compromising online accounts by cracking voicemail systems
play

Compromising online accounts by cracking voicemail systems Martin - PowerPoint PPT Presentation

Oct 28, 2023 •187 likes •768 views

Compromising online accounts by cracking voicemail systems Martin Vigo @martin_vigo | martinvigo.com 8 2 1 6 C P C d n a e m r r c t l e d s a d m a b A A a L g n i y a l p e l i h w d

  1. Compromising online accounts by cracking voicemail systems Martin Vigo @martin_vigo | martinvigo.com

  2. 8 2 1 6 C P C d ” n a e m í r r c t l e d s a í d m a b A A a L “ g n i y a l p e l i h w d e r u t p a C Martin Vigo Product Security Lead From Galicia, Spain Research | Scuba | Gin tonics @martin_vigo - martinvigo.com

  3. History back to ezines

  4. “You can just enter all 2-digit combinations until you get the right one” … “A more sophisticated and fast way to do this is to take advantage of the fact that such machines typically do not read two numbers at a time, and discard them, but just look for the correct sequence” Hacking Telephone Answering Machines by Doctor Pizz and Cybersperm

  5. “Quickly Enter the following string: 123456789876543213579246864297314741933669944885522775395 96372582838491817161511026203040506070809001 (this is the shortest string for entering every possible 2-digit combo.)” Hacking AT&T Answering Machines Quick and Dirty by oleBuzzard

  6. “Defaults For ASPEN Are: (E.G. Box is 888) …. Use Normal Hacking Techniques: ------------------------------- i.e. 1111 | \|/ 9999 1234 4321” A Tutorial of Aspen Voice Mailbox Systems, by Slycath

  7. “There is also the old "change the message" secret to make it say something to the effect of this line accepts all toll charges so you can bill third party calls to that number” Hacking Answering Machines 1990 by Predat0r

  8. Voicemail security in the ‘80s • Default PINs • Common PINs • Bruteforceable PINs • E ffi cient bruteforcing sending multiple PINs at once • The greeting message is an attack vector

  9. Voicemail security today checklist time!

  10. Voicemail security today Default PINs • Common PINs • AT&T • Vodafone • 111111 • Bruteforceable PINs • 4 last digits of client number • T-Mobile • 4 last digits of PUK for CallYa • E ffi cient bruteforcing • Last 4 digits of the phone number by entering multiple • Telekom PINs at once • Sprint • 4 last digits of card number • Last 7 digit of the phone number • The greeting • O2 message is an attack • Verizon vector • 8705 • Last 4 digits of the phone number

  11. Voicemail security today 2012 Research study by Data Genetics https://www.datagenetics.com/blog/september32012 Default PINs Common PINs • Bruteforceable PINs • E ffi cient bruteforcing by entering multiple PINs at once • The greeting message is an attack vector

  12. Voicemail security today Default PINs • Vodafone Common PINs • AT&T • 4 to 10 digits Bruteforceable PINs • 4 to 7 digits • T-Mobile • E ffi cient bruteforcing • Telekom • 4 to 7 digits by entering multiple PINs at once • Sprint • 4 to 10 digits • 4 to 10 digits • The greeting • O2 message is an attack • Verizon vector • 4 to 10 digits • 4 to 6 digits

  13. Voicemail security today Default PINs Common PINs • Supports multiple pins at a time Bruteforceable PINs E ffi cient bruteforcing • 0000#1111#2222# by entering multiple PINs at once • Without waiting for prompt • The greeting • or error messages message is an attack vector

  14. voicemailcracker.py bruteforcing voicemails fast, cheap, easy, e ffi ciently and undetected

  15. voicemailcracker.py • Fast • Easy • Fully automated • Uses Twilio’s APIs to make hundreds of calls at a time • Configured with specific payloads for major carriers • Cheap • E ffi cient • Entire 4 digits keyspace for $40 • Optimizes bruteforcing • A 50% chance of correctly guessing a 4 digit PIN for $5 • Tries multiple PINs in the same call • Check 1000 phone numbers for • Uses existing research to prioritize default default PIN for $13 PINs, common PINs, patterns, etc.

