0:00:00.000,0:00:17.790
35C3 preroll music
0:00:17.790,0:00:25.360
Herald Angel: We start the next talk. It's[br]by Martin Vigo. He stands here. He is a
0:00:25.360,0:00:32.500
product security lead and researcher and[br]he's responsible for mobile security,
0:00:32.500,0:00:39.860
identity, and authentication. So he helps[br]people design and secure systems and
0:00:39.860,0:00:46.710
applications. And he has worked on stuff[br]like breaking password managers or
0:00:46.710,0:00:57.500
exploiting Apple's FaceTime to create a[br]spy... yeah, a spy program. So give him a
0:00:57.500,0:01:09.360
warm applause for his talk.[br]Applause
0:01:09.360,0:01:12.650
Martin Vigo: Thank you for joining me in[br]this talk. I'm super excited to be here.
0:01:12.650,0:01:16.500
It's actually my second year at the[br]conference, so super super excited that
0:01:16.500,0:01:20.490
the first year I was sitting there, and[br]the second year I'm sitting here. This is
0:01:20.490,0:01:24.980
me, but an introduction was already made.[br]Just pointing out that this is me, 9 years
0:01:24.980,0:01:32.640
old, with an Amstrad CPC 6128. You had[br]this machine before? I see only one hand?
0:01:32.640,0:01:36.480
I think this was sold in Europe, but I was[br]playing here La Abadía del Crimen, which
0:01:36.480,0:01:40.770
is the best video game ever written. If[br]you guys like abandonware, you should
0:01:40.770,0:01:45.410
definitely check it out. So like any good[br]research we have to start by looking at
0:01:45.410,0:01:49.860
previous art, right? We can learn a lot[br]from researchers that did stuff in the
0:01:49.860,0:01:55.800
past. And in this case I went all the way[br]back to the 80s to understand how phreakers
0:01:55.800,0:01:59.590
of the time, when the hacking thing[br]started, were doing to actually hack into
0:01:59.590,0:02:06.110
voicemail systems. I condensed everything[br]I learned in five different paragraphs of
0:02:06.110,0:02:11.670
five different essays, that I actually[br]got from the Phrack website, which is an amazing
0:02:11.670,0:02:16.870
resource. So, here from the Hacking[br]Telephone Answering Machines, the
0:02:16.870,0:02:20.840
paragraph that I extracted was that "You[br]can just enter all 2-digit combinations
0:02:20.840,0:02:25.240
until you get the right one", "A more[br]sophisticated and fast way to do this is
0:02:25.240,0:02:29.200
to take advantage of the fact that such[br]machines typically do not read two numbers
0:02:29.200,0:02:33.330
at a time, and discard them, but just look[br]for the correct sequence". What is this
0:02:33.330,0:02:41.650
about? In older voicemail systems if you[br]enter like 1234 for the 2-digit PIN,
0:02:41.650,0:02:47.770
it will not only process 12 and 34 to verify[br]the PIN, but it will also process 23,
0:02:47.770,0:02:52.280
which is very interesting. In fact, in[br]Hacking AT&T Answering Machines, again,
0:02:52.280,0:02:56.960
this is amazing from the 90s or 80s, we[br]actually get the correct sequence to cover
0:02:56.960,0:03:01.230
the entire 2-digit key space. So, if you[br]enter all these, you are basically brute
0:03:01.230,0:03:05.770
forcing the entire key space, without[br]having to enter in the entire thing that
0:03:05.770,0:03:11.541
covers it. I also learned, from A Tutorial[br]of Aspen Voice Mailbox Systems, that in
0:03:11.541,0:03:16.319
the 80s there were default passwords.[br]Surprise, surprise! But also that as
0:03:16.319,0:03:21.660
humans, we actually have patterns when we[br]choose PINs. And so we have the classics:
0:03:21.660,0:03:28.230
1111, 9999, 1234. And another thing that I[br]learned in Hacking Answering Machines in
0:03:28.230,0:03:32.700
the 90s, was that "There is also the old[br]'change the message' secret to make it say
0:03:32.700,0:03:36.970
something to the effect of this line[br]accepts all toll charges so you can bill
0:03:36.970,0:03:41.849
third party calls to that number". This is[br]basically a trick used by inmates to get
0:03:41.849,0:03:46.160
free calls. Basically, they would record[br]in the voicemail a greeting message "yes,
0:03:46.160,0:03:49.750
yes, yes", so when the automated system[br]comes in and asks "Do you want to accept
0:03:49.750,0:03:53.890
the toll charges from the call from the[br]penitentiary", it will go and they will be
0:03:53.890,0:03:59.940
able to do free calls. So, condensing[br]everything and summarizing what I
0:03:59.940,0:04:04.350
learned from looking at what previous[br]hackers did in the 80s: we know that the
0:04:04.350,0:04:08.780
voicemail system security looked like...[br]there were default PINs, there were common
0:04:08.780,0:04:12.650
PINs, there were bruteforceable PINs, there[br]was efficient bruteforcing because we can
0:04:12.650,0:04:16.779
enter multiple PINs at the same time, and[br]the greeting message is actually an attack
0:04:16.779,0:04:21.470
vector. So let's play a game. Let's do a[br]checklist and let's look at the voicemail
0:04:21.470,0:04:26.970
security today. So, I looked at the[br]American carriers because I live in the
0:04:26.970,0:04:32.340
US, but because I was invited to talk in[br]Germany, I took some friends to give me
0:04:32.340,0:04:37.190
some SIM cards and I actually wanted to[br]put about German carriers as well. So,
0:04:37.190,0:04:41.490
checklist time, default PINs: all American[br]carriers do have default PINs and
0:04:41.490,0:04:45.940
unfortunately they are really not a secret[br]because most of them are actually the last
0:04:45.940,0:04:51.060
digits of your phone number. When it comes[br]to German carriers it's actually a much
0:04:51.060,0:04:54.840
better state, for example Vodafone it's[br]the last 4 digits of the client number
0:04:54.840,0:04:59.530
which you don't know. I mean, you know as[br]the customer, not others, it's a secret.
0:04:59.530,0:05:03.650
Or when it comes to CallYa, that is the[br]card that I got, it's the last 4 digits of
0:05:03.650,0:05:07.440
the PUK. For Telekom it's the last 4[br]digits of the card number, which is the
0:05:07.440,0:05:11.590
card you get with the SIM card. For O2,[br]unfortunately, there is a default PIN,
0:05:11.590,0:05:18.440
which is 8705, which is the only PIN you[br]can't set, when you choose to set one.
