  Zuhaib King Of Fools Premium,ExMod 2001 join:2000-06-29 San Francisco, CA clubs: 
| Found New Security Flaw in Cingular VM
I don't know if anyone else found this yet or not, but here are my findings. I did a Google search and didn't find anything on this flaw. So I am RFC on the topic to see if others can reproduce it.
Recently Cingular upgraded its Voice Mail to a new AT&T style of VM, which I think has better quality. But one thing I noticed was that you don't need to enter your pass-code to check your Voice Mail when you're dialing from your cell phone. It just passes you through. One might think that Cingular has limited this to just people from within the Cingular network. No.
It's Caller ID based, which, if you have a PBX and/or VOIP, can be faked very EASILY.
What I did was first take note of the voice mail number, which you can find by dialing *#67# or just by looking at the phone's settings. Next I went to my Asterisk PBX and set up the system to present others with the caller ID of my cell phone in ten digits. Very easy, and if you have Asterisk or have used any type of PBX you know it's not that hard to do. Then I dialed the number to the voice mail, and it asks you to enter the ten digit phone number followed by the * key to access the voice mail. Once I did that, boom, I am inside my voice mail. No pass-code, NOTHING.
Now if you try this while having the caller ID set to a different number, it will prompt you for a pass-code.
This is a pretty big flaw, and is not something new. For a long time people have known that caller ID spoofing is very simple in this day and age of VOIP, and to base a person's Voice Mail security on Caller ID is just stupid. This is very bad for people who use their Cingular cell phones (like myself) for business, and Cingular should take steps to fix it.
Fixes: None that I know of. I am still pretty new to the new VM system, but I *hope* there is a setting to force pass-code regardless of Caller ID. And even so, this should be an opt-in system, as 99% of people will never think twice about it and assume it's limited to just their cell phone. -- I am Pakistani And No! I do not own a 7/11! And my NAME is not Apu! |
|
  Epyon9283 Premium join:2001-12-26 Dayton, NJ | I still need to enter my PIN when accessing my VM from my Cingular cell phone. |
|
  Zuhaib King Of Fools Premium,ExMod 2001 join:2000-06-29 San Francisco, CA clubs: 
| Well, it could mean you have not been upgraded, since, as it seems to me and others, the new Cingular VM which was upgraded last week does not need a PIN code to get in. -- I am Pakistani And No! I do not own a 7/11! And my NAME is not Apu! |
|
 adamt56
join:2005-06-21 Saint Petersburg, FL | reply to Zuhaib I think most cell phone voice mail systems are set up this way.
Call Cingular and see if they have the option of always using your pin to access VM. |
|
  trparky Bite My Shiny Metal Ass Premium,MVM join:2000-05-24 Cleveland, OH clubs: | reply to Zuhaib I'm on the ATT side of this whole mess and I have always had to enter my PIN number even on my cell phone. |
|
  DSL_Steve Premium join:2003-11-28 Woodbury, CT | reply to Zuhaib [Cingular VM] I just tried mine and I still need a PIN. Possibly something in your phone config? |
|
 whiteybulger
join:2003-03-11 Belmont, MA | reply to trparky Same here. |
|
  Zuhaib King Of Fools Premium,ExMod 2001 join:2000-06-29 San Francisco, CA clubs: 
edit: October 26th, @11:46AM
| reply to Zuhaib said by Ryan Kim »sfgate.com/cgi-bin/article.cgi?f···ype=tech :
If subscribers subsequently checked their voice-mail from their cell phone, which is how most users do it, they would bypass the password prompt and go directly into their voice-mail account, one of the new features being offered on the upgrade voice-mail system.
It is part of the upgrade to the new VM, which, I am going to assume, is not 100% done (it just started last week).
Edit: It seems you can actually turn on or off the passcode setting if you press option 4 and go to password settings. But I feel it should be left on by default and let the user set if he wants to use it or not. I will test with my parents' Cingular phones when I see them. -- I am Pakistani And No! I do not own a 7/11! And my NAME is not Apu! |
|
  ImCanadian
@sfldmi.ameritech | reply to Zuhaib T-Mobile also does not require PIN if calling VM from cell phone. |
|
 owlyn
join:2004-06-05 Newtown, PA clubs: | reply to Zuhaib Just go into options and turn on passcode. |
|
  MrBradTX
join:2001-05-23 Carrollton, TX | reply to Zuhaib Original Dallas-area Cingular account (not AT+T). Just checked my VM. Pilot number is a Waco TX exchange. Passcode still required. |
|
  Zuhaib King Of Fools Premium,ExMod 2001 join:2000-06-29 San Francisco, CA clubs: 
| reply to ImCanadian said by ImCanadian :
T-Mobile also does not require PIN if calling VM from cell phone.
Yes, but I would not put it past them that it's also just caller ID based security, which is very weak. As in the example above, it's not hard to get around it. -- I am Pakistani And No! I do not own a 7/11! And my NAME is not Apu! |
|
  gracie Geek Goddess Premium join:2003-07-15 confusion
| reply to ImCanadian said by ImCanadian :
T-Mobile also does not require PIN if calling VM from cell phone.
it is optional with t-mobile...you can set it up to require the passcode or not very easily in the options; one of the first things i do with a new tmobile phone is require the passcode for vm (and set it NOT to send my caller id when i call someone, which is on by default). i believe the OP will find that is true of cingular as well, even with the new system, and he just doesn't have it turned on in his phone, but he is right that it probably should be on by default and then the user can choose to turn it off.
often, companies err on the side of convenience rather than security; that's something we all know and complain about. -- graciella! "not tonight dear, I have DSL." Creating SuperOrganizations Worldwide Creating & Hosting SuperSites Worldwide |
|
 visormiser Premium join:2004-02-10 Alexandria, VA
·Cox HSI
| reply to Zuhaib Sprint, Cingular and T-Mobile I believe are all vulnerable to VM caller ID spoofing.
See: »blogs.washingtonpost.com/securit···lie.html |
|
  dddane
join:2002-01-10 Chicago, IL
| reply to Zuhaib are you sure it's based off of caller id, and not ANI? AFAIK, ANI isn't as easy to fake...
btw, I am an AT&T customer who has been rolled into Cingular... i still have to enter my passcode to get my VM... maybe it's an option if i tool around in the menu? |
|