35C3 preroll music
Herald Angel: We start the next talk. It's
by Martin Vigo. He stands here. He is a
product security lead and researcher and
he's responsible for mobile security,
identity, and authentication. So he helps
people design and secure systems and
applications. And he has worked on stuff
like breaking password managers or
exploiting Apple's FaceTime to create a
spy... yeah, a spy program. So give him a
warm applause for his talk.
Applause
Martin Vigo: Thank you for joining me in
this talk. I'm super excited to be here.
It's actually my second year at the
conference, so super super excited that
the first year I was sitting there, and
the second year I'm sitting here. This is
me, but an introduction was already made.
Just pointing out that this is me, 9 years
old, with an Amstrad CPC 6128. Did you have
this machine before? I see only one hand?
I think this was sold in Europe, but I was
playing here La Abadía del Crimen, which
is the best video game ever written. If
you guys like abandonware, you should
definitely check it out. So, like any good
research, we have to start by looking at
prior art, right? We can learn a lot
from researchers that did stuff in the
past. And in this case I went all the way
back to the 80s to understand what phreakers
of the time, when the hacking thing
started, were doing to actually hack into
voicemail systems. I condensed everything
I learned in five different paragraphs from
five different e-zines, that I actually
got from the Phrack website, which is an amazing
resource. So, here from the Hacking
Telephone Answering Machines, the
paragraph that I extracted was that "You
can just enter all 2-digit combinations
until you get the right one", "A more
sophisticated and fast way to do this is
to take advantage of the fact that such
machines typically do not read two numbers
at a time, and discard them, but just look
for the correct sequence". What is this
about? In older voicemail systems, if you
enter 1234 for a 2-digit PIN,
it will not only process 12 and 34 to verify
the PIN, but it will also process 23,
which is very interesting. In fact, in
Hacking AT&T Answering Machines, again,
this is amazing, from the 90s or 80s, we
actually get the correct sequence to cover
the entire 2-digit key space. So, if you
enter all these, you are basically brute
forcing the entire key space, without
having to enter in the entire thing that
covers it. I also learned, from A Tutorial
of Aspen Voice Mailbox Systems, that in
the 80s there were default passwords.
Surprise, surprise! But also that, as
humans, we actually have patterns when we
choose PINs. And so we have the classics:
1111, 9999, 1234. And another thing that I
learned in Hacking Answering Machines in
the 90s, was that "There is also the old
'change the message' secret to make it say
something to the effect of this line
accepts all toll charges so you can bill
third party calls to that number". This is
basically a trick used by inmates to get
free calls. Basically, they would record
in the voicemail a greeting message "yes,
yes, yes", so when the automated system
comes in and asks "Do you want to accept
the toll charges for the call from the
penitentiary?", it will go through and they will be
able to make free calls. So, condensing
everything and summarizing what I
learned from looking at what previous
hackers did in the 80s: we know that
voicemail system security looked like...
there were default PINs, there were common
PINs, there were bruteforceable PINs, there
was efficient bruteforcing because we can
enter multiple PINs at the same time, and
the greeting message is actually an attack
vector. So let's play a game. Let's do a
checklist and let's look at the voicemail
security today. So, I looked at the
American carriers because I live in the
US, but because I was invited to talk in
Germany, I asked some friends to give me
some SIM cards, and I actually wanted to
include German carriers as well. So,
checklist time. Default PINs: all American
carriers do have default PINs, and
unfortunately they are really not a secret,
because most of them are actually the last
digits of your phone number. When it comes
to German carriers it's actually in a much
better state. For example, for Vodafone it's
the last 4 digits of the client number,
which you don't know. I mean, you know as
the customer, not others, it's a secret.
Or when it comes to CallYa, that is the
card that I got, it's the last 4 digits of
the PUK. For Telekom it's the last 4
digits of the card number, which is the
card you get with the SIM card. For O2,
unfortunately, there is a default PIN,
which is 8705, which is the only PIN you
can't set when you choose to set one.
