cyber Security for the Home
11 Commandments of Cyber Security for the Home11 Commandments of Cyber Security for the Home
11 Commandments of Cyber Security for the Home
 
Internet security
Internet securityInternet security
Internet security
 
Number one-issue-voip-today-fraud
Number one-issue-voip-today-fraudNumber one-issue-voip-today-fraud
Number one-issue-voip-today-fraud
 
Csc kit-strong-password-ppt-en
Csc kit-strong-password-ppt-enCsc kit-strong-password-ppt-en
Csc kit-strong-password-ppt-en
 
Iron Bastion: How to Manage Your Clients' Data Responsibly
Iron Bastion: How to Manage Your Clients' Data ResponsiblyIron Bastion: How to Manage Your Clients' Data Responsibly
Iron Bastion: How to Manage Your Clients' Data Responsibly
 
BSides Hannover 2015 - Shell on Wheels
BSides Hannover 2015 - Shell on WheelsBSides Hannover 2015 - Shell on Wheels
BSides Hannover 2015 - Shell on Wheels
 
SANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
SANSFIRE18: War Stories on Using Automated Threat Intelligence for DefenseSANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
SANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
 
How to Protect Against TDOS Attacks
How to Protect Against TDOS AttacksHow to Protect Against TDOS Attacks
How to Protect Against TDOS Attacks
 
How to Protect Against TDOS Attacks
How to Protect Against TDOS AttacksHow to Protect Against TDOS Attacks
How to Protect Against TDOS Attacks
 
Cyber Security Seminar
Cyber Security SeminarCyber Security Seminar
Cyber Security Seminar
 
Encryption for Everyone
Encryption for EveryoneEncryption for Everyone
Encryption for Everyone
 
VoIP Security 101 what you need to know
VoIP Security 101 what you need to knowVoIP Security 101 what you need to know
VoIP Security 101 what you need to know
 
Aes jul-upload
Aes jul-uploadAes jul-upload
Aes jul-upload
 
Wfh security risks - Ed Adams, President, Security Innovation
Wfh security risks - Ed Adams, President, Security InnovationWfh security risks - Ed Adams, President, Security Innovation
Wfh security risks - Ed Adams, President, Security Innovation
 

Mais de Martin Vigo

Phonerator, an advanced *valid* phone number generator for your OSINT/SE needs
Phonerator, an advanced *valid* phone number generator for your OSINT/SE needsPhonerator, an advanced *valid* phone number generator for your OSINT/SE needs
Phonerator, an advanced *valid* phone number generator for your OSINT/SE needs
Martin Vigo
 
Phonerator, an advanced *valid* phone number generator for your OSINT/SE needs
Phonerator, an advanced *valid* phone number generator for your OSINT/SE needsPhonerator, an advanced *valid* phone number generator for your OSINT/SE needs
Phonerator, an advanced *valid* phone number generator for your OSINT/SE needs
Martin Vigo
 
Breaking vaults: Stealing Lastpass protected secrets
Breaking vaults: Stealing Lastpass protected secretsBreaking vaults: Stealing Lastpass protected secrets
Breaking vaults: Stealing Lastpass protected secrets
Martin Vigo
 
Even the LastPass Will be Stolen Deal with It!
Even the LastPass Will be Stolen Deal with It!Even the LastPass Will be Stolen Deal with It!
Even the LastPass Will be Stolen Deal with It!
Martin Vigo
 
Do-it-Yourself Spy Program: Abusing Apple’s Call Relay Protocol
Do-it-Yourself Spy Program: Abusing Apple’s Call Relay ProtocolDo-it-Yourself Spy Program: Abusing Apple’s Call Relay Protocol
Do-it-Yourself Spy Program: Abusing Apple’s Call Relay Protocol
Martin Vigo
 
Do-it-Yourself Spy Program: Abusing Apple’s Call Relay Protocol
Do-it-Yourself Spy Program: Abusing Apple’s Call Relay ProtocolDo-it-Yourself Spy Program: Abusing Apple’s Call Relay Protocol
Do-it-Yourself Spy Program: Abusing Apple’s Call Relay Protocol
Martin Vigo
 

Mais de Martin Vigo (11)

Phonerator, an advanced *valid* phone number generator for your OSINT/SE needs
Phonerator, an advanced *valid* phone number generator for your OSINT/SE needsPhonerator, an advanced *valid* phone number generator for your OSINT/SE needs
Phonerator, an advanced *valid* phone number generator for your OSINT/SE needs
 
Phonerator, an advanced *valid* phone number generator for your OSINT/SE needs
Phonerator, an advanced *valid* phone number generator for your OSINT/SE needsPhonerator, an advanced *valid* phone number generator for your OSINT/SE needs
Phonerator, an advanced *valid* phone number generator for your OSINT/SE needs
 