0:05:18.440,0:05:23.680
Yeah. So, voicemail security today when it[br]comes to common PINs: according to some
0:05:23.680,0:05:28.180
fantastic research from Data Genetics,[br]this is actually about people choosing
0:05:28.180,0:05:33.530
PINs for their credit cards, but there were[br]a lot of conclusions that I learned from
0:05:33.530,0:05:38.500
this research and basically, to summarize[br]the most important regarding this work, is
0:05:38.500,0:05:44.940
that for example by trying the top 20 most[br]common PINs, you have a 22 percent chance
0:05:44.940,0:05:50.060
of getting the right one. What this means[br]in other words is for every fourth victim
0:05:50.060,0:05:53.990
that I tried to brute force the PIN from[br]their voicemail system, I will get it
0:05:53.990,0:05:58.290
right every fourth person. There are other[br]conclusions that are very interesting
0:05:58.290,0:06:08.660
like, the PINs mostly start with 19. Who has[br]an idea why that is? Birth year, right? It's
0:06:08.660,0:06:13.819
very common to set as your birth year.[br]Most of us were born in the 20th
0:06:13.819,0:06:20.440
century... to set it as a PIN.[br]Bruteforceable PINs. Same thing in Germany
0:06:20.440,0:06:24.650
and in the US, it accepts 4-digit PINs[br]which, we will see later, is just not
0:06:24.650,0:06:29.970
enough key space. Efficient bruteforcing:[br]all the carriers accept concatenation of
0:06:29.970,0:06:34.880
payload. So, in this case I use it to try[br]different PINs and I don't even have to
0:06:34.880,0:06:38.919
wait for error messages. I just use the[br]pound as kind of like an enter in a
0:06:38.919,0:06:43.270
voicemail system and I can try three PINs[br]at a time. Usually carriers will hang up
0:06:43.270,0:06:46.710
when you enter three PINs wrong, for[br]security purposes, but we will take
0:06:46.710,0:06:52.289
advantage of that. So with everything that[br]I learned from the 80s, I verified that it
0:06:52.289,0:06:56.711
was still a problem today. I decided to[br]write a tool that allows you to brute
0:06:56.711,0:07:01.970
force voicemail system fast, cheap,[br]easily, efficiently, and undetected. So,
0:07:01.970,0:07:08.179
fast: I used Twilio... who is familiar[br]with Twilio here? Some of you? So Twilio
0:07:08.179,0:07:11.950
is basically an online service that[br]allows you to programmatically interact
0:07:11.950,0:07:15.410
with phone calls. You can make phone[br]calls, interact with them, and all that.
0:07:15.410,0:07:18.780
So I use it to launch hundreds and[br]hundreds of calls at the same time in
0:07:18.780,0:07:24.150
order to brute force PINs. It's cheap! The[br]entire 4-digit keyspace costs 40 dollars.
0:07:24.150,0:07:29.490
So if I want to have a 100 percent chance[br]of getting your 4-digit PIN, I only have
0:07:29.490,0:07:33.460
to pay 40 bucks. A 50 percent chance,[br]according to the research from Data
0:07:33.460,0:07:37.370
Genetics, it will cost me five dollars. So[br]once every two victims, I will get the
0:07:37.370,0:07:41.490
PIN. Actually, if I want to take a[br]different approach and instead of just
0:07:41.490,0:07:46.620
trying to brute force only yours, I want[br]to brute force the PIN from everyone here,
0:07:46.620,0:07:50.620
according to Data Genetics, and in this[br]case, according to the fact that there are
0:07:50.620,0:07:54.570
default PINs... I'm not going to ask how[br]many of you have O2, now that they know
0:07:54.570,0:07:58.490
that there is a default PIN to their[br]voicemail system. It will be more
0:07:58.490,0:08:03.320
interesting to actually try a thousand[br]phone numbers for that default PIN for O2
0:08:03.320,0:08:08.410
customers, only for 13 dollars. It's easy:[br]fully automated, the tool does everything
0:08:08.410,0:08:11.770
for you, you just have to provide the[br]victim number, the carrier, and a couple
0:08:11.770,0:08:16.091
other parameters and it's efficient! It[br]optimizes brute forcing, I use the
0:08:16.091,0:08:20.910
research from Data Genetics to favor the[br]PINs that are most common, and obviously
0:08:20.910,0:08:25.350
it tries different PINs and all that[br]stuff. But the most important here is
0:08:25.350,0:08:28.750
detection, because think about it. In[br]order for me to interact with your
0:08:28.750,0:08:33.049
voicemail system I need to call you and[br]you cannot pick up, because if not, it
0:08:33.049,0:08:36.539
doesn't go to the voicemail system. So I[br]was trying to find ways, because I need
0:08:36.539,0:08:41.938
to, in the end, make a lot of calls,[br]trying different PINs. How can I interact
0:08:41.938,0:08:46.100
directly with your voicemail? I tried call[br]flooding, like basically doing three calls
0:08:46.100,0:08:49.810
at a time, because the line gets flooded[br]just with three calls, it goes directly to
0:08:49.810,0:08:54.220
the voicemail, but it wasn't very[br]reliable. You can use OSINT techniques, a
0:08:54.220,0:08:57.290
lot of people like to tweet that they,[br]you know, they go on a trip, they are
0:08:57.290,0:09:01.980
about to board a plane, so it goes into[br]airplane mode, or you go in a remote area,
0:09:01.980,0:09:06.850
or you are in a movie theater, or at night[br]you put in Do Not Disturb. Those are all
0:09:06.850,0:09:12.300
situations in which calls go directly to[br]the voicemail. You can use HLR database to
0:09:12.300,0:09:17.529
find out if mobile devices are[br]disconnected or the SIM cards have been
0:09:17.529,0:09:21.720
discarded, but they are still assigned to[br]an account. And you can use online
0:09:21.720,0:09:25.800
services like realphonevalidation.com[br]which I actually reached out and they
0:09:25.800,0:09:30.300
provide services that allow you to know if[br]a phone is actually connected to a tower
0:09:30.300,0:09:34.870
at the moment, so it's basically[br]available, so you could use that too. You
0:09:34.870,0:09:40.509
can also use class 0 SMS, which gives you[br]feedback. It's basically a type of SMS
0:09:40.509,0:09:45.570
that will... it has more priority and will[br]basically display on the screen and you'll
0:09:45.570,0:09:49.519
get the feedback if it was displayed. So,[br]that's a nice trick to find out if the
0:09:49.519,0:09:55.259
phone actually connected to a tower. But[br]in reality, I wanted a bulletproof way to
0:09:55.259,0:09:59.480
do this and in the U.S. I found that there[br]is this concept of backdoor voicemail systems.