  16. Undetected

  17. Straight to voicemail • Use backdoor voicemail • Multiple calls at the same time • It’s how slydial service works in reality numbers • Call when phone is o ffl ine • No need to call the victim! • OSINT • Airplane, movie theater, remote trip, Do Not Disturb • Query HLR database AT&T: 408-307-5049 Vodafone: XXX-55-XXXXXXXX • Online services like realphonevalidation.com Verizon: 301-802-6245 Telekom: XXX-13-XXXXXXXX • Class 0 SMS T-Mobile: 805-637-7243 O2: XXX-33-XXXXXXXX Sprint: 513-225-6245 • Reports back if it was displayed

  18. voicemailcracker.py • Fast • Easy • Fully automated • Uses Twilio’s APIs to make hundreds • Configured with specific payloads for major carriers of calls at a time • E ffi cient • Cheap • Optimizes bruteforcing • Entire 4 digits keyspace for $40 • Tries multiple PINs in the same call • A 50% chance of correctly guessing a • Uses existing research to prioritize default PINs, common PINs, patterns, etc. 4 digit PIN for $5 • Undetected • Check 1000 phone numbers for • Supports backdoor voicemail numbers default PIN for $13

  19. Bruteforce protections

  20. Different flavors in Germany Vodafone Telekom O2 Blocks the Caller ID from Resets to a 6 digit PIN Connects directly to accessing mailbox and sends it over SMS customer help-line or even leaving messages

  21. Caller IDs are cheap Vodafone Resets to a 6 digit PIN and sends it over SMS Telekom Blocks the Caller ID from accessing mailbox or even leaving messages O2 Connects directly to customer help-line

  22. voicemailcracker.py • Easy • Fast • Fully automated • Uses Twilio’s APIs to make hundreds • Configured with specific payloads for major carriers of calls at a time • E ffi cient • Cheap • Optimizes bruteforcing • Tries multiple PINs in the same call • Entire 4 digits keyspace for $40 • Uses existing research to prioritize default PINs, common PINs, patterns, etc. • A 50% chance of correctly guessing a • Undetected 4 digit PIN for $5 • Supports backdoor voicemail numbers • Bruteforce protection bypass • Check 1000 phone numbers for default PIN for $13 • Supports Caller ID randomization

  23. Demo bruteforcing voicemail systems with voicemailcracker.py

  25. Impact so what?

  27. What happens if you don’t pick up?

  28. Voicemail takes the call and records it!

  29. Attack vector 1. Bruteforce voicemail system, ideally using backdoor numbers 2. Ensure calls go straight to voicemail (call flooding, OSINT, etc.) 3. Start password reset process using “Call me” feature 4. Listen to the recorded message containing the secret code 5. Profit! voicemailcracker.py can do all this automatically

  30. Demo compromising WhatsApp

  32. We done? Not yet…

  33. User interaction based protection Please press any key to hear the code… Please press [ARANDOMKEY] to hear the code… Please enter the code…

  34. Can we beat this recommended protection?

  35. Hint

  36. Another hint Default PINs Common PINs Bruteforceable PINs E ffi cient bruteforcing by entering multiple PINs at once The greeting message is an attack vector

  37. We can record DTMF tones as the greeting message!

  38. Attack vector 1. Bruteforce voicemail system, ideally using backdoor numbers 2. Update greeting message according to the account to be hacked 3. Ensure calls go straight to voicemail (call flooding, OSINT, etc.) 4. Start password reset process using “Call me” feature 5. Listen to the recorded message containing the secret code 6. Profit! voicemailcracker.py can do all this automatically

  39. Demo compromising Paypal

  41. Vulnerable services small subset

  42. Password reset

  43. 2FA

  44. Verification

  45. Physical security

  46. Consent

  48. Open source

  49. voicemailautomator.py • No bruteforcing • Limited to 1 carrier • Change greeting message with specially crafted payloads • Retrieve messages containing the secret temp codes Git repo: github.com/martinvigo/voicemailautomator