Yeah. So, voicemail security today when it
comes to common PINs: according to a
fantastic piece of research from Data Genetics,
which is actually about people choosing
PINs for their credit cards, there were
a lot of conclusions that I learned from
this research. Basically, to summarize
the most important one regarding this work:
for example, by trying the top 20 most
common PINs, you have a 22 percent chance
of getting the right one. What this means,
in other words, is that for every fourth victim
whose voicemail PIN I try to brute force,
I will get it right. There are other
conclusions that are very interesting,
like that the PINs mostly start with 19. Who has
an idea why that is? Birth year, right? It's
very common to set it as your birth year.
Most of us were born in the 20th
century... to set it as a PIN.
Bruteforceable PINs: same thing in Germany
and in the US, they accept 4-digit PINs,
which, as we will see later, is just not
enough key space. Efficient bruteforcing:
all the carriers accept concatenation of
payloads. So, in this case I use it to try
different PINs and I don't even have to
wait for error messages. I just use the
pound as kind of like an enter in a
voicemail system and I can try three PINs
at a time. Usually carriers will hang up
when you enter three PINs wrong, for
security purposes, but we will take
advantage of that. So with everything that
I learned from the 80s, I verified that it
was still a problem today. I decided to
write a tool that allows you to brute
force voicemail system fast, cheap,
easily, efficiently, and undetected. So,
fast: I used Twilio... who is familiar
with Twilio here? Some of you? So, Twilio
is basically an online service that
allows you to programmatically interact
with phone calls. You can make phone
calls, interact with them, and all that.
So I use it to launch hundreds and
hundreds of calls at the same time in
order to brute force PINs. It's cheap! The
entire 4-digit keyspace costs 40 dollars.
So if I want to have a 100 percent chance
of getting your 4-digit PIN, I only have
to pay 40 bucks. A 50 percent chance,
according to the research from Data
Genetics, it will cost me five dollars. So
once every two victims, I will get the
PIN. Actually, if I want to take a
different approach and instead of just
trying to brute force only yours, I want
to brute force the PIN from everyone here,
according to Data Genetics, and in this
case, given the fact that there are
default PINs... I'm not going to ask how
many of you have O2, now that they know
that there is a default PIN to their
voicemail system. It will be more
interesting to actually try a thousand
phone numbers for that default PIN for O2
customers, for only 13 dollars. It's easy:
fully automated, the tool does everything
for you, you just have to provide the
victim number, the carrier, and a couple of
other parameters. And it's efficient! It
optimizes brute forcing, I use the
research from Data Genetics to favor the
PINs that are most common, and obviously
it tries different PINs and all that
stuff. But the most important thing here is
detection, because think about it. In
order for me to interact with your
voicemail system I need to call you, and
you cannot pick up, because if you do, it
doesn't go to the voicemail system. So I
was trying to find ways, because I need
to, in the end, make a lot of calls,
trying different PINs. How can I interact
directly with your voicemail? I tried call
flooding, basically doing three calls
at a time, because the line gets flooded
just with three calls and it goes directly to
the voicemail, but it wasn't very
reliable. You can use OSINT techniques: a
lot of people like to tweet that they,
you know, go on a trip, they are
about to board a plane, so the phone goes into
airplane mode, or you go to a remote area,
or you are in a movie theater, or at night
you put on Do Not Disturb. Those are all
situations in which calls go directly to
the voicemail. You can use an HLR database to
find out if mobile devices are
disconnected or the SIM cards have been
discarded but are still assigned to
an account. And you can use online
services like realphonevalidation.com,
which I actually reached out to, and they
provide services that allow you to know if
a phone is actually connected to a tower
at the moment, so it's basically
available, so you could use that too. You
can also use class 0 SMS, which gives you
feedback. It's basically a type of SMS
that has more priority and will
basically display on the screen, and you'll
get feedback on whether it was displayed. So,
that's a nice trick to find out if the
phone is actually connected to a tower. But
in reality, I wanted a bulletproof way to
do this, and in the U.S. I found that there
is this concept of backdoor voicemail systems.
So instead of me calling you, I'm going to
call one of these services that you guys
have listed here for every carrier and
there I enter the number, in this case the
number of the victim from the voicemail I
want to interact with. And of course it
allows you access to the login
prompt. Actually, in Germany I found it
interesting that you guys have it as a
service, because in the US it's more of a
secret that I had to find using Google,
but here... Basically, if I dial your phone
number and, when it comes to Vodafone,
between the area code and the rest of the
number I put 55, or for Telekom 13, or for
O2 33, I directly go to the voicemail; it
won't ring your phone. So I can use that.