0:09:59.480,0:10:03.019
So instead of me calling you, I'm going to[br]call one of these services that you guys
0:10:03.019,0:10:08.129
have listed here for every carrier and[br]there I enter the number, in this case the
0:10:08.129,0:10:11.769
number of the victim from the voicemail I[br]want to interact with. And of course it
0:10:11.769,0:10:16.069
allows you access to the login[br]prompt. Actually in Germany I find it
0:10:16.069,0:10:19.740
interesting that you guys have it as a[br]service, because in the US it's more a
0:10:19.740,0:10:24.589
secret that I had to find using Google,[br]but here... Basically if I dial your phone
0:10:24.589,0:10:28.029
number and when it comes to Vodafone[br]between the area code and the rest of the
0:10:28.029,0:10:33.889
number I put 55, or for Telekom 13, or for[br]O2 33, I directly go to the voicemail, it
0:10:33.889,0:10:37.469
won't ring your phone. So I can use that.[br]Who was aware of this, that is from
0:10:37.469,0:10:42.439
Germany? OK, many of you. So that's what I[br]thought. Like here it's not really like
0:10:42.439,0:10:46.569
something you guys care too much about. In[br]the U.S. it's actually used a lot for
0:10:46.569,0:10:53.429
scammers or to leave directly voicemail[br]messages from spammers as well. So,
0:10:53.429,0:10:56.809
voicemailcracker actually takes advantage[br]of backdoor numbers, so it allows you to
0:10:56.809,0:11:00.119
be undetected. I don't need to call you, I[br]don't need to wait till you are flying, I
0:11:00.119,0:11:04.399
can do that. And for example for the U.S.[br]it's great, because when I launch that
0:11:04.399,0:11:08.549
many calls, the line gets flooded even if[br]you are offline. But when I use these
0:11:08.549,0:11:14.959
backdoor voicemail systems, because they[br]are meant to be used by everyone, those
0:11:14.959,0:11:19.320
don't get flooded. So I literally make[br]hundreds and hundreds of calls and it
0:11:19.320,0:11:25.339
never fails. So, but you know like[br]carriers, or some of them, add brute
0:11:25.339,0:11:28.799
force protections, right? So that you[br]can't actually launch brute forcing
0:11:28.799,0:11:32.929
attacks. And I looked at the German[br]carriers and for example Vodafone, I saw
0:11:32.929,0:11:37.619
that it resets the 6-digit PIN and sends[br]it over SMS. So, I guess I can flood your
0:11:37.619,0:11:41.260
phone with text but who cares, that's not[br]a big deal, but I think it's actually a
0:11:41.260,0:11:45.709
pretty effective measure against[br]voicemail... against brute forcing.
0:11:45.709,0:11:48.660
Telekom blocks the Caller ID from[br]accessing the mailbox or even leaving
0:11:48.660,0:11:53.220
messages. I tried, and after six times that[br]it's wrong, every time I call it says
0:11:53.220,0:11:56.949
"Hey, you can't do anything", and it hangs[br]up. And for O2 it connects directly to the
0:11:56.949,0:12:01.059
customer help-line, but someone started[br]talking German and my German is not that
0:12:01.059,0:12:08.410
good. So brute force, I wanted to be able[br]to bypass this, right? And so if you look
0:12:08.410,0:12:12.869
at Telekom, I mentioned that it blocks the[br]caller ID, but it turns out that on Twilio
0:12:12.869,0:12:16.959
you can actually buy caller IDs. You can,[br]well, you can buy phone numbers, right?
0:12:16.959,0:12:22.509
and they are really cheap. So it's very[br]easy for me to do randomization of caller
0:12:22.509,0:12:28.329
IDs for very cheap and bypass[br]Telekom's brute force protection. So
0:12:28.329,0:12:33.009
voicemailcracker also supports that. It[br]supports caller ID randomization. So let's
0:12:33.009,0:12:38.490
make the first demo. So as you can see[br]here on the left is the victim's mobile
0:12:38.490,0:12:43.789
device, and on the right is the tool. And[br]in this case I'm going to use the brute
0:12:43.789,0:12:47.509
force option. The brute force option[br]allows me to basically brute force the
0:12:47.509,0:12:51.940
PIN. It makes hundreds of calls, as I[br]explained, and I'll try to guess it. And
0:12:51.940,0:12:55.070
there are a number of parameters like the[br]victim number, the carrier... the carrier
0:12:55.070,0:12:58.990
is important because there are[br]specific payloads for every single carrier
0:12:58.990,0:13:03.589
because all the voicemail systems are[br]different, how you interact with them, and
0:13:03.589,0:13:06.869
in this case I'm using a backdoor number[br]because it's more efficient. And then
0:13:06.869,0:13:11.109
there is no detection. And in this case I[br]did the option of top PIN. So this is
0:13:11.109,0:13:17.499
basically trying the top 20 PINs according[br]to the research for four digits. So as you
0:13:17.499,0:13:21.639
can see it's actually trying three PINs at[br]a time, as I mentioned before, rather than
0:13:21.639,0:13:26.959
one. So we have to do a third of the[br]calls, right? And how do you
0:13:26.959,0:13:34.390
think that I'm detecting if the PIN was[br]correct or not? Any ideas?
0:13:34.390,0:13:40.170
Unintelligible suggestion from audience[br]M.V.: OK. So the disconnect and hang up.
0:13:40.170,0:13:43.879
That's what I heard. And that's exactly[br]right. If you think about it I can look at
0:13:43.879,0:13:48.170
the call duration, because when I try[br]three PINs and it hangs up it's always the
0:13:48.170,0:13:54.379
same call duration. For T-Mobile in this[br]case it's like 18 seconds. So I instruct
0:13:54.379,0:13:58.110
Twilio, after dialing and putting the[br]payload to interact with the voicemail
0:13:58.110,0:14:03.109
system trying the PINs, to wait 10 extra[br]seconds. So all I got to do, I don't need
0:14:03.109,0:14:07.509
any sound processing to try to guess what[br]the voicemail voice is telling me if it's
0:14:07.509,0:14:11.069
correct or not. I just use the call[br]duration. So if the call duration is ten
0:14:11.069,0:14:15.549
times longer then I know that's the right[br]PIN, because it logged in. So as
0:14:15.549,0:14:19.239
you can see it found out one of those[br]three is actually the correct one: in this
0:14:19.239,0:14:24.649
case it's 1983. So in order to give you[br]the exact one, because at that time it
0:14:24.649,0:14:29.389
tried the three of them, now it's trying[br]one by one, and it may look like it's
0:14:29.389,0:14:35.350
taking longer than it should for only 20[br]PINs, but remember failing PINs is very
0:14:35.350,0:14:38.989
quick. It's just that because in the[br]top 20 it already found the right PIN it
0:14:38.989,0:14:46.219
takes longer than it should, and there you[br]go. We got that it's 1983. Awesome. So
0:14:46.219,0:14:50.410
what is the impact, really? Why am I here[br]talking to you at CCC, which has such
0:14:50.410,0:14:55.560
amazing talks, right? And this is really[br]the thing about this. No one cares about
0:14:55.560,0:15:00.720
the voicemail. Probably if I ask here, who[br]knows his own voicemail PIN?
0:15:00.720,0:15:05.329
Laughter[br]M.V.: Nice. That's what I was expecting.