Mobile apps security. Beyond XSS, CSRF and SQLi
Mobile apps security. Beyond XSS, CSRF and SQLiMobile apps security. Beyond XSS, CSRF and SQLi
Mobile apps security. Beyond XSS, CSRF and SQLi
 
Building secure mobile apps
Building secure mobile appsBuilding secure mobile apps
Building secure mobile apps
 
Secure Salesforce: Hardened Apps with the Mobile SDK
Secure Salesforce: Hardened Apps with the Mobile SDKSecure Salesforce: Hardened Apps with the Mobile SDK
Secure Salesforce: Hardened Apps with the Mobile SDK
 
Breaking vaults: Stealing Lastpass protected secrets
Breaking vaults: Stealing Lastpass protected secretsBreaking vaults: Stealing Lastpass protected secrets
Breaking vaults: Stealing Lastpass protected secrets
 
Even the LastPass Will be Stolen Deal with It!
Even the LastPass Will be Stolen Deal with It!Even the LastPass Will be Stolen Deal with It!
Even the LastPass Will be Stolen Deal with It!
 
Creating secure apps using the salesforce mobile sdk
Creating secure apps using the salesforce mobile sdkCreating secure apps using the salesforce mobile sdk
Creating secure apps using the salesforce mobile sdk
 
Security Vulnerabilities: How to Defend Against Them
Security Vulnerabilities: How to Defend Against ThemSecurity Vulnerabilities: How to Defend Against Them
Security Vulnerabilities: How to Defend Against Them
 
Do-it-Yourself Spy Program: Abusing Apple’s Call Relay Protocol
Do-it-Yourself Spy Program: Abusing Apple’s Call Relay ProtocolDo-it-Yourself Spy Program: Abusing Apple’s Call Relay Protocol
Do-it-Yourself Spy Program: Abusing Apple’s Call Relay Protocol
 
Do-it-Yourself Spy Program: Abusing Apple’s Call Relay Protocol
Do-it-Yourself Spy Program: Abusing Apple’s Call Relay ProtocolDo-it-Yourself Spy Program: Abusing Apple’s Call Relay Protocol
Do-it-Yourself Spy Program: Abusing Apple’s Call Relay Protocol
 

Último

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Orbitshub
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
Overkill Security
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 

Último (20)

Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 

Compromising online accounts by cracking voicemail systems

  • 1. Compromising online accounts by cracking voicemail systems Martin Vigo @martin_vigo | martinvigo.com
  • 2. Martin Vigo Product Security Lead From Galicia, Spain Research | Scuba | Gin tonics @martin_vigo - martinvigo.com Amstrad CPC 6128 Captured while playing “La Abadía del crímen”
  • 4. Hacking Telephone Answering Machines by Doctor Pizz and Cybersperm “You can just enter all 2-digit combinations until you get the right one” … “A more sophisticated and fast way to do this is to take advantage of the fact that such machines typically do not read two numbers at a time, and discard them, but just look for the correct sequence”
  • 5. Hacking AT&T Answering Machines Quick and Dirty by oleBuzzard “Quickly Enter the following string: 1234567898765432135792468642973147419336699 4488552277539596372582838491817161511026203 040506070809001 (this is the shortest string for entering every possible 2-digit combo.)”
  • 6. A Tutorial of Aspen Voice Mailbox Systems, by Slycath “Defaults For ASPEN Are:   (E.G. Box is 888) …. Use Normal Hacking Techniques:   -------------------------------   i.e.   1111     |   |/   9999   1234   4321”
  • 7. Hacking Answering Machines 1990 by Predat0r “There is also the old "change the message" secret to make it say something to the effect of this line accepts all toll charges so you can bill third party calls to that number”
  • 8. Voicemail security in the ‘80s • Default passwords • Common passwords • Bruteforceable passwords • Efficient bruteforcing sending multiple passwords at once • The greeting message is an attack vector
  • 10. Voicemail security today Default passwords • Common passwords • Bruteforceable passwords • Efficient bruteforcing by entering multiple passwords at once • The greeting message is an attack vector • AT&T • 111111 • T-Mobile • Last 4 digits of the phone number • Sprint • Last 7 digit of the phone number • Verizon • Last 4 digits of the phone number
  • 11. Voicemail security today Default passwords Common passwords • Bruteforceable passwords • Efficient bruteforcing by entering multiple passwords at once • The greeting message is an attack vector 2012 Research study by Data Genetics http://www.datagenetics.com/blog/september32012
  • 12. Voicemail security today Default passwords Common passwords Bruteforceable passwords • Efficient bruteforcing by entering multiple passwords at once • The greeting message is an attack vector • AT&T • 4 to 10 digits • T-Mobile • 4 to 7 digits • Sprint • 4 to 10 digits • Verizon • 4 to 6 digits
  • 13. Voicemail security today Default passwords Common passwords Bruteforceable passwords Efficient bruteforcing by entering multiple passwords at once • The greeting message is an attack vector • Can try multiple pins at a time • 0000#1111#2222# • Without waiting for prompt • or error messages
  • 14. voicemailcracker.py bruteforcing voicemails fast, cheap, easy, efficiently and undetected
  • 15. voicemailcracker.py • Fast • Uses Twilio’s APIs to make hundreds of calls at a time • Cheap • Entire 4 digits keyspace for $40 • A 50% chance of correctly guessing a 4 digit PIN for $5 • Check 1000 phone numbers for default PIN for $13 • Easy • Fully automated • Configured with specific payloads for major carriers • Efficient • Optimizes bruteforcing • Tries multiple PINs in the same call • Uses existing research to prioritize default PINs, common PINs, patterns, etc.
  • 17. Straight to voicemail • Multiple calls at the same time • It’s how slydial service works in reality • Call when phone is offline • OSINT • Airplane, movie theater, remote trip, Do Not Disturb • HLR database • Queryable global GSM database • Provides mobile device information including connection status • Use backdoor voicemail numbers • No need to dial victim’s number! • AT&T: 408-307-5049 • Verizon: 301-802-6245 • T-Mobile: 805-637-7243 • Sprint: 513-225-6245
  • 18. voicemailcracker.py • Fast • Uses Twilio’s services to make hundreds of calls at a time • Cheap • All 4 digits keyspace under $10 • Easy • Enter victim’s phone number and wait for the PIN • Configured with specific payloads for major carriers • Efficient • Optimizes bruteforcing • Tries multiple PINs in the same call • Uses existing research to prioritize default PINs, common PINs, patterns, etc. •Undetected •Supports backdoor voicemail numbers
  • 19. Demo bruteforcing voicemail systems with voicemailcracker.py
  • 21.
  • 22. What happens if you don’t pick up?
  • 23. Voicemail takes the call and records it!
  • 24. Attack vector 1. Bruteforce voicemail system, ideally using backdoor numbers 2. Ensure calls go straight to voicemail (call flooding, OSINT, HLR) 3. Start password reset process using “Call me” feature 4. Listen to the recorded message containing the secret code 5. Profit! voicemailcracker.py can do all this automatically
  • 26. We done? Not yet…
  • 27. User interaction based protection Please press any key to hear the code… Please press [ARANDOMKEY] to hear the code… Please enter the code…
  • 28. Can we beat this recommended protection?
  • 29. Hint
  • 30. Another hint Default passwords Common passwords Bruteforceable passwords Efficient bruteforcing by entering multiple passwords at once The greeting message is an attack vector
  • 31. We can record DTMF tones as the greeting message!
  • 32. Attack vector 1. Bruteforce voicemail system, ideally using backdoor numbers 2. Update greeting message according to the account to be hacked 3. Ensure calls go straight to voicemail (call flooding, OSINT, HLR) 4. Start password reset process using “Call me” feature 5. Listen to the recorded message containing the secret code 6. Profit! voicemailcracker.py can do all this automatically
  • 36. 2FA
  • 40. voicemailautomator.py • No bruteforcing • Support for 1 carrier only • Change greeting message with specially crafted payloads • Retrieve messages containing the secret temp codes Git repo: github.com/martinvigo/voicemailautomator
  • 42. Recommendations for online services • Don’t use automated calls for security purposes • nor SMS (check out my recent BSidesLV talk: “Ransombile, yet another reason to ditch SMS”) • If not possible, detect answering machine and fail • Require user interaction before providing the secret • with the hope that carriers ban DTMF tones from greeting messages
  • 43. Recommendations for carriers • Ban DTMF tones from greeting messages • Eliminate backdoor voicemail services • or don’t allow access to login prompt from them • Voicemail disabled by default • and can only be activated from the actual phone or online • No default PIN • Don’t allow common PINs • Detect abuse and bruteforce attempts • Don’t process multiple PINs at once
  • 44. Recommendations for you • Disable voicemail • or use longest possible, random PIN • Don’t provide phone number to online services unless required • or it’s the only way to get 2FA • use a virtual number to prevent OSINT and SIM swapping • Use 2FA apps only
  • 45. TL;DR Automated phone calls are a common solution for password reset, 2FA and verification services. These can be compromised by leveraging old weaknesses and current technology to exploit the weakest link, voicemail systems Strong password policy 2FA enforced A+ in OWASP Top 10 checklist Abuse/Bruteforce prevention Password reset | 2FA | Verification | Consent over phone call Military grade crypto end to end Lots of cyber