Who from Germany was aware of this?
OK, many of you. So that's what I
thought. Like, here it's not really
something you guys care too much about. In
the U.S. it's actually used a lot by
scammers, or by spammers to leave voicemail
messages directly. So,
Voicemailcracker actually takes advantage
of backdoor numbers, so it allows you to
be undetected. I don't need to call you, I
don't need to wait till you are flying, I
can do that. And for example for the U.S.
it's great, because when I launch that
many calls, the line gets flooded even if
you are offline. But when I use these
backdoor voicemail systems, because they
are meant to be used by everyone, those
don't get flooded. So I literally make
hundreds and hundreds of calls and it
never fails. So, but you know, like,
carriers, or some of them, add brute
force protections, right? So that you
can't actually launch brute forcing
attacks. And I looked at the German
carriers, and for example Vodafone, I saw
that it resets the 6-digit PIN and sends
it over SMS. So, I guess I can flood your
phone with texts, but who cares, that's not
a big deal, but I think it's actually a
pretty effective measure against
voicemail... against brute forcing.
Telekom blocks the Caller ID from
accessing the mailbox or even leaving
messages. I tried, and after six wrong attempts,
every time I call it says
"Hey, you can't do anything", and it hangs
up. And for O2 it connects directly to the
customer help-line, but someone started
talking German and my German is not that
good. So, brute force: I wanted to be able
to bypass this, and if you look
at Telekom, I mentioned that it blocks the
caller ID, but it turns out that with Twilio
you can actually buy caller IDs, you can,
well, you can buy phone numbers, right?
And they are really cheap. So it's very
easy for me to do randomization of caller
IDs for very very cheap and bypass
Telekom's brute force protection. So
Voicemailcracker also supports that. It
supports caller ID randomization. So let's
make the first demo. So as you can see
here on the left is the victim's mobile
device, and on the right is the tool. And
in this case I'm going to use the brute
force option. The brute force option
allows me to basically brute force the
PIN. It makes hundreds of calls, as I
explained, and tries to guess it. And
there are a number of parameters like the
victim number, the carrier... the carrier
is important because there are
specific payloads for every single carrier,
because all the voicemail systems are
different in how you interact with them, and
in this case I'm using a backdoor number
because it's more efficient. And then
there is no detection. And in this case I
chose the option "top PIN". So this is
basically trying the top 20 PINs according
to the research for four digits. So as you
can see it's trying actually three PINs at
a time, as I mentioned before, rather than
one. So we have to do a third of the
calls, right? And how do you
think that I'm detecting if the PIN was
correct or not? Any ideas?
Unintelligible suggestion from audience
M.V.: OK. So the disconnect and hang up.
That's what I heard. And that's exactly
right. If you think about it, I can look at
the call duration, because when I try
three PINs and it hangs up, it's always the
same call duration. For T-Mobile in this
case it's like 18 seconds. So I instruct
Twilio, after dialing and putting in the
payload to interact with the voicemail
system trying the PINs, to wait 10 extra
seconds. So that's all I have to do; I don't need
any sound processing to try to guess what
the voicemail voice is telling me, if it's
correct or not. I just use the call
duration. So if the call duration is ten
times longer, then I know that's the right
PIN, because it logged in. So as
you can see it found out that one of those
three is actually the correct one: in this
case it's 1983. So in order to give you
the exact one, because at that time it
tried the three of them, now it's trying
one by one, and it may look like it's
taking longer than it should for only 20
PINs, but remember failing PINs is very
very quick. It's just that because in the
top 20 it found already the right PIN, it
takes longer than it should. And there you
go. We got that it's 1983. Awesome. So
what is the impact really why am I here
talking to you at CCC that has such
amazing talks, right? And this is really
the thing about this. No one cares about
the voicemail. Probably if I ask here, who
knows his own voicemail pin?
Laughter
M.V.: Nice. That's what I was expecting.
