Security Sentinel: Voicemail Vulnerabilities
By Toni McConnel, Contributing Editor,
iApplianceWeb
(01/06/03, 01:25:41 PM EDT)
Hacking voicemail is not new. I can find references to voicemail hacking as far back as the early '90s. But lately there seems to be an increase in not only the number of occurrences, but also in the degree of economic
loss connected with it. As Voice over Internet Protocol (VoIP) proliferates,
the problem is going to get worse, since voicemail will then be vulnerable
to all the same hacks that data channels are subject to now.
My attention was called to growing concerns about this form of hacking by
a press release from AT&T warning consumers of a new form of fraud in
which hackers compromise voicemail systems in order to make collect, third-party
or direct-dial calls.
The press release goes on to advise voicemail users to always change the
default password provided by the voicemail vendor; choose a complex voicemail
password of at least six digits so it will be difficult for a hacker to guess;
don't use obvious passwords such as an address, birth date or phone number;
change your voicemail password often; check your announcement regularly to
ensure the greeting is indeed yours; and disable the auto-attendant, call-forwarding
and out-paging capabilities of voicemail if these features are not used - all
the usual precautions we never bother to read, much less observe, in the
directions that come from the phone company and/or with your new phone.
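
The passcode rules in that guidance can be enforced at the moment a subscriber sets a passcode. The following is an added example, not part of the original column or of AT&T's release; the function names, the default-passcode list and the sample subscriber details are constructed assumptions.

```python
from datetime import date

# Constructed sample of vendor-default passcodes; substitute the defaults
# that your own voicemail vendor documents.
SAMPLE_DEFAULTS = {"0000", "1234", "111111", "123456"}
MIN_LENGTH = 6  # "at least six digits" per the guidance above


def personal_digit_strings(phone, birth, street_number):
    """Digit strings an outsider could derive from facts about the user."""
    digits = "".join(c for c in phone if c.isdigit())
    derived = {digits, digits[-4:], digits[-6:], digits[-7:], street_number}
    # Common ways a birth date is keyed in as digits.
    for fmt in ("%m%d%Y", "%d%m%Y", "%Y%m%d", "%m%d%y", "%d%m%y",
                "%y%m%d", "%m%d", "%Y"):
        derived.add(birth.strftime(fmt))
    # Ignore fragments too short to be meaningful matches.
    return {d for d in derived if len(d) >= 4}


def is_trivial_pattern(pin):
    """True for one repeated digit or a straight up/down run (wrapping at 9/0)."""
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    return steps in ({0}, {1}, {9})


def audit_pin(pin, phone, birth, street_number, previous_pins=()):
    """Return the reasons a passcode fails the guidance; empty list = passes."""
    if not pin.isdigit():
        return ["not numeric"]
    problems = []
    if len(pin) < MIN_LENGTH:
        problems.append("shorter than six digits")
    if pin in SAMPLE_DEFAULTS:
        problems.append("vendor default")
    if is_trivial_pattern(pin):
        problems.append("repeated or sequential digits")
    personal = personal_digit_strings(phone, birth, street_number)
    if any(d in pin or pin in d for d in personal):
        problems.append("derived from phone number, birth date or address")
    if pin in previous_pins:
        problems.append("reuses an earlier passcode")
    return problems


if __name__ == "__main__":
    # Constructed subscriber: fictional 555-01xx number, made-up date and address.
    for candidate in ("1234", "070471", "550142", "839026"):
        print(candidate, audit_pin(candidate, "650-555-0142", date(1971, 7, 4), "2415"))
```
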
Why AT&T chooses to call this form of hacking “new” is anybody's guess,
but why AT&T has issued a press release about it at this time becomes
clear when you know that hackers placed $30,000 worth of unauthorized calls
through the East Palo Alto City Hall phone system over a five-day period
in July of 2002. Currently, AT&T is involved in a dispute with East Palo
Alto over who should pay for the calls, and this type of dispute between
victim and phone company is becoming more common.
Voicemail fraud is now thought to be perpetrated by organized rings that
sell cheap long distance services, and is becoming increasingly common, with
damage in the billions of dollars a year, according to one news story. The
hack is usually accomplished by gaining access to a voicemail box pass code.
The hacker then manipulates the system to make long distance calls from
the line.
The easiest hack is to simply call a number and try any one of a number of
default passcodes that the phone company assigns to new voicemail customers.
Many users never bother to change those codes. These are the most vulnerable
to attacks. But that's for amateurs. It took me less than five minutes
to find a site on the Web that offers detailed instructions and code for
creating programs that generate random passcodes specifically for voicemail
systems.
As with many such sites, the host is a purported reformed hacker who gets
away with disseminating this kind of information by stating that the info
is offered so that companies can “take steps to protect themselves from hackers”.
He is also a paid security consultant for some large firms, where of course
he can gather information about their security systems to his heart's content
if he so desires. I also found a note on a message board from someone
who said he would tell anybody how to hack a voicemail if they send him an
e-mail requesting the info. I sent off a note saying “Hey, sounds like fun,
I'm really interested...” but I haven't heard from him yet.
So far I don't know of any surefire protection against this kind of hack.
Passcodes obviously are not adequate safeguards; clearly a more sophisticated
way to identify legitimate users is needed. How about voiceprints? The
savings in fraudulent charges every year would more than pay for implementing
the technology.
Meantime, until better security is available, what both businesses and individuals
need to do is to monitor their long distance charges carefully, check bills
on-line between regular billings if your carrier offers that service, follow
AT&T's guidelines for safe practices, and report anything at all unusual
that you notice about your voicemail system to your provider. Don't wait
to be certain; AT&T advises that if you have any doubts at all about
any change you notice in sound or activity on your voicemail, report it.
Security Sentinel is written by contributing editor
Toni McConnel. Toni will keep you up-to-date on recent issues about security,
new virus alerts, discoveries of software and hardware vulnerabilities, and
most important of all, where to find further information and fixes.
Your input is invited. Write to Security.Sentinel@NetcentricCommunity
with your concerns and/or information you would like to share with the iAppliance
community concerning security.