1
00:00:00,000 --> 00:00:17,790
35C3 preroll music
2
00:00:17,790 --> 00:00:25,360
Herald Angel: We start the next talk. It's
by Martin Vigo. He stands here. He is a
3
00:00:25,360 --> 00:00:32,500
product security lead and researcher and
he's responsible for mobile security,
4
00:00:32,500 --> 00:00:39,860
identity, and authentication. So he helps
people design and secure systems and
5
00:00:39,860 --> 00:00:46,710
applications. And he has worked on stuff
like breaking password managers or
6
00:00:46,710 --> 00:00:57,500
exploiting Apple's FaceTime to create a
spy... yeah, a spy program. So give him a
7
00:00:57,500 --> 00:01:09,360
warm applause for his talk.
Applause
8
00:01:09,360 --> 00:01:12,650
Martin Vigo: Thank you for joining me in
this talk. I'm super excited to be here.
9
00:01:12,650 --> 00:01:16,500
It's actually my second year at the
conference, so super super excited that
10
00:01:16,500 --> 00:01:20,490
the first year I was sitting there, and
the second year I'm sitting here. This is
11
00:01:20,490 --> 00:01:24,980
me, but an introduction was already made.
Just pointing out that this is me, 9 year
12
00:01:24,980 --> 00:01:32,640
old, with an Amstrad CPC 6128. You had
this machine before? I see only one hand?
13
00:01:32,640 --> 00:01:36,480
I think this was sold in Europe, but I was
playing here La Abadía del Crimen, which
14
00:01:36,480 --> 00:01:40,770
is the best video game ever written. If
you guys like abandonware, you should
15
00:01:40,770 --> 00:01:45,410
definitely check it out. So like any good
research we have to start by looking at
16
00:01:45,410 --> 00:01:49,860
previous art, right? We can learn a lot
from researchers that did stuff in the
17
00:01:49,860 --> 00:01:55,800
past. And in this case I went all the way
back to the 80s to understand how phreakers
18
00:01:55,800 --> 00:01:59,590
of the time, when the hacking thing
started, were doing to actually hack into
19
00:01:59,590 --> 00:02:06,110
voicemail systems. I condensed everything
I learned in five different paragraphs of
20
00:02:06,110 --> 00:02:11,670
five different essences, that I actually
got from the Phrack website, which is an amazing
21
00:02:11,670 --> 00:02:16,870
resource. So, here from the Hacking
Telephone Answering Machines, the
22
00:02:16,870 --> 00:02:20,840
paragraph that I extracted was that "You
can just enter all 2-digit combinations
23
00:02:20,840 --> 00:02:25,240
until you get the right one", "A more
sophisticated and fast way to do this is
24
00:02:25,240 --> 00:02:29,200
to take advantage of the fact that such
machines typically do not read two numbers
25
00:02:29,200 --> 00:02:33,330
at a time, and discard them, but just look
for the correct sequence". What is this
26
00:02:33,330 --> 00:02:41,650
about? In older voicemail systems if you
will enter like 1234 for the 2-digit PIN,
27
00:02:41,650 --> 00:02:47,770
it will not process 12 and 34 to verify
the PIN, but it will also process 23,
28
00:02:47,770 --> 00:02:52,280
which is very interesting. In fact, in
Hacking AT&T Answering Machines, again,
29
00:02:52,280 --> 00:02:56,960
this is amazing from the 90s or 80s, we
actually get the correct sequence to cover
30
00:02:56,960 --> 00:03:01,230
the entire 2-digit key space. So, if you
enter all these, you are basically brute
31
00:03:01,230 --> 00:03:05,770
forcing the entire key space, without
having to enter in the entire thing that
32
00:03:05,770 --> 00:03:11,541
covers it. I also learned, from A Tutorial
of Aspen Voice Mailbox Systems, that in
33
00:03:11,541 --> 00:03:16,319
the 80s there were default passwords.
Surprise, surprise! But also that as
34
00:03:16,319 --> 00:03:21,660
humans, we actually have patterns when we
choose PINs. And so we have the classics:
35
00:03:21,660 --> 00:03:28,230
1111, 9999, 1234. And another thing that I
learned in Hacking Answering Machines in
36
00:03:28,230 --> 00:03:32,700
the 90s, was that "There is also the old
'change the message' secret to make it say
37
00:03:32,700 --> 00:03:36,970
something to the effect of this line
accepts all toll charges so you can bill
38
00:03:36,970 --> 00:03:41,849
third party calls to that number". This is
basically a trick used by inmates to get
39
00:03:41,849 --> 00:03:46,160
free calls. Basically, they would record
in the voicemail a greeting message "yes,
40
00:03:46,160 --> 00:03:49,750
yes, yes", so when the automated system
comes in and asks "Do you want to accept
41
00:03:49,750 --> 00:03:53,890
the toll charges from the call from the
penitentiary?", it will go and they will be
42
00:03:53,890 --> 00:03:59,940
able to do free calls. So, condensing
everything and summarizing what I
43
00:03:59,940 --> 00:04:04,350
learned from looking at what previous
hackers did in the 80s: we know that the
44
00:04:04,350 --> 00:04:08,780
voicemail system security looked like...