  50. Recommendations

  51. Still…do I care? if (carriersSetDefaultPins == TRUE) if (testingForDefaultPinsCheapFastUndetectedAutomatable == TRUE) if (updatingGreetingMessageAutomatable == TRUE) if (retrievingNewestMessageAutomatable == TRUE) if (speechToTextTranscription == TRUE) if (accountCompromiseIsAutomatable == TRUE) print “Yes, I should care”

  52. Recommendations for online services • Don’t use automated calls for security purposes • If not possible, detect answering machine and fail • Require user interaction before providing the secret • with the hope that carriers ban DTMF tones from greeting messages

  53. Recommendations for carriers • Ban DTMF tones from greeting messages • No default PIN • Eliminate backdoor voicemail services • Don’t allow common PINs • or at least no access to login • Detect and prevent bruteforce attempts prompt from them • Voicemail disabled by default • Don’t process multiple PINs at once • and can only be activated from the actual phone or online

  54. Recommendations for you • Disable voicemail • or use longest possible, random PIN • Don’t provide phone number to online services unless required • or it’s the only way to get 2FA • use a virtual number to prevent OSINT and SIM swapping • Use 2FA apps only

Recommend

Cracking the code Cracking the code Houston, we have a problem. Consanguineous Marriage Tay

Cracking the code Cracking the code Houston, we have a problem. Consanguineous Marriage Tay

Cracking the code Cracking the code Houston, we have a problem. Consanguineous Marriage Tay Brain T2-Hyperintensity Sachs Stem Pelizaeus- B12 Metabolism U-Fibres Merzbacher Hypomyelination T1-Hypointensity CSF Salla LEUKODYSTROPHY

918 views • 62 slides
IAPF TRUSTEE NETWORK EVENT CRACKING THE DC CODE: VALUE FOR MONEY WELCOME Cracking the DC Code:

IAPF TRUSTEE NETWORK EVENT CRACKING THE DC CODE: VALUE FOR MONEY WELCOME Cracking the DC Code:

IAPF TRUSTEE NETWORK EVENT CRACKING THE DC CODE: VALUE FOR MONEY WELCOME Cracking the DC Code: Value for Money Rickard Mills Council Member, IAPF THANK YOU SPONSOR Cracking the DC Code: Value for Money HOUSEKEEPING Cracking the DC Code:

1.04k views • 54 slides
MOVING INTO AND THROUGH PRISON: IMPROVED WELLBEING THROUGH THE SPARC AND PRISON VOICEMAIL

MOVING INTO AND THROUGH PRISON: IMPROVED WELLBEING THROUGH THE SPARC AND PRISON VOICEMAIL

MOVING INTO AND THROUGH PRISON: IMPROVED WELLBEING THROUGH THE SPARC AND PRISON VOICEMAIL INITIATIVES Lauren Mumby Supervised by Todd Hogue and Amanda Roberts ICPA, Montreal, 23 rd October 2018 IMAGINE Youve been locked in a room No

574 views • 21 slides
MMFCU Bill Pay Business Accounts Bill Pay for Businesses Businesses can sign up for Online Bill

MMFCU Bill Pay Business Accounts Bill Pay for Businesses Businesses can sign up for Online Bill

MMFCU Bill Pay Business Accounts Bill Pay for Businesses Businesses can sign up for Online Bill Pay and streamline the back office functions of their business. Features include: -Pay bills and view payment activity online anytime. - Delegate

414 views • 6 slides
Security limits for compromising emanations Markus G. Kuhn Computer Laboratory

Security limits for compromising emanations Markus G. Kuhn Computer Laboratory

Security limits for compromising emanations Markus G. Kuhn Computer Laboratory http://www.cl.cam.ac.uk/ mgk25/ CHES 2005, Edinburgh Compromising emanations 1914: German army valve amplifiers for eavesdropping ground return signals of

732 views • 29 slides
Compromising Security of Economic Dispatch in Power System Operations DevendraShelar, MIT

Compromising Security of Economic Dispatch in Power System Operations DevendraShelar, MIT

Compromising Security of Economic Dispatch in Power System Operations DevendraShelar, MIT Dependable Systems and Networks, June 29 th , 2017 Joint work with Saurabh Amin, MIT Pengfei Sun and Saman Zonouz, Rutgers 1 Focus of the talk Economic