0:15:05.329,0:15:09.869
Probably less hands here. So some of them[br]are lying but that's the thing, right? We
0:15:09.869,0:15:13.910
don't care about the voicemail. We don't[br]even use it, which is the crazy thing
0:15:13.910,0:15:18.309
here. We have an open door for[br]discussing an issue that we don't even
0:15:18.309,0:15:23.290
know about or we don't even remember. So[br]many people are not familiar with the fact
0:15:23.290,0:15:27.869
that you can reset passwords over phone[br]call. We are familiar with resetting
0:15:27.869,0:15:32.699
passwords over e-mail. You get a unique[br]link, maybe over SMS you get a code that
0:15:32.699,0:15:36.809
you then have to enter in the UI.[br]But a lot of people cannot receive SMS, or
0:15:36.809,0:15:41.990
that's what services claim. So they allow[br]you to provide that temporary code over a
0:15:41.990,0:15:46.559
phone call, and that's exactly what we[br]take advantage of, because I ask you,
0:15:46.559,0:15:50.909
what happens if you don't pick up the[br]phone if basically I go to a service,
0:15:50.909,0:15:55.209
enter your e-mail or your phone number and[br]reset a password, and everyone can do
0:15:55.209,0:16:01.989
that. Anyone can reset it, initiate the[br]reset password process, and I know that
0:16:01.989,0:16:05.709
you are not going to pick up the phone. I[br]know that thanks to my tool I got access
0:16:05.709,0:16:09.759
to your voicemail system. So basically the[br]voicemail system will pick up the call and
0:16:09.759,0:16:15.309
it will start recording, so it will record[br]the voice spelling out the code that I
0:16:15.309,0:16:22.569
need to basically reset your account and[br]get access to it. So -- oops! -- and I
0:16:22.569,0:16:26.570
press play here.[br]Static
0:16:26.570,0:16:31.319
M.V.: Okay, so, what does the attack[br]vector look like? You brute force the
0:16:31.319,0:16:35.799
voicemail system using the tool, ideally[br]using backdoor numbers. For that
0:16:35.799,0:16:38.779
particular call -- that is, the call that[br]the victim will receive once you initiate
0:16:38.779,0:16:42.369
the password reset -- that one it cannot[br]go through the backdoor number, right?,
0:16:42.369,0:16:45.849
because it's gonna-- PayPal is gonna[br]directly call the victim. So for that one
0:16:45.849,0:16:50.149
you need to make sure that the victim is[br]not connected to a tower through all the
0:16:50.149,0:16:53.979
methods that I showed before. You start[br]the password reset process using the
0:16:53.979,0:16:57.799
call-me feature. You listen to the[br]recorded message, secret code, and profit.
0:16:57.799,0:17:01.679
You hijacked that account, and[br]Voicemailcracker can do all that for you.
0:17:01.679,0:17:09.549
Let's compromise WhatsApp. So on the left[br]you see my number, right?, with a secret
0:17:09.549,0:17:13.939
lover group, and a secret group, and all[br]that stuff. On the right notice that I'm
0:17:13.939,0:17:19.709
not even using an actual device. It's an[br]Android emulator where I installed an APK.
0:17:19.709,0:17:23.809
And there is some sound to this, and you[br]are gonna see -- so again on your left
0:17:23.809,0:17:27.898
it's the victim's number. On the right is[br]an emulator of the attacker. So you'll see
0:17:27.898,0:17:33.919
that I'm going to use my tool with the[br]message payload, with the message option.
0:17:33.919,0:17:38.520
So in this case what I'm doing is I'm[br]setting the victim's phone to airplane
0:17:38.520,0:17:43.880
mode, simulating that it's now offline for[br]some reason, and I detected that. So if
0:17:43.880,0:17:50.680
you see, WhatsApp sends you a text[br]to actually register as a WhatsApp user,
0:17:50.680,0:17:54.880
but if you don't reply in a minute it[br]allows you-- it gives you an option to
0:17:54.880,0:17:59.430
call, to call me, right? And that's[br]exactly what I click. So now WhatsApp is
0:17:59.430,0:18:04.080
basically calling the victim which is[br]again in airplane mode, because he went on
0:18:04.080,0:18:08.600
a remote trip or on a plane, and so I'm[br]using Voicemailcracker with the option
0:18:08.600,0:18:14.059
"message" to automatically retrieve that[br]newest message. So the tool is gonna
0:18:14.059,0:18:17.589
provide me, as you can see the last option[br]is the PIN, because I brute forced it
0:18:17.589,0:18:21.960
before. So it's going to give me a URL[br]with the recording of the newest message,
0:18:21.960,0:18:29.529
which, hopefully -- it's a recorded demo[br]-- hopefully contains actually the code.
0:18:29.529,0:18:46.079
So let's see... I got the URL.[br]Phone alert sound
0:18:46.079,0:18:48.760
Computerized phone voice: New Message! --[br]M.V.: It's interacting with the voicemail
0:18:48.760,0:18:50.550
system right now.[br]Phone voice: -- your verification code is:
0:18:50.550,0:19:01.440
3 6 5 9 1 5. Your verification code is: 3[br]6 5 9 1 5. Your ver--
0:19:01.440,0:19:06.059
M.V.: And it's that simple. We just hijacked[br]that person's WhatsApp, and I -- here I'm
0:19:06.059,0:19:08.819
fast forwarding just to show you--[br]Applause
0:19:08.819,0:19:18.760
M.V.: --that you get actually that. Thank[br]you. I do want to point out that WhatsApp
0:19:18.760,0:19:21.841
is super secure, it like-- end to end[br]encryption all that -- and there are a
0:19:21.841,0:19:25.179
number of ways that you can notice this[br]attack. For example you wouldn't be able
0:19:25.179,0:19:28.690
to see the previous messages that were[br]there but you can just hold on and ask
0:19:28.690,0:19:32.910
people, right? The groups will pop up. So[br]you hijacked that WhatsApp account. There
0:19:32.910,0:19:37.559
is also fingerprinting. But who really[br]pays attention to the fingerprinting when
0:19:37.559,0:19:43.440
someone changes the device, right? So are[br]we done? Not yet. Because the truth is,
0:19:43.440,0:19:48.029
some researchers talked about this in the[br]past, and actually services tried to
0:19:48.029,0:19:52.159
slowly pick up. So that is actually[br]something that I found in several
0:19:52.159,0:19:56.710
services. That is what I call the user[br]interaction based protection. So when you
0:19:56.710,0:20:01.060
receive that phone call that provides you[br]with the temporary code, in reality it's
0:20:01.060,0:20:04.700
not giving it away. You have to press a[br]key. It comes in three different flavors
0:20:04.700,0:20:08.530
from what I found from my tests. Please[br]press any key to hear the code, so when
0:20:08.530,0:20:11.679
you get the call, you have to press, and[br]then it will tell you the code; please
0:20:11.679,0:20:15.950
press a random key, so specifically please[br]press 1, please press 2; or please enter
0:20:15.950,0:20:20.090
the code. PayPal does that, and instead of[br]you having to press a key to hear the code,
0:20:20.090,0:20:24.289
when you reset the password you will see a[br]four-digit code that you have to enter
0:20:24.289,0:20:29.140
when you receive the call and then it will[br]reset the password. So I'm going to get
0:20:29.140,0:20:33.680
the help from all of you guys. Can we beat[br]this currently recommended protection, what
0:20:33.680,0:20:37.920
is nowadays recommended to prevent these[br]kinds of attacks? And we're going to play a
0:20:37.920,0:20:44.590
game. I'm going to give you two hints.[br]This is the first one. So, you probably
0:20:44.590,0:20:48.510
guys are familiar with this, but Captain[br]Crunch. Again we go back, because we
0:20:48.510,0:20:54.509
can learn so much from them. He used this to[br]generate specific sounds at a specific
0:20:54.509,0:20:58.169
frequency to basically -- you can go and[br]read it -- to get free international
0:20:58.169,0:21:02.549
calls. So he would create that sound and[br]the system would process it on the
0:21:02.549,0:21:07.430
line. And the second one is that I[br]cheated. When we did the checklist, I
0:21:07.430,0:21:11.750
actually skipped one, which was that the[br]greeting message is an attack vector. So I
0:21:11.750,0:21:16.549
ask you guys how can we bypass the[br]protection that requires user interaction
0:21:16.549,0:21:20.129
in order to get the code recorded on the[br]voicemail system?