Probably fewer hands here. So some of them
are lying, but that's the thing, right? We
don't care about the voicemail. We don't
even use it, which is the crazy thing
here. We have an open door for
discussing an issue that we don't even
know about or we don't even remember. So
many people are not familiar with the fact
that you can reset passwords over a phone
call. We are familiar with resetting
passwords over e-mail. You get a unique
link, maybe over SMS you get a code that
you then have to enter in the UI.
But a lot of people cannot receive SMS, or
that's what services claim. So they allow
you to receive that temporary code over a
phone call, and that's exactly what we
take advantage of, because I ask you: what
happens if you don't pick up the
phone? If basically I go to a service,
enter your e-mail or your phone number and
reset a password, and everyone can do
that. Anyone can initiate the
password reset process, and I know that
you are not going to pick up the phone. I
know that thanks to my tool I got access
to your voicemail system. So basically the
voicemail system will pick up the call and
it will start recording, so it will record
the voice spelling out the code that I
need to basically reset your account and
get access to it. So -- oops! -- and I
press play here.
Static
M.V.: Okay, so, what does the attack
vector look like? You brute force the
voicemail system using the tool, ideally
using backdoor numbers. For that
particular call -- that is, the call that
the victim will receive once you initiate
the password reset -- that one cannot
go through the backdoor number, right?,
because it's gonna-- PayPal is gonna
directly call the victim. So for that one
you need to make sure that the victim is
not connected to a tower, through all the
methods that I showed before. You start
the password reset process using the
economy feature. You listen to the
recorded message, secret code, and profit.
You hijacked that account, and
Voicemailcracker can do all that for you.
Let's compromise WhatsApp. So on the left
you see my number, right?, with a secret
lover group, and a secret group, and all
that stuff. On the right, notice that I'm
not even using an actual device. It's an
Android emulator in which I installed an APK.
And there is some sound to this, and you
are gonna see -- so again on your left
it's the victim's number. On the right is
an emulator of the attacker. So you'll see
that I'm going to use my tool with the
message payload, with the message option.
So in this case what I'm doing is I'm
setting the victim's phone to airplane
mode, simulating that it's now offline for
some reason, and I detected that. So if
you see, WhatsApp sends you a text
to actually register as a WhatsApp user,
but if you don't reply in a minute it
allows you-- it gives you an option to
call, to call me, right? And that's
exactly what I click. So now WhatsApp is
basically calling the victim, which is
again in airplane mode, because he went on
a remote trip or on a plane, and so I'm
using Voicemailcracker with the option
"message" to automatically retrieve that
newest message. So the tool is gonna
provide me, as you can see the last option
is the PIN, because I brute forced it
before. So it's going to give me a URL
with the recording of the newest message,
which, hopefully -- it's a recorded demo
-- hopefully contains actually the code.
So let's see... I got the URL.
Phone alert sound
Computerized phone voice: New Message! --
M.V.: It's interacting with the voicemail
system right now.
Phone voice: -- your verification code is:
3 6 5 9 1 5. Your verification code is: 3
6 5 9 1 5. Your ver--
M.V.: And it's that simple. We just hijacked
that person's WhatsApp, and I -- here I'm
fast forwarding just to show you--
Applause
M.V.: --that you actually get that. Thank
you. I do want to point out that WhatsApp
is super secure, it has, like, end-to-end
encryption and all that, and there are a
number of things by which you can notice this
attack. For example, you wouldn't be able
to see the previous messages that were
there, but you can just hold on and ask
people, right? The groups will pop up. So
you hijacked that WhatsApp account. There
is also fingerprinting. But who really
pays attention to the fingerprinting when
someone changes the device, right? So are
we done? Not yet. Because the truth is,
some researchers talked about this in the
past, and services actually started to
slowly pick up on it. So that is actually
something that I found in several
services. That is what I call the user
interaction based protection. So when you
receive that phone call that provides you
with the temporary code, in reality it's
not giving it away. You have to press a
key. It comes in three different flavors,
from what I found in my tests. Please
press any key to hear the code, so when
you get the call, you have to press, and
then it will tell you the code; please
press a specific key, so please
press 1, please press 2; or please enter
the code. PayPal does that: instead of
you having to press a key to hear the code,
when you reset the password you will see a
four-digit code that you have to enter
when you receive the call, and then it will
reset the password. So I'm going to get
the help from all of you guys. Can we beat
this currently recommended protection, what
is nowadays recommended to prevent these
kinds of attacks? And we're going to play a
game. I'm going to give you two hints.
This is the first one. So, you guys are
probably familiar with this, but Captain
Crunch. Again we go back to those days; we
can learn so much from them. He used this to
generate specific sounds at a specific
frequency to basically -- you can go and
read it -- get free international
calls. So he would create that sound and
the system would process it on the
line. And the second one is that I
cheated. When we did the checklist, I
actually skipped one, which was that the
greeting message is an attack vector. So I
ask you guys: how can we bypass the
protection that requires user interaction
in order to get the code recorded on the
voicemail system?
Inaudible suggestion from audience
M.V.: What was that?... Exactly. Record
DTMF tones as the greeting message. We own
the voicemail system, so we can alter the
greeting message. So this is exactly how
it works: we just alter the greeting
message, we record the DTMF that the system
is expecting, and it works every single
time. The best thing about this, what
really is so awesome about all of us
that really care about technology: we want
to have a deep understanding. Because when
I was asking people, when, you know, I
wanted to show them this, I was asking them
how this protection really works. And
they would say, well, you have to press a key
and then, you know, it will give you the
code. But that's not really true. What
you have to do is provide a
specific sound that the system is
expecting. That is different from saying
you have to press a key, because if you
say I have to press a key, that requires
physical access. If you say I have to
provide a sound, now we know it doesn't
require physical access. That is why
hackers are so cool, because we really
want to understand what is happening
backstage, and we take advantage of that.
So what does the attack vector look like?
Bruteforcing voicemail systems as before.
So basically we have an extra step, which
is updating the greeting message according
to the account to be hacked. Voicemailcracker
can do that for you. Let's
compromise PayPal.
Laughter
M.V.: So on the left side you see that, as
before, I brute force the PIN of the
voicemail. And in this case on the right side
I'm going to start a password reset for
that account. So I do that and I choose
"please call me with a temporary code".
But in this case PayPal works differently,
because it will show me a four-digit code
that I need to enter when I receive the
call in order to reset the password. So
you see that here I'm using the greeting
option. So the greeting option is going to allow
me to enter a payload that I want to
record as the greeting message. In this
case it's 6 3 5 3. So I may be very very
verbose for this demo. There you see
the last option, "use PayPal code", and I
enter 6 3 5 3. Now the tool is going to
use the PIN to log into the voicemail
system, interact with it, change the
greeting message, record the DTMF tones
according to 6 3 5 3, and then it should be
able to fool the call. In this case I'm
asking it to call again, because it didn't
have enough time to do that. And in 3 2 1
we should get that we actually compromised
PayPal's account, and there we go. We can
now set our own password.
Applause
M.V.: Thank you. So, I showed you some
vulnerable servers. Let's go very quickly
through it because I'm concerned I'm
running out of time. So, I'm just
mentioning Alexa top 100 types of
services, not favoring anything, but... so
for password reset that supports over
phone call: PayPal, Instagram-- no,
Snapchat-- Netflix, eBay, LinkedIn. I'm
still on Facebook. What can I say? 2FA for
all the major ones, so 2FA over phone
call for Apple, Google, Microsoft,
Yahoo... Verification: so basically you
don't register with a username and
password on WhatsApp or Signal, you
actually use directly the phone number,
right? As we saw before, and you register
through a phone call or SMS. So you can
compromise this too. Twilio, the very
service that I use for this, is actually
really cool because you can own a caller
ID by verifying it by getting a phone
call, so I can actually own your caller ID
and make calls on your behalf, send texts,
and this all legitimately, right?,
because you've pressed one. Google Voice
is actually another interesting service
because it's used a lot by scammers,
right? And this is the same thing: you
have to verify ownership so you can do
those phone calls, and you can fool it as
well with this. But I was looking for
what other services really take
advantage of this. And this is super
common in San Francisco, where I live. You
can buzz people in, like when they want to
enter, right?, they enter your house
number, and then your phone rings and you
press any key to open the door. So we are
talking about physical security now. And
I've seen this in offices as well. They
all work this way, basically because they
want to be able -- for tenants, that you
know, come and go -- to be able to switch
that very quickly. So it works just
through the phone that you buzz people in.
But my favorite is consent, because when
we think about consent we think about
lawyers, and we think about signing papers,
and we think about all of these difficult
things. And I found out about this
LocationSmart service that isn't there
anymore, and you will see why... But this was
recently in the news because, basically,
Brian Krebs wrote a really great article
about it. But I'm going to let you hear,
from their YouTube channel, how LocationSmart
works.
LS vid speaker 1: The screen that you're
showing, that you're seeing right now is a
demo that we have on our Web site it's at
location smart.com/pride, and I've entered
my name, my email, my mobile phone number,
and it's again going to get my permission
by calling my phone, and then it'll
locate. So let's go ahead and, I clicked
the box to say yes I agree, click the
locate, and the screen now shows that it's
going to call my device to get my
permission.
vid speaker's phone vibrates, sounds like an airhorn in video
LS vid speaker 2: Heh, that's a nice ring
tone --
M.V.: No, it's not--
LS vid speaker 1's phone: To log into
Location Smart Services, press 1 or say
'Yes'. To repeat, press 2 or say 'Repeat'.
LSVS1: Yes
Phone: Congratulations. You have been
opted in to Location Smart Services.
Goodbye
M.V.: So as you see, this service, this
website had a free demo
that allows you to put in a phone number
-- yours, of course -- and you will get a
phone call and then you will give
permission by pressing one. So someone
could locate you and keep tracking -- I
mean, I checked with them -- for up to 30
days, real time. So now you know why they
don't exist anymore!
Applause
M.V.: Open source..
More Applause
M.V.: Open source. So, and this was with
the permission of the carriers. This was
not some fishy thing. This was actually a
service. So I wanted to release code,
because I want you guys to verify that
what I mentioned is true, and have code to
hopefully help push the industry forward
to make voicemail systems more secure,
right? We want to push carriers to do so.
But I didn't want to provide a tool
that works out of the box and that anyone can
very easily, as we saw, use to just start
bruteforcing PINs, especially because I saw
that there are so many people with
default PINs out there. So I just removed
the brute forcing, so the tool allows you
to test it on your own. You can test, you
know, you can test the greeting message,
you can test retrieving messages,
compromising the services, and all that. So
the tool allows you to test on your own
device. I won't give you code to brute
force someone else's device. And feel free
to go to my GitHub repo. So now, like in all
talks, come the recommendations, but I
know what you guys are thinking, right?
When someone comes with all this paranoia
and stuff, you still think "yeah, but you
know, still, like, no one is gonna come after
me. I don't have anything to hide" or
anything like that. So I wanted to give
you reasons why you should still care
about this, and why we need to do better.
Because do carriers set default PINs? Yes,
we saw that. Is testing for default PINs
cheap, fast, undetected, and automatable?
Yes it is. Is updating the greeting message
automatable? Yes it is. Is retrieving
the newest message automatable? Yes it is.
Is there speech-to-text transcription, so
that I can get the sound that I played
before with the code and get it in text?
Yeah. Twilio gives you that as well. So
can the account compromise process be
automated? Of course, you can use
Selenium if you want to automate the UI.
Or you can use a web proxy and look at the
APIs and do it yourself. So it is only a
matter of time until someone actually does
all these steps that I showed you step by
step and just makes it all straight and
starts to go over phone numbers trying the
default PINs, and just automatically
compromising services like WhatsApp, like
PayPal, and all that. You can do basically,
not a worm, but, you know, you can
compromise a lot of devices without doing
anything. Recommendations for online
services. Don't use automated calls for
security purposes. If that's not possible, detect
answering machines and fail. I mean, this
is not very accurate and you can still
trick it. Require user interaction before
providing the secret. I just showed you how
to bypass that, but that's with the hope that
carriers ban DTMF tones from the greeting
message. I don't see why that should be
supported, right? Recommendations for
carriers. The most important thing: ban
DTMF tones from the greeting message.
Eliminate backdoor voicemail services, or at
least give no access to the login
prompt, right? There is no reason why you
should be able to access your voicemail
directly to leave a message. But then I
can access the login prompt by pressing
star. Voicemail disabled by default. This
is very important, and it can only be
activated from the actual phone, or
online, maybe with a special code. Oh great,
I have time for questions. No default
PINs. Learn from the German carriers:
don't allow common PINs, detect and
prevent brute force attempts, don't
process multiple PINs at once.
Recommendations for you, which are, in the
end, very important here. Disable the
voicemail if you don't use it. I found,
though, that with some carriers, through
the backdoor voicemail numbers, you are still...
you are unable to activate it again. So that kind
of sucks. So I guess use the longest
possible random PIN. Don't provide phone
numbers to online services unless
required, or it is the only way to get 2FA.
2FA is more important. Use a virtual
number to prevent OSINT, like a Google
Voice number, so no one can, you know, learn
about your phone number digits by
resetting the password or do SIM swapping.
Use 2FA apps only. And I always like to
finish my talk with one slide that kind of
summarizes everything. Automated phone
calls are a common solution for password
reset, 2FA, verification, and other
services. These can be compromised by
leveraging old weaknesses and current
technology to exploit the weakest link:
voicemail systems. Thank you so much.
Danke schön, CCC!
Applause
Herald Angel: Thank you, Martin. We have
time for questions, so if you have any
questions, or if someone on the Internet
has questions, just go to these
microphones. Where is the microphone?
You've got it. Yes. You were black and the
microphone too. So maybe you start and then we
take the question from the Internet.
Q: Yes, I have a question. You mentioned
that the phone needed to be offline. Would
a call, like a simultaneous call to the phone,
so that it would be in what is called in
English... "besetzt" (busy)? Like occupied. So let's
say I already called the victim. So the
caller gets, yeah, the line's occupied,
that would then go to voicemail, wouldn't
it?
M.V.: So that's a great question. I think
the question is, if you are on a call and
someone else calls you, so your attack
will be: I somehow make up a story to keep
the person on the phone call while I
launch other calls... that will work. I
tried that, but the problem is usually to
force, I mean, that will not be too big of
a deal I guess, but it supports two calls,
right. They will warn you that there is
another incoming call. But I guess you
could keep doing more. So that's what I
meant partly with call flooding. In
that case what I tried was just launching
all of them at the same time. And if the
person picks up I don't care, but it's
somewhat related to what you mentioned, and
that's definitely possible.
Questioner: Okay. Thank you.
M.V.: Yeah.
Herald: Question from the Internet, please.
Signal Angel: Does this work with the
phone calls that start talking
immediately? Will the new code be
recorded then?
M.V.: if I understood the question
correctly it's that when the voicemail
picks up like basically the automated
system that spits out the code already
started to talk. I believe that's the
question.
Herald: We don't know it's from the
Internet.
M.V.: OK, so if that is the question, I
found actually that, because usually
greeting messages last like 15 seconds, so
by the time it starts recording you've
already finished the recording that gives
you the code. But you own the greeting
message, so you make it as short as one
second. And I never found a problem with
that. You actually record DTMF tones for
like two seconds.
Herald: Ladies first, let me take your
question.
Q: You talked about how you learned all of
that through reading e-zines. What are they
called, and how do I find them?
M.V.: That's the best question I've ever
heard and it deserves applause,
seriously. I like that because you also
want to learn about it. So that's, that's
really fantastic. So the Phrack website
is the best resource you can get. I guess
everyone will agree here. So you just look
up on Google for Phrack magazine and there is
a lot, a lot of interesting stuff that we
can learn there still today.
Q: Are there any others?
M.V.: Yeah, I mean you can then follow the
classic. I mean I like Twitter to get my
security news because it's very concise, so
I kind of get, like, you know, the 140-
character version... if I'm interested
then I will read it. So I think you can
google for, like, top security people to
follow. Brian Krebs is great. It depends
also on your technical depth. There are
different people for that. And if not, just,
you know, specialized blogs and magazines.
Q: All right. Thanks.
M.V.: Thank you.
Herald: And your question please.
Q: Hi. And so for me the solution is
obvious: I just turn off my voicemail. But
thinking about some relatives who are
maybe too lazy or don't really care and
still use two factor authentication, I was
thinking about: could I easily adapt your
script to automatically turn off voice
boxes or generate random PINs?
M.V.: You can automate it to turn off the PIN. Like,
for example, on Vodafone, I don't know why,
that allows you to turn off the PIN. To turn
off the voicemail... I don't... I haven't
tested that. I think you may have to call
the IT department, but you know what, it
would be really great to do that. It would
be really awesome. Great question. I guess
if you can turn it off then you can turn
it on as well. Yeah.
Herald: Your question please.
Q: Did Twilio ban you, or did they find out
what you did?
M.V.: I got some emails, I got some emails,
but they were really cool. I have to say
that. I explained to them where I was
coming from, I gave them my identity...
like, I wasn't hiding anything. Actually I
had to pay quite some money because of
all the calls that I was doing while I was
doing the research, so I didn't hide my
identity at all. So, they did detect
that I was doing many calls and stuff like
that. So there is, I guess, at the high
volumes there is some detection, but
Twilio is not the only service. So again,
you can switch between services, space it
out, change caller IDs, a number of
things.
Herald: And one more question here.
Q: Hi. You talked about being undetected
when making all these calls by going
directly to these direct access numbers.
In Germany it's very common that if
someone calls your voicemail you get an
SMS text even if they don't leave a
message. But I suspect there's some kind
of undocumented API to actually turn that
off through the menus. Have you looked
into that?
M.V.: No, I haven't looked into that
specifically. The question is that usually
in Germany for the carriers you'll get an
SMS when you, when you get a call. I
wonder... in the tests that I did on the
German carriers, I was getting a text if I
was leaving a message, not if someone was
calling there. I guess you are talking
about a missed call, that kind of
notification. I'm not sure about it. What
I do want to point out is, remember that
you can do this while the person is
offline, maybe on a long trip, so you can
time it, and that will be a good approach
I guess to just not launch at any, you
know, at any point in time, but you can
just always time it, and by the time the
person gets a million texts it's too late.
Q: Thanks.
M.V.: Yeah.
Herald: One more question over here
please.
Q: Thank you. On Apple phones you can
activate, with some care, the, what they
call, visual voicemail. Would that prevent
your attack from working, or...?
M.V.: No, there is actually, I believe it
was an Australian researcher, that looked
into the visual voicemail and he was able
to find that in reality it uses the IMAP
protocol, if I remember correctly, and for
some carriers he was able to launch
brute force attacks because the
authentication wasn't with the same PIN as
you get when you dial in. But he found at
least one carrier, in Australia I believe,
that was vulnerable through the visual
voicemail protocol. And I checked for
German carriers. I did that, I actually
followed the steps that he did, to see if
that was worth mentioning here. I didn't
find it to be vulnerable, but that doesn't
mean that that's not the case.
Herald: One more last question.
Q: Thank you for the talk. What is your
recommendation to American carriers to
protect themselves against this attack?
M.V.: I put a slide there. Like, for
me I guess the most important thing is
really look at what some German carriers
are doing. I really like that in the recent
past where it sends it to you over SMS as
soon as it detects that someone dialed,
tried six times the wrong PIN. I mean, if
you have physical access to a locked
device you could claim that if someone has
the preview turned on on the device you could
still see the PIN, you know, when you get
it, so. But then it wouldn't be like a
remote attack anymore, so definitely
detect brute forcing and shut down. I mean,
we know that the caller ID is not
working so well for a Telecom, because I
was able to bypass it. But I know that,
because I did some tests with HLR records,
that you can actually tell the type of
device that it is, if it's a virtual
number. So if carriers could actually look
at the type of phone that is trying to
call in. I think if it's a virtual number,
you know, red flag. If it's not, I don't
think someone is going to have... I guess
the government could, like, you know, have
3333 devices, because you try one PIN for
the 10000 keyspace, you know. You try 3
PINs at a time and just have 3333 SIM
cards, and so it will come from real
devices. But then at least it will quite
significantly mitigate it. And then, like,
again, if you ban DTMF tones from the
greeting message that will help as well.
Herald: Thank you, Martin. I have never
provided any telephone number to any
platform and now, thanks to you, I know why.
Warm applause for Martin Vigo, please.
M.V.: Thank you.
Applause
35c3 postroll music
subtitles created by c3subtitles.de
in the year 2019. Join, and help us!