there were default PINs, there were common
45
00:04:08,780 --> 00:04:12,650
PINs, there were bruteforceable PINs, there
was efficient bruteforcing because we can
46
00:04:12,650 --> 00:04:16,779
enter multiple PINs at the same time, that
the greeting message is actually an attack
47
00:04:16,779 --> 00:04:21,470
vector. So let's play a game. Let's do
checklist and let's look at the voicemail
48
00:04:21,470 --> 00:04:26,970
security today. So, I looked at the
American carriers because I live in the
49
00:04:26,970 --> 00:04:32,340
US, but because I was invited to talk in
Germany, I took some friends to give me
50
00:04:32,340 --> 00:04:37,190
some SIM cards and I actually wanted to
put about German carriers as well. So,
51
00:04:37,190 --> 00:04:41,490
checklist time, default PINs: all American
carriers do have default PINs and
52
00:04:41,490 --> 00:04:45,940
unfortunately they are really not a secret
because most of them are actually the last
53
00:04:45,940 --> 00:04:51,060
digits of your phone number. When it comes
to German carriers it's actually a much
54
00:04:51,060 --> 00:04:54,840
better state, for example Vodafone it's
the last 4 digits of the client number
55
00:04:54,840 --> 00:04:59,530
which you don't know. I mean, you know as
the customer, not others, it's a secret.
56
00:04:59,530 --> 00:05:03,650
Or if it comes to the CallYa, that is the
card that I got, it's the last 4 digits of
57
00:05:03,650 --> 00:05:07,440
the PUK. For Telekom it's the last 4
digits of the card number, which is the
58
00:05:07,440 --> 00:05:11,590
card you get with the SIM card. For O2,
unfortunately, there is a default PIN,
59
00:05:11,590 --> 00:05:18,440
which is 8705, which is the only PIN you
can't set, when you choose to set one.
60
00:05:18,440 --> 00:05:23,680
Yeah. So, voicemail security today when it
comes to common PINs: according to like a
61
00:05:23,680 --> 00:05:28,180
fantastic research from Data Genetics,
this is actually about people choosing
62
00:05:28,180 --> 00:05:33,530
PINs for their credit cards, but there was
a lot of conclusions that I learned from
63
00:05:33,530 --> 00:05:38,500
this research and basically, to summarize
the most important regarding this work, is
64
00:05:38,500 --> 00:05:44,940
that for example by trying the top 20 most
common PINs, you have a 22 percent chance
65
00:05:44,940 --> 00:05:50,060
of getting the right one. What this means
in other words is for every fourth victim
66
00:05:50,060 --> 00:05:53,990
that I tried to brute force the PIN from
their voicemail system, I will get it
67
00:05:53,990 --> 00:05:58,290
right every fourth person. There are other
conclusions that are very interesting
68
00:05:58,290 --> 00:06:08,660
like, the PINs mostly start by 19. Who has
an idea why is that? Birth year, right? Is
69
00:06:08,660 --> 00:06:13,819
very common to set as your birth year.
Most of us were born in the 20th
70
00:06:13,819 --> 00:06:20,440
century... to set it as a PIN.
Bruteforceable PINs. Same thing in Germany
71
00:06:20,440 --> 00:06:24,650
and in the US, it accepts 4-digit PINs
which, we will see later, is just not
72
00:06:24,650 --> 00:06:29,970
enough key space. Efficient bruteforcing
all the carriers accept concatenation of
73
00:06:29,970 --> 00:06:34,880
payload. So, in this case I use it to try
different PINs and I don't even have to
74
00:06:34,880 --> 00:06:38,919
wait for error messages. I just use the
pound as kind of like an enter in a
75
00:06:38,919 --> 00:06:43,270
voicemail system and I can try three PINs
at a time. Usually carriers will hang up
76
00:06:43,270 --> 00:06:46,710
when you enter three PINs wrong, for
security purposes, but we will take
77
00:06:46,710 --> 00:06:52,289
advantage of that. So with everything that
I learned from the 80s, I verified that it
78
00:06:52,289 --> 00:06:56,711
was still a problem today. I decided to
write a tool that allows you to brute
79
00:06:56,711 --> 00:07:01,970
force voicemail system fast, cheap,
easily, efficiently, and undetected. So,
80
00:07:01,970 --> 00:07:08,179
fast: I used Twilio... who is familiar
with Twilio here? Some of you? So a Twilio
81
00:07:08,179 --> 00:07:11,950
is basically an online services that
allows you to programmatically interact
82
00:07:11,950 --> 00:07:15,410
with phone calls. You can make phone
calls, interact with them, and all that.
