Voicemail Security against Caller-ID Spoofing
by Rich Pasco On Wednesday evening, April 18, 2007, I got a call on my cell phone, apparently from a telemarketer. He gave his name as "David" and said he was calling from the "American Grant Information Center" and that my number was randomly selected by computer from among all US residents and that I was eligible to receive free grant money. [Yeah, sure!] For this call, my caller-ID indicator displayed as the calling number my own cell phone number! Obviously, I was not calling myself, so his computer was falsifying its caller ID through a technique known as "Caller-ID Spoofing." When placing a call with the right equipment and software, it is relatively easy to forge any number you wish to be displayed as the caller. In this case "David" was setting a fictitious calling number matching the actual called number (mine). Find more about Caller-ID Spoofing in Google and Wikipedia Furthermore, he was calling me in violation of the fact that my cell phone number was listed on the National Do Not Call Registry. I asked "David" for his company's phone number "so that I can call you back" but he refused to divulge it, insisting on sticking to his own patter about free grant money for me. I told him that I was on the Do Not Call registry and that his phone call was illegal unless he fully identified his company and their phone number. Actually, it was illegal regardless, but I wanted as much information as I could get to file with my complaint. He wouldn't tell me any more so I hung up. Next I visited the National Do Not Call Registry and filed a complaint, giving the name of the company as "American Grant Information Center" with unknown phone number. Not much for them to go on, but better than nothing, I suppose. But here's the most important part, and it's really scary:Suppose I had not answered the call? My cell phone service (Cingular) forwards all calls which are not answered directly into their voicemail system. By default, when that system recognizes the caller ID as matching the phone number whose mailbox is being called, it automatically logs the caller in with the full authority to control the system (play incoming messages, set personal options, record new greetings, etc.). Therefore, if I hadn't answered, "David" would have had full control over my voicemail system! Closing this exposure was simple: I just needed to configure my voicemail system to always ask for my password regardless of the caller ID. On Cingular's system this is called "Turn off 'Skip Password'" and is implemented by logging into voicemail and pressing these keys: 4 - Options If you have a non-Cingular system your exact keys may vary, but the principle is the same. Now I'm wondering whether "David" really was a telemarketer, or if perhaps his "free grant money" patter was really a cover for his real purpose of looking for unsecured voicemail systems he could hack into, perhaps for purposes of harvesting personal information for nefarious purposes. The moral of this story is: If your voicemail system doesn't always ask you for your password, I strongly recommend that you reconfigure it so that it does. Otherwise, a hacker, easily spoofing your own number as their own, could call right in and take over your voicemail system, playing and deleting your messages, changing your settings, and more. Further ResearchI did some further resarch. It turns out that I'm not the first one to discover this vulnerability. Here are some articles which describe it:
About the "American Grant Information Center"
If you have any questions feel free to e-mail me. Copyright © 2001-2007 Richard C. Pasco. All rights reserved. |