dslreports logo
 
    All Forums Hot Topics Gallery
spc
Search similar:


uniqs
3745

Zuhaib
King Of Fools

join:2000-06-29
San Francisco, CA

Zuhaib

Found New Security Flaw in Cingular VM

I dont know if anyone else found this yet or not, but here are my findings. I did a google search and dont find anything on this flaw. So i am RFC on the topic and see if other can reproduce it.

Recently Cingular upgrade its Voice Mail to a new AT&T style of VM, which i think has better quality.
But one thing i noticed was that you dont need to enter in your pass-code to check your Voice Mail when your dialing from your cell phone. It just passes you thru. One might think that Cingular has limited this to just people from within the Cingular network. No.

Its Caller ID Based, which, if you have a PBX and/or VOIP can be faked very EASILY.

What i did was first take note of the voice mail number, you can find by dialing *#67# or just by looking at the phones settings.
Next i went to my Asterisk PBX and setup the system to present others with the caller ID of my cell phone in ten digit. Very easy, and if you have Asterisk or used any type of PBX you know its not that hard to do.
Then i dial the number to the voice mail, and it asks you to enter in the ten digit phone number followed by the * key to access the voice mail.
Once i did that, boom i am inside my Voice mail.
No pass-code, NOTHING.

Now if you try this while having the caller ID to a different number, it will prompt you for a pass-code.

This is a pretty big flaw, and is not something new. For a long time people have known that caller id spoofing is very simple in this day and age of VOIP, and to base a person Voice Mail security on Caller ID is just stupid. This is very bad for people who use there Cingular cell phones (like myself) for business, and Cingular should take steps to fix it.

Fixes:
None that i know of, i am still pretty new to the new VM system, but i *hope* there is a setting to force pass-code regardless of Caller ID. And even so, this should be an opt-in system as your 99% of people will never think twice about it and assume its limited to just there cell phone.

Epyon9283
Premium Member
join:2001-12-26
Trenton, NJ

Epyon9283

Premium Member

I still need to enter my PIN when accessing my vm from my cingular cell phone.

Zuhaib
King Of Fools

join:2000-06-29
San Francisco, CA

Zuhaib

Well it could mean you have not been upgrade, since, as it seems to me and others the new Cingular VM which was upgrade last week does not need a PIN code to get in.
adamt56
join:2005-06-21
Saint Petersburg, FL

adamt56 to Zuhaib

Member

to Zuhaib
I think most cell phone voice mail systems are set up this way.

Call Cingular and see if they have the option of always using your pin to access VM.

trparky
Premium Member
join:2000-05-24
Cleveland, OH

trparky to Zuhaib

Premium Member

to Zuhaib
I'm on the ATT side of this whole mess and I have always have had to enter my pin number even on my cell phone.

SirSteve
Premium Member
join:2003-11-28
Woodbury, CT

SirSteve to Zuhaib

Premium Member

to Zuhaib
[Cingular VM]
I just tried mine and I still need a PIN. Possibly something in your phone config?
whiteybulger
join:2003-03-11
Belmont, MA

whiteybulger to trparky

Member

to trparky
Same here.

Zuhaib
King Of Fools

join:2000-06-29
San Francisco, CA

1 edit

Zuhaib

said by Ryan Kim »sfgate.com/cgi-bin/artic ··· ype=tech :

If subscribers subsequently checked their voice-mail from their cell phone, which is how most users do it, they would bypass the password prompt and go directly into their voice-mail account, one of the new features being offered on the upgrade voice-mail system.
It is part of the upgrade to the new VM, which, i am going to assume is not 100% done (it just started last week).
Edit:
It seems you can actually turn on or off the passcode setting if you press option 4 and go to password settings. But i feel it should be left on by default and let the use set if he wants to use it or not.
I will test with my parents Cingular phones when i see them.

ImCanadian
@dsl.sfldmi.ameritech

ImCanadian to Zuhaib

Anon

to Zuhaib
T-Mobile also does not require PIN if calling VM from cell phone.

owlyn
MVM
join:2004-06-05
Newtown, PA

owlyn to Zuhaib

MVM

to Zuhaib
Just go into options and turn on passcode.

MrBradTX
join:2001-05-23
Carrollton, TX

MrBradTX to Zuhaib

Member

to Zuhaib
Original Dallas-area Cingular account (not AT+T). Just checked my VM. Pilot number is a Waco TX exchange. Passcode still required.

Zuhaib
King Of Fools

join:2000-06-29
San Francisco, CA

Zuhaib to ImCanadian

to ImCanadian
said by ImCanadian :

T-Mobile also does not require PIN if calling VM from cell phone.
Yes, but i would not put it past them that its also just caller id based security which is very weak. As example above, its not hard to get around it.

gracie7
Geek Goddess
Premium Member
join:2003-07-15
confusion

gracie7 to ImCanadian

Premium Member

to ImCanadian
said by ImCanadian :

T-Mobile also does not require PIN if calling VM from cell phone.
it is optional with t-mobile...you can set it up to require the passcode or not very easily in the options; one of the first things i do wih a nw tmobile phone is require the passcode for vm (and set it NOT to send my caller id when i call someone, which is on by default). i believe the OP will find that is true of cingular as well, even with the new system, and he just doesn't have it turned on in his phone, but he is right that it probably sould be on by default and then the user can choose to turn it off.

often, companies err on the side of convenience rather than security; that's something we all know and complain about .
visormiser
Premium Member
join:2004-02-10
Alexandria, VA

visormiser to Zuhaib

Premium Member

to Zuhaib
Sprint, Cingular and T-Mobile I believe are all vulnerable to VM caller ID spoofing.

See: »blogs.washingtonpost.com ··· lie.html

dddane
join:2002-01-10
Chicago, IL

dddane to Zuhaib

Member

to Zuhaib
are you sure its based off of caller id, and not ANI? AFAIK, ANI isn't as easy to fake...

btw, I am an AT&T customer who was been rolled in to Cingular... i still have to enter my passcode to get my VM... maybe its an option if i tool around in the menu?