83
00:07:15,410 --> 00:07:18,780
So I use it to launch hundreds and
hundreds of calls at the same time in
84
00:07:18,780 --> 00:07:24,150
order to brute force PINs. It's cheap! The
entire 4-digit keyspace costs 40 dollars.
85
00:07:24,150 --> 00:07:29,490
So if I want to have a 100 percent chance
of getting your 4-digit PIN, I only have
86
00:07:29,490 --> 00:07:33,460
to pay 40 bucks. A 50 percent chance,
according to the research from Data
87
00:07:33,460 --> 00:07:37,370
Genetics, it will cost me five dollars. So
once every two victims, I will get the
88
00:07:37,370 --> 00:07:41,490
PIN. Actually, if I want to take a
different approach and instead of just
89
00:07:41,490 --> 00:07:46,620
trying to brute force only yours, I want
to brute force the PIN from everyone here,
90
00:07:46,620 --> 00:07:50,620
according to Data Genetics, and in this
case, according to the fact that that is
91
00:07:50,620 --> 00:07:54,570
default PINs... I'm not going to ask how
many of you have O2, now that they know
92
00:07:54,570 --> 00:07:58,490
that there is a default PIN to their
voicemail system. It will be more
93
00:07:58,490 --> 00:08:03,320
interesting to actually try a thousand
phone numbers for that default PIN for O2
94
00:08:03,320 --> 00:08:08,410
customers, only for 13 dollars. It's easy:
fully automated, the tool does everything
95
00:08:08,410 --> 00:08:11,770
for you, you just have to provide the
victim number, the carrier, and couple
96
00:08:11,770 --> 00:08:16,091
other parameters and it's efficient! It
optimizes brute forcing, I use the
97
00:08:16,091 --> 00:08:20,910
research from Data Genetics to favor the
PINs that are most common, and obviously
98
00:08:20,910 --> 00:08:25,350
it tries different PINs and all that
stuff. But the most important here is
99
00:08:25,350 --> 00:08:28,750
detection, because think about it. In
order for me to interact with your
100
00:08:28,750 --> 00:08:33,049
voicemail system I need to call you and
you cannot pick up, because if not, it
101
00:08:33,049 --> 00:08:36,539
doesn't go to the voicemail system. So I
was trying to find ways, because I need
102
00:08:36,539 --> 00:08:41,938
to, in the end, make a lot of calls,
trying different PINs. How can I interact
103
00:08:41,938 --> 00:08:46,100
directly with your voicemail? I try call
flooding like basically doing three calls
104
00:08:46,100 --> 00:08:49,810
at a time, because the line gets flooded
just with three calls, it goes directly to
105
00:08:49,810 --> 00:08:54,220
the voicemail, but it wasn't very
reliable. You can use OSINT techniques, a
106
00:08:54,220 --> 00:08:57,290
lot of people like to tweet that they,
you know, they go on a trip, they are
107
00:08:57,290 --> 00:09:01,980
about to board a plane, so it goes into
airplane mode, or you go in a remote area,
108
00:09:01,980 --> 00:09:06,850
or you are in a movie theater, or at night
you put in Do Not Disturb. Those are all
109
00:09:06,850 --> 00:09:12,300
situations in which calls go directly to
the voicemail. You can use HLR database to
110
00:09:12,300 --> 00:09:17,529
find out if mobile devices are
disconnected or the SIM cards have been
111
00:09:17,529 --> 00:09:21,720
discarded, but they are still assigned to
an account. And you can use online
112
00:09:21,720 --> 00:09:25,800
services like realphonevalidation.com
which I actually reached out and they
113
00:09:25,800 --> 00:09:30,300
provide services that allow you to know if
a phone is actually connected to a tower
114
00:09:30,300 --> 00:09:34,870
at the moment, so it's basically
available, so you could use that too. You
115
00:09:34,870 --> 00:09:40,509
can also use class 0 SMS, which gives you
feedback. It's basically a type of SMS
116
00:09:40,509 --> 00:09:45,570
that will... it has more priority and will
basically display on the screen and you'll
117
00:09:45,570 --> 00:09:49,519
get the feedback if it was displayed. So,
that's a nice trick to find out if the
118
00:09:49,519 --> 00:09:55,259
phone actually connected to a tower. But
in reality, I wanted a bullet proof way to
119
00:09:55,259 --> 00:09:59,480
do this and in the U.S. I found that there
is this concept of backdoor voicemail systems.
120
00:09:59,480 --> 00:10:03,019
So instead of me calling you, I'm going to
call one of these services that you guys
121
00:10:03,019 --> 00:10:08,129
have listed here for every carrier and
there I enter the number, in this case the
122
00:10:08,129 --> 00:10:11,769
number of the victim from the voicemail I
want to interact to. And of course it
123
00:10:11,769 --> 00:10:16,069
allows you to access the login
prompt. Actually in Germany I find it
124
00:10:16,069 --> 00:10:19,740
interesting that you guys have it as a
service, because in the US it's more a
125
00:10:19,740 --> 00:10:24,589
secret that I had to find using Google,
but here... Basically if I dial your phone
126
00:10:24,589 --> 00:10:28,029
number and when it comes to Vodafone
between the area code and the rest of the
127
00:10:28,029 --> 00:10:33,889
number I put 55, or for Telekom 13, or for
O2 33, I directly go to the voicemail, it
128
00:10:33,889 --> 00:10:37,469
won't ring your phone. So I can use that.
Who was aware of this, that is from
129
00:10:37,469 --> 00:10:42,439
Germany? OK, many of you. So that's what I
thought. Like here it's not really like
130
00:10:42,439 --> 00:10:46,569
something you guys care too much about. In
the U.S. it's actually used a lot for
131
00:10:46,569 --> 00:10:53,429
scammers or to leave directly voicemail
messages from spammers as well. So,
132
00:10:53,429 --> 00:10:56,809
voicemailcracker actually takes advantage
of backdoor numbers, so it allows you to
133
00:10:56,809 --> 00:11:00,119
be undetected. I don't need to call you, I
don't need to wait till you are flying, I
134
00:11:00,119 --> 00:11:04,399
can do that. And for example for the U.S.
it's great, because when I launch that
135
00:11:04,399 --> 00:11:08,549
many calls, the line gets flooded even if
you are offline. But when I use these
136
00:11:08,549 --> 00:11:14,959
backdoor voicemail systems, because they
are meant to be used by everyone, those
137
00:11:14,959 --> 00:11:19,320
don't get flooded. So I literally make
hundreds and hundreds of calls and it
138
00:11:19,320 --> 00:11:25,339
never fails. So, but you know like
carriers, or some of them, add brute
139
00:11:25,339 --> 00:11:28,799
force protections, right? So that you
can't actually launch brute forcing
140
00:11:28,799 --> 00:11:32,929
attacks. And I looked at the German
carriers and for example Vodafone, I saw
141
00:11:32,929 --> 00:11:37,619
that it resets the 6 digit PIN and sends
it over SMS. So, I guess I can flood your
142
00:11:37,619 --> 00:11:41,260
phone with text but who cares, that's not
a big deal, but I think it's actually a
143
00:11:41,260 --> 00:11:45,709
pretty effective measure against
voicemail... against brute forcing.
144
00:11:45,709 --> 00:11:48,660
Telekom blocks the Caller ID from
accessing the mailbox or even leaving
145
00:11:48,660 --> 00:11:53,220
messages. I tried and after six times that
it's wrong every time, I call it says
146
00:11:53,220 --> 00:11:56,949
"Hey, you can't do anything", and it hangs
up. And for O2 it connects directly to the
147
00:11:56,949 --> 00:12:01,059
customer help-line, but someone started
talking German and my German is not that
148
00:12:01,059 --> 00:12:08,410
good. So, brute force, I wanted to be able
to bypass this, right? And so if you look
149
00:12:08,410 --> 00:12:12,869
at Telekom I mentioned that it blocks the
caller I.D. but it turns out that Twilio
150
00:12:12,869 --> 00:12:16,959
you can actually buy caller IDs you can,
well, you can buy phone numbers, right?
151
00:12:16,959 --> 00:12:22,509
and they are really cheap. So it's very
easy for me to do randomization of caller
152
00:12:22,509 --> 00:12:28,329
I.D.s for very very cheap and bypass
Telekom's brute force protection. So
153
00:12:28,329 --> 00:12:33,009
voicemailcracker also supports that. It
supports caller ID randomization. So let's
154
00:12:33,009 --> 00:12:38,490
make the first demo. So as you can see
here on the left is the victim's mobile
155
00:12:38,490 --> 00:12:43,789
device, and on the right is the tool. And
in this case I'm going to use the brute
156
00:12:43,789 --> 00:12:47,509
force option. The brute force option
allows me to basically brute force the
157
00:12:47,509 --> 00:12:51,