470 views • 32 slides
twenty six diagonal cracking shear f c http://www.bam.de concrete construction:

twenty six diagonal cracking shear f c http://www.bam.de concrete construction:

A RCHITECTURAL S TRUCTURES : Concrete in Compression F ORM, B EHAVIOR, AND D ESIGN ARCH 331 crushing D R. A NNE N ICHOLS vertical cracking S PRING 2018 tension lecture twenty six diagonal cracking shear f c

137 views • 3 slides
FROM VSmart TM the Product Captures & records... Calls Voicemail Text I.M. Mobile

FROM VSmart TM the Product Captures & records... Calls Voicemail Text I.M. Mobile

FROM VSmart TM the Product Captures & records... Calls Voicemail Text I.M. Mobile carrier & Patent protected, award handset agnostic winning* technology *Banking Technology 2015 Best Governance, Risk and Compliance Product or

286 views • 7 slides
DATABASE CRACKING: Fancy Scan, not Poor Mans Sort! Hardware Folks Cracking Folks Don Holger

DATABASE CRACKING: Fancy Scan, not Poor Mans Sort! Hardware Folks Cracking Folks Don Holger

DATABASE CRACKING: Fancy Scan, not Poor Mans Sort! Hardware Folks Cracking Folks Don Holger Pirk Eleni Petraki Strato Idreos Stefan Manegold Martin Kersten EVALUATING RANGE PREDICATES COMPLEXITY ON PAPER Scanning: O(n) Sorting:

910 views • 43 slides
Cracking Wireless Ryan Curtin LUG@GT Ryan Curtin Cracking Wireless - p. 1 Goals By the end of

Cracking Wireless Ryan Curtin LUG@GT Ryan Curtin Cracking Wireless - p. 1 Goals By the end of

Cracking Wireless Ryan Curtin LUG@GT Ryan Curtin Cracking Wireless - p. 1 Goals By the end of this presentation (if you stay awake), you will: Goals Setting Up Checking Injection Understand the different types of wireless keys

447 views • 13 slides
Charity Accounts Questions and Answers Ken Brew Webinar 26 March 2014 Charity Accounts

Charity Accounts Questions and Answers Ken Brew Webinar 26 March 2014 Charity Accounts

Charity Accounts Questions and Answers Ken Brew Webinar 26 March 2014 Charity Accounts Reporting Framework and SoRP Development Your questions and answers Some principles of charity accounting Published online information

984 views • 31 slides
Password Managers A way to cope with dozens of online accounts Felix Morsbach Uppsala University

Password Managers A way to cope with dozens of online accounts Felix Morsbach Uppsala University

Password Managers A way to cope with dozens of online accounts Felix Morsbach Uppsala University Sweden CryptoParty #9 presentation of 23rd January 2020 What is the problem? How can one solve it? What actually (not) to do? Making it (more)

346 views • 13 slides
Student Accounts Presentation Student Accounts Student Accounts Our mission: Operate

Student Accounts Presentation Student Accounts Student Accounts Our mission: Operate

Student Accounts Presentation Student Accounts Student Accounts Our mission: Operate efficiently to provide excellent Bouillon Hall 110 customer service for students, parents, (509) 963-3546 university departments, and third parties.

676 views • 33 slides
COMPROMISING ELECTROMAGNETIC EMANATIONS OF WIRED AND WIRELESS KEYBOARDS EPFL/LASEC/USENIX

COMPROMISING ELECTROMAGNETIC EMANATIONS OF WIRED AND WIRELESS KEYBOARDS EPFL/LASEC/USENIX

COMPROMISING ELECTROMAGNETIC EMANATIONS OF WIRED AND WIRELESS KEYBOARDS EPFL/LASEC/USENIX SECURITY09 Martin VUAGNOUX and Sylvain PASINI MODERN KEYBOARDS RADIATE COMPROMISING ELECTROMAGNETIC EMANATIONS THESE EMISSIONS LED TO A FULL OR A

861 views • 75 slides
Without Compromising the Quality of the Scientific and Scholarly Curriculum Presented by:

Without Compromising the Quality of the Scientific and Scholarly Curriculum Presented by:

Pedagogy in Virtual Classrooms Without Compromising the Quality of the Scientific and Scholarly Curriculum Presented by: Jayems Dhingra SIM University, Singapore Pedagogy in Virtual Classrooms Without Compromising the Quality of the

593 views • 15 slides
Agenda Phone Overview Layout Display Keys Working with Calls

Agenda Phone Overview Layout Display Keys Working with Calls

Agenda Phone Overview Layout Display Keys Working with Calls Answering Your Phone Forwarding Calls Place on Hold Transfer Working with Voicemail Setting up voicemail Listening

276 views • 12 slides
Designing for durability and strength Cracking & durability Local studies on corrosion &

Designing for durability and strength Cracking & durability Local studies on corrosion &

Designing for durability and strength Cracking & durability Local studies on corrosion & cracking Other aspects Presented by: Professor Mark Alexander Concrete Materials and Structural Integrity Research Unit (CoMSIRU)

718 views • 29 slides
Accounts & Audit Books of accounts to be kept by a company Definition: Books of Accounts

Accounts & Audit Books of accounts to be kept by a company Definition: Books of Accounts

Section 9 Accounts & Audit Books of accounts to be kept by a company Definition: Books of Accounts [Section 2(11)] Include records maintained in respect of all sums of money received and expended by a company and matters in relation to

462 views • 20 slides
Ohios ABLE Plan Juliana Crist Director, STABLE Accounts stableaccount.com STABLE Basics

Ohios ABLE Plan Juliana Crist Director, STABLE Accounts stableaccount.com STABLE Basics

Ohios ABLE Plan Juliana Crist Director, STABLE Accounts stableaccount.com STABLE Basics June 1st: First in the Nation! Available to all states Online accounts Paperless Process Contributions and withdrawals all electronic

567 views • 7 slides
1 What Is Substance Dependence? Physical dependence Body has adjusted to substance and

1 What Is Substance Dependence? Physical dependence Body has adjusted to substance and

Health Psychology, 6 th edition Shelley E. Taylor Chapter Five: Health-Compromising Behaviors Characteristics of Health-Compromising Behavior Many of these behaviors share a window of vulnerability in adolescence Drinking to excess

419 views • 15 slides
PicoCrack: The Art of Efficient Cracking FPGAs (Field Programmable Gate Arrays) allow custom

PicoCrack: The Art of Efficient Cracking FPGAs (Field Programmable Gate Arrays) allow custom

PicoCrack: The Art of Efficient Cracking FPGAs (Field Programmable Gate Arrays) allow custom silicon to be implemented easily. The result is a chip that can be built specifically for cracking passwords. This presentation focuses on uncovering

606 views • 47 slides
Distributed GPU password cracking Alexander Kasabov & Jochem van Kerkwijk System and

Distributed GPU password cracking Alexander Kasabov & Jochem van Kerkwijk System and

Distributed GPU password cracking Alexander Kasabov & Jochem van Kerkwijk System and Network Engineering { akasabov | jkerkwijk } @os3.nl February 2, 2011 Outline Introduction Password cracking Graphics processing unit Distributed

501 views • 16 slides
DOE Phase II SBIR Project: Diagnostics of Chlorine Induced Stress Corrosion Cracking Using Laser

DOE Phase II SBIR Project: Diagnostics of Chlorine Induced Stress Corrosion Cracking Using Laser

DOE Phase II SBIR Project: Diagnostics of Chlorine Induced Stress Corrosion Cracking Using Laser Ultrasonics SFWST Working Group Meeting May 22-24, 2018 Max Wiedmann and Marvin Klein Intelligent Optical Systems Torrance, CA 90505

584 views • 22 slides
Physical and Metallurgical Analysis Aids in Understanding Recovery Boiler Tube Cracking

Physical and Metallurgical Analysis Aids in Understanding Recovery Boiler Tube Cracking

Physical and Metallurgical Analysis Aids in Understanding Recovery Boiler Tube Cracking November, 2014 PdM Technology Infrared Thermography Gas Find IR Example of LNG Leak Safety Minute Economizer Tube Cracking Assessment

447 views • 18 slides

More recommend