0:21:20.129,0:21:26.269
Inaudible suggestion from audience[br]M.V.: What was that?... Exactly. Record
0:21:26.269,0:21:31.470
DTMF tones as the greeting message. We own[br]the voicemail system so we can alter the
0:21:31.470,0:21:36.729
greeting message. So this is exactly how[br]it works: We just alter the greeting
0:21:36.729,0:21:42.260
message with the DTMF that the system[br]is expecting, and it works every single
0:21:42.260,0:21:48.039
time. The best thing of this is what[br]really is so awesome about all of us
0:21:48.039,0:21:52.169
that really care about technology. We want[br]to have a deep understanding, because when
0:21:52.169,0:21:57.049
I was asking people, when, you know, I[br]wanted to show them this, I was asking them
0:21:57.049,0:22:01.480
how does this protection really work. And[br]they would say, well, you have to press a key
0:22:01.480,0:22:05.789
and then, you know, it will give you the[br]code. But that's not really true. What
0:22:05.789,0:22:09.490
you have to do is to provide a[br]specific sound that the system is
0:22:09.490,0:22:13.990
expecting. That is different than saying[br]you have to press a key, because if you
0:22:13.990,0:22:18.520
say I have to press a key that requires[br]physical access. If you say I have to
0:22:18.520,0:22:22.460
provide a sound, now we know it doesn't[br]require physical access. That is why
0:22:22.460,0:22:26.490
hackers are so cool, because we really[br]want to understand what is happening
0:22:26.490,0:22:30.720
backstage, and we take advantage of that.[br]So what does the attack vector look like?
0:22:30.720,0:22:34.090
Bruteforcing voicemail systems as before.[br]So basically we have an extra step, which
0:22:34.090,0:22:38.121
is update the greeting message according[br]to the account to be hacked, and
0:22:38.121,0:22:40.929
Voicemailcracker can do that for you. Let's[br]compromise PayPal.
0:22:40.929,0:22:46.990
Laughter[br]M.V.: So on the left side you see that as
0:22:46.990,0:22:53.330
before I brute force the PIN of the[br]voicemail. And in this case on the right side
0:22:53.330,0:23:00.769
I'm going to start a password reset for[br]that account. So I do that and I choose
0:23:00.769,0:23:05.799
"please call me with a temporary code".[br]But in this case PayPal works differently
0:23:05.799,0:23:10.139
because it will show me a four-digit code[br]that I need to enter when I receive the
0:23:10.139,0:23:15.690
call in order to reset the password. So[br]you see that here I'm using the greeting
0:23:15.690,0:23:20.310
option. So the greeting is going to allow[br]me to enter a payload that I want to
0:23:20.310,0:23:26.270
record as the greeting message. In this[br]case it is 6 3 5 3. So I may be very
0:23:26.270,0:23:31.500
verbose for this demo. There you see[br]the last option, use PayPal code, and I
0:23:31.500,0:23:36.989
enter 6 3 5 3. Now the tool is going to[br]use the PIN to log into the voicemail
0:23:36.989,0:23:42.350
system, interact with it, change the[br]greeting message, record the DTMF tones
0:23:42.350,0:23:50.759
according to 6 3 5 3, and then it should be[br]able to fool the call. In this case I'm
0:23:50.759,0:23:55.860
asking to call again, because it didn't[br]have enough time to do that. And in 3 2 1
0:23:55.860,0:24:00.690
we should get that we actually compromised[br]the PayPal account, and there we go. We can
0:24:00.690,0:24:05.200
now set our own password.[br]Applause
0:24:05.200,0:24:14.580
M.V.: Thank you. So, I showed you some[br]vulnerable servers. Let's go very quick
0:24:14.580,0:24:19.240
about it because I'm I'm concerned I'm[br]running out of time. So, I'm just
0:24:19.240,0:24:23.490
mentioning Alexa top 100 types of[br]services, no favoring anything, but... so
0:24:23.490,0:24:27.610
for password reset that supports over[br]phone call: PayPal, Instagram-- no,
0:24:27.610,0:24:35.059
Snapchat-- Netflix, Ebay, LinkdIn. I'm[br]still on Facebook. What can I say? 2FA for
0:24:35.059,0:24:38.279
all they major forms so 2FA over phone[br]call for Apple, Google, Microsoft,
0:24:38.279,0:24:42.289
Yahoo... Verification: So basically you[br]don't register with a username and
0:24:42.289,0:24:47.020
password on WhatsApp or Signal you[br]actually use directly the phone number,
0:24:47.020,0:24:50.790
right? As we saw before and you register[br]through a phone call or SMS. So you can
0:24:50.790,0:24:54.710
compromise this too. Twilio, the own[br]service that I use for these is actually
0:24:54.710,0:25:00.519
really cool because you can own a caller[br]I.D. by verifying it by getting a phone
0:25:00.519,0:25:05.460
call so I can actually own your caller ID[br]and make calls on your behalf, send texts,
0:25:05.460,0:25:10.039
and these all legitimately, right?,[br]because you've pressed one. Google Voice,
0:25:10.039,0:25:13.289
it's actually another interesting service[br]because it's used a lot by scammers,
0:25:13.289,0:25:17.009
right? And this is the same thing: you[br]have to verify ownership so you can do
0:25:17.009,0:25:21.549
those phone calls and you can fool it as[br]well with this, but I found I was looking
0:25:21.549,0:25:24.730
like what other services really take[br]advantage of this? And this is super
0:25:24.730,0:25:30.789
common in San Francisco, where I live. You[br]can buzz in people like when they want to
0:25:30.789,0:25:35.279
enter, right?, they enter your house[br]number, and then your phone rings and you
0:25:35.279,0:25:39.449
press any key to open the door. So we are[br]talking about physical security now. And
0:25:39.449,0:25:44.019
I've seen this in offices as well. They[br]all work this way, basically because they
0:25:44.019,0:25:47.769
want to be able -- for tenants, that you[br]know, come and go -- be able to switch
0:25:47.769,0:25:52.620
that very quickly. So it works just[br]through the phone that you buzz people in.
0:25:52.620,0:25:56.710
But my favorite is consent, because when[br]we think about consent we think about
0:25:56.710,0:26:00.779
lawyers and we think about signing papers[br]and we think about all of these difficult
0:26:00.779,0:26:07.799
things. And I find out about these[br]location smart service that is not anymore
0:26:07.799,0:26:15.190
there and you will see why... But this was[br]recently in the news because, basically
0:26:15.190,0:26:19.690
Brian Krebs wrote a really great article[br]about it. But I'm going to let you hear
0:26:19.690,0:26:23.389
then their YouTube channel, how Location[br]Smart works.
0:26:23.389,0:26:30.380
LS vid speaker 1: The screen that you're[br]showing, that you're seeing right now is a
0:26:30.380,0:26:36.800
demo that we have on our Web site it's at[br]location smart.com/pride, and I've entered
0:26:36.800,0:26:43.190
my name, my email, my mobile phone number,[br]and it's again going to get my permission
0:26:43.190,0:26:48.470
by calling my phone, and then it'll[br]locate. So let's go ahead and, I clicked
0:26:48.470,0:26:55.100
the box to say yes I agree, click the[br]locate, and the screen now shows that it's
0:26:55.100,0:26:58.170
going to call my device to get my[br]permission.
0:26:58.170,0:27:03.680
vid speaker's phone vibrates, sounds like an airhorn in video[br]LS vid speaker 2: Heh, that's a nice ring
0:27:03.680,0:27:05.610
tone --[br]M.V.: No, it's not--
0:27:05.610,0:27:09.620
LS vid speaker 1's phone: To log into[br]Location Smart Services, press 1 or say
0:27:09.620,0:27:16.870
'Yes'. To repeat, press 2 or say 'Repeat'.[br]LSVS1: Yes
0:27:16.870,0:27:21.809
Phone: Congratulations. You have been[br]opted in to Location Smart Services.
0:27:21.809,0:27:23.419
Goodbye[br]M.V.: So as you see, this service, this
0:27:23.419,0:27:30.091
Web site had a free demo, had a free demo[br]that allow you to put out a phone number
0:27:30.091,0:27:33.639
-- yours, of course -- and you will get a[br]phone call and then you will give
0:27:33.639,0:27:38.499
permission by pressing one. So someone[br]could locate you and keep tracking -- I
0:27:38.499,0:27:47.970
mean, I checked with them -- for up to 30[br]days, real time. So now you know why they
0:27:47.970,0:27:51.580
don't exist anymore![br]Applause
0:27:51.580,0:28:00.810
M.V.: Open source..[br]More Applause
0:28:00.810,0:28:05.490
M.V: Open source. So, and this was with[br]the permission of the carriers. This was
0:28:05.490,0:28:11.740
not some fishy thing. This was actually a[br]service. So I wanted to release code,
0:28:11.740,0:28:15.009
because I want you guys to verify that[br]what I mentioned is true and have code to
0:28:15.009,0:28:20.490
hopefully help push the industry forward[br]to make a voice mail systems more secure,
0:28:20.490,0:28:24.990
right? We want to push carriers to do so.[br]But I didn't want to provide a tool
0:28:24.990,0:28:29.639
that works out of the box and anyone can[br]very easily as we saw like just start to
0:28:29.639,0:28:32.929
bruteforce pins, especially because I saw[br]that there is so many people with the
0:28:32.929,0:28:37.280
default PINs out there. So I just removed[br]the brute forcing, so the tool allows you
0:28:37.280,0:28:41.220
to test it on your own. You can test, you[br]know, you can test the greeting message
0:28:41.220,0:28:45.010
you can test the retrieving messages,[br]compromising the services and all that. So
0:28:45.010,0:28:48.221
the tool allows you to test on your own[br]device. I won't give you code to brute
0:28:48.221,0:28:54.220
force someone else's device. And feel free[br]to go to my github repo. So now like all
0:28:54.220,0:28:59.309
the talks come the recommendations, but I[br]know what you guys are thinking, right?
0:28:59.309,0:29:02.509
When someone comes with all this paranoia[br]and stuff you still think "yeah but you
0:29:02.509,0:29:07.080
know still like no one is gonna come after[br]me. I don't have anything to hide" or
0:29:07.080,0:29:11.330
anything like that. So I wanted to give[br]you reasons why you should still care
0:29:11.330,0:29:17.490
about this, and why we need to do better.[br]Because do carriers set default PINs? Yes,
0:29:17.490,0:29:23.350
we saw that. Is testing for default pins[br]cheap, fast, undetected, and automatable?
0:29:23.350,0:29:28.899
Yes it is. Is updating reading the message[br]automatable? Yes it is. Is retrieving you
0:29:28.899,0:29:34.929
the newest message automatable? Yes it is.[br]Is there speech to text description, so
0:29:34.929,0:29:39.190
that I can get the sound that I played[br]before with the code and get it in text?
0:29:39.190,0:29:45.920
Yeah. Twilio gives you that as well. So[br]can the account compromise process be
0:29:45.920,0:29:49.640
automatable? Of course you can use[br]selenium if you want to automate the UI.
0:29:49.640,0:29:55.549
Or you can use a Web proxy and look at the[br]APIs and do it yourself. So it is only a
0:29:55.549,0:30:00.629
matter of time that someone actually does[br]all these steps that I showed you step by
0:30:00.629,0:30:05.350
step and just makes it all straight and[br]starts to go over phone numbers trying the
0:30:05.350,0:30:10.389
default PINs, and just automatically[br]compromising services like WhatsApp like
0:30:10.389,0:30:16.140
PayPal and all that. You can do basically,[br]not a worm, but, you know, you can
0:30:16.140,0:30:20.700
compromise a lot of devices without doing[br]anything. Recommendations for online
0:30:20.700,0:30:24.879
services. Don't use automated calls for[br]security purposes. If not possible, detect
0:30:24.879,0:30:28.270
answering machines and fail. I mean this[br]is not very accurate and you can still
0:30:28.270,0:30:33.630
trick it. Require user interaction before[br]providing the secret. I just show you how
0:30:33.630,0:30:39.630
to bypass that, but that's with hope that[br]carriers ban DTMF tones from the greeting
0:30:39.630,0:30:44.370
message. I don't see why that should be[br]supported, right? Recommendations for
0:30:44.370,0:30:48.119
carriers. The most important thing: Ban[br]DTMF tones from the greeting message,
0:30:48.119,0:30:53.250
eliminate backdoor mobile services, or at[br]least give no access to the login
0:30:53.250,0:30:57.080
prompt, right? There is no reason why you[br]should be able to access your voicemail
0:30:57.080,0:31:01.710
directly to leave a message. But then I[br]can access the login prompt by pressing
0:31:01.710,0:31:05.749
star. Voicemail disabled by default. This[br]is very important and can only be
0:31:05.749,0:31:10.100
activated from the actual phone, or[br]online maybe with a special code. Oh great
0:31:10.100,0:31:15.730
I have time for questions. No default[br]pins. Learn from the German carriers:
0:31:15.730,0:31:19.399
don't allow common pins, detect and[br]prevent brute force attempts, don't
0:31:19.399,0:31:23.619
process multiple pins at once.[br]Recommendations for you which, is in the
0:31:23.619,0:31:28.389
end, very important here. Disable the[br]voice mail if you don't use it. I found
0:31:28.389,0:31:31.760
though that some carriers you're still[br]through the backdoor voicemail numbers you
0:31:31.760,0:31:37.330
are unable to activate it again. So kind[br]of sucks. So I guess use the longest
0:31:37.330,0:31:41.649
possible random pin. Don't provide phone[br]numbers to online services unless
0:31:41.649,0:31:45.680
required, or is the only way to get 2FA.[br]2FA is more important. Use a virtual
0:31:45.680,0:31:50.250
number to prevent OSINT like a Google[br]Voice number so no one can you know learn
0:31:50.250,0:31:55.399
about your phone number digits by[br]resetting the password or do SIM swapping.
0:31:55.399,0:31:59.660
Use 2FA apps only. And I always like to[br]finish my talk with ones like that kind of
0:31:59.660,0:32:03.519
summarizes everything. Automated phone[br]calls are a common solution for password
0:32:03.519,0:32:07.129
reset, 2FA, verification, and other[br]services. These can be compromised by
0:32:07.129,0:32:11.379
leveraging old weaknesses and current[br]technology to exploit the weakest link
0:32:11.379,0:32:15.050
voicemail systems. Thank you so much.[br]Danke schön, CCC!
0:32:15.050,0:32:33.129
Applause[br]Herald Angel: Thank you, Martin. We have
0:32:33.129,0:32:37.450
time for questions, so if you have any[br]questions or if someone in the Internet
0:32:37.450,0:32:44.989
has questions just go to these[br]microphones. Where is the microphone?
0:32:44.989,0:32:50.020
You've got it. Yes. You were black and the[br]microphone too. So maybe you start and we
0:32:50.020,0:32:55.830
take the question from the Internet.[br]Q: Yes I have a question. You mentioned
0:32:55.830,0:33:02.510
that the phone needed to be offline. Would[br]a call like a sim teen's call to the phone
0:33:02.510,0:33:11.049
that it would be in what is called in[br]English - besetzt?- like occupied so let's
0:33:11.049,0:33:19.720
say I already called the victim. So the[br]caller gets, yeah, the line's occupied
0:33:19.720,0:33:21.960
that would then go to voicemail, wouldn't[br]it?
0:33:21.960,0:33:26.350
M.V.: So that's a great question. I think[br]the question is if you are on a call and
0:33:26.350,0:33:31.429
someone else calls you, so your attack[br]will be: I somehow make up a story to keep
0:33:31.429,0:33:34.980
the person on the phone call while I[br]launch other calls... that will work. I
0:33:34.980,0:33:38.850
tried that but the problem is usually to[br]force, I mean that will not be too big of
0:33:38.850,0:33:41.860
a deal I guess but it supports two calls[br]right. They will warn you all there is
0:33:41.860,0:33:45.719
another incoming call. But I guess you[br]could keep doing more. So that's what I
0:33:45.719,0:33:50.509
meant partly with a call flooding. In[br]that case what I tried was just launching
0:33:50.509,0:33:53.909
all of them at the same time. And if the[br]person picks up I don't care but it's
0:33:53.909,0:33:57.490
somewhat related to what you mentioned and[br]that's definitely possible.
0:33:57.490,0:33:59.300
Questioner: Okay. Thank you.[br]M.V.: Yeah.
0:33:59.300,0:34:03.739
Herald: Question from the internet please[br]Signal Angel: Does this work with the
0:34:03.739,0:34:07.879
phone calls that start talking[br]immediately, will the new code being
0:34:07.879,0:34:12.159
recorded then?[br]M.V.: if I understood the question
0:34:12.159,0:34:16.429
correctly it's that when the voicemail[br]picks up like basically the automated
0:34:16.429,0:34:21.230
system that spits out the code already[br]started to talk. I believe that's the
0:34:21.230,0:34:23.230
question.[br]Herald: We don't know it's from the
0:34:23.230,0:34:27.030
Internet.[br]M.V.: OK so if that is the question I
0:34:27.030,0:34:30.739
found actually that, because usually[br]greeting messages last like 15 seconds so
0:34:30.739,0:34:35.460
by the time it starts recording you[br]already finish the recording that gives
0:34:35.460,0:34:39.199
you the code, but you own the greeting[br]message so you make it as short as one
0:34:39.199,0:34:44.469
second. And I never found a problem with[br]that. You actually recorded DTMF tones for
0:34:44.469,0:34:47.729
like two seconds.[br]Herald: Ladies first let me take your
0:34:47.729,0:34:54.799
question.[br]Q: You talked about how you learned all of
0:34:54.799,0:35:07.589
that through reading e-zines. How are they[br]called, and how do I find them?
0:35:07.589,0:35:10.979
M.V: That's the best question I've ever[br]heard and it deserves an applause,
0:35:10.979,0:35:15.770
seriously. I like that because you also[br]want to learn about it. So that's that's
0:35:15.770,0:35:20.190
really fantastic. So the Phrack Web site[br]is the best resource you can get. I guess
0:35:20.190,0:35:26.730
everyone will agree here. So you just look[br]up google for phrack magazine and there is
0:35:26.730,0:35:32.040
a lot a lot of interesting stuff that we[br]can learn there still today.
0:35:32.040,0:35:36.120
Q: Are there any others?[br]M.V.: Yeah I mean you can then follow the
0:35:36.120,0:35:42.040
classic. I mean I like Twitter to get my[br]security news because it's very concise so
0:35:42.040,0:35:47.180
I kind of get like you know the 140[br]characters version.. if I'm interested
0:35:47.180,0:35:51.980
then I will read it. So I think you can[br]google for like top security people to
0:35:51.980,0:35:57.510
follow. Brian Krebs is great. It depends[br]also on your technical depth. There is
0:35:57.510,0:36:03.970
different people for that. And if not just[br]you know specialized blogs in magazines.
0:36:03.970,0:36:06.590
Q: All right. Thanks.[br]M.V.: Thank you.
0:36:06.590,0:36:10.810
Herald: And your question please.[br]Q: Hi. And so for me the solution is
0:36:10.810,0:36:14.700
obvious: I just turn off my voicemail. But[br]thinking about some relatives which are
0:36:14.700,0:36:19.170
maybe too lazy or don't really care and[br]still use two factor authentication. I was
0:36:19.170,0:36:24.450
thinking about could I easily adapt your[br]script to automatically turn off voice
0:36:24.450,0:36:37.569
boxes or generate random pins?[br]M.V.: You can automate it to turn off the pin. Like
0:36:37.569,0:36:41.600
for example on Vodafone I don't know why[br]that allows you to turn off the pin. To turn
0:36:41.600,0:36:47.430
off the voicemail... I don't... I haven't[br]tested that. I think you may have to call
0:36:47.430,0:36:51.569
the IT department but you know what. It[br]would be really great to do that. It would
0:36:51.569,0:36:55.630
be really awesome. Great question. I guess[br]if you can turn it off then you can turn
0:36:55.630,0:37:00.040
it on as well. Yeah.[br]Herald: Your question please.
0:37:00.040,0:37:03.109
Q: Did Twilio ban you or did they find out[br]what you did?
0:37:03.109,0:37:09.700
M.V.: I got some emails,[br]but they were really cool. I have to say
0:37:09.700,0:37:13.740
that. I explained to them what I was[br]coming from, I gave them my identity...
0:37:13.740,0:37:18.180
like I wasn't hiding anything. Actually I[br]had to pay quite some money and because of
0:37:18.180,0:37:21.650
all the calls that I was doing while I was[br]doing the research, so I do think hide my
0:37:21.650,0:37:27.049
identity at all. So, they did detect[br]that I was doing many calls and stuff like
0:37:27.049,0:37:31.809
that. So there is I guess at the high[br]volumes there is some detection, but
0:37:31.809,0:37:35.970
Twilio is not the only service. So again[br]you can switch between services, space it
0:37:35.970,0:37:40.330
out, change caller I.D.s, a number of[br]things.
0:37:40.330,0:37:45.549
Herald: And one more question here.[br]Q: Hi. You talked about being undetected
0:37:45.549,0:37:50.400
when making all these calls by going[br]directly to these direct access numbers.
0:37:50.400,0:37:56.030
In Germany it's very common that if[br]someone calls your voicemail you get an
0:37:56.030,0:38:00.460
SMS text even if they don't leave a[br]message. But I suspect there's some kind
0:38:00.460,0:38:05.370
of undocumented API to actually turn that[br]off through the menus. Have you looked
0:38:05.370,0:38:08.710
into that?[br]M.V.: No I haven't looked into that
0:38:08.710,0:38:14.230
specifically. The question is that usually[br]in Germany for the carriers you'll get an
0:38:14.230,0:38:18.220
SMS when you get a call. I[br]wonder... the test that I did on the
0:38:18.220,0:38:22.250
German carriers, I was getting a text if I[br]was leaving a message, not if someone was
0:38:22.250,0:38:26.420
calling there. I guess you are talking[br]about a missed call, that kind of
0:38:26.420,0:38:32.089
notification. I'm not sure about it. What[br]I do want to point out is remember that
0:38:32.089,0:38:35.609
you can do these while the person is[br]offline maybe on a long trip so you can
0:38:35.609,0:38:40.750
time it, and that will be a good probation[br]I guess to just not launch at any, you
0:38:40.750,0:38:44.300
know, at any point in time, but you can[br]just always time it, and by the time the
0:38:44.300,0:38:47.850
person gets a million text it's too late.[br]Q: Thanks.
0:38:47.850,0:38:50.189
M.V.: Yeah.[br]Herald: One more question over here
0:38:50.189,0:38:55.200
please.[br]Q: Thank you. On apple phones you can
0:38:55.200,0:39:00.540
activate with some care the, what they[br]call visual voicemail. Would that prevent
0:39:00.540,0:39:04.950
your attack to work, or..?[br]M.V.: No there is actually, I believe he
0:39:04.950,0:39:11.550
was an Australian researcher, that looked[br]into the visual voicemail and he was able
0:39:11.550,0:39:16.770
to find that in reality uses the IMAP, If[br]I remember correctly, protocol, and for
0:39:16.770,0:39:23.110
some carriers he was able to launch[br]brute force attacks because the
0:39:23.110,0:39:28.450
authentication wasn't with the same pin as[br]you get when you dial in. But he found at
0:39:28.450,0:39:34.819
least one carrier in Australia I believe[br]that was vulnerable through visual
0:39:34.819,0:39:37.930
voice mail protocol. And I check for[br]German carriers. I did that, I actually
0:39:37.930,0:39:43.010
follow the steps that he did, to see if[br]that was worth mentioned in here. I didn't
0:39:43.010,0:39:49.100
find it to be vulnerable, but that doesn't[br]mean that that's not the case.
0:39:49.100,0:39:53.750
Herald: One more last question.[br]Q: Thank you for the talk. What is your
0:39:53.750,0:39:58.090
recommendation to American carriers to[br]protect themselves against this attack?
0:39:58.090,0:40:03.460
M.V.: I put a slide there. Like for[br]me I guess the most important thing is
0:40:03.460,0:40:07.839
really look at what some German carriers[br]are doing I really like that in the recent
0:40:07.839,0:40:12.940
past where it sends it to you over SMS as[br]soon as it detects that someone dialed,
0:40:12.940,0:40:17.730
tried six times the wrong pin. I mean if[br]you have physical access to a locked
0:40:17.730,0:40:22.619
device you could claim that if someone has[br]the preview turned on the device you could
0:40:22.619,0:40:26.910
still see the pin, you know when you get[br]it so. But then it wouldn't be like a
0:40:26.910,0:40:33.900
remote attack anymore, so definitely[br]detect brute forcing and shut down. I mean
0:40:33.900,0:40:38.490
we know that with the caller I.D. is not[br]working so well for a Telecom, because I
0:40:38.490,0:40:43.440
was able to bypass it. But I know that,[br]because I did some test with HLR records
0:40:43.440,0:40:46.850
that you can actually tell the type of[br]device that it is, if it's a virtual
0:40:46.850,0:40:51.400
number. So if carriers could actually look[br]at the type of phone that is trying to
0:40:51.400,0:40:55.830
call in. I think if it's a virtual number,[br]you know, red flag. If it's not I don't
0:40:55.830,0:40:59.400
think someone is going to have... I guess[br]the government could like, you know have
0:40:59.400,0:41:05.810
3333 devices because you try one pin for[br]the 10000 keyspace, you know. You try 3
0:41:05.810,0:41:10.889
pins at a time and just have 3333 SIM[br]cards and so it will come from real
0:41:10.889,0:41:15.990
devices. But then at least it will quite[br]significantly mitigate it. And then like
0:41:15.990,0:41:22.850
again like if you ban DTMF tones from the[br]greeting message that will help as well.
0:41:22.850,0:41:26.270
Herald: Thank you Martin. I have never[br]provided any telephone number to any
0:41:26.270,0:41:32.230
platform and now thanks to you I know why.[br]Warm applause for Martin Vigo please.
0:41:32.230,0:41:33.552
M.V.: Thank you
0:41:33.552,0:41:39.532
applause
0:41:39.532,0:41:45.100
35c3 postroll music
0:41:45.100,0:42:02.000
subtitles created by c3subtitles.de[br]in the year 2019. Join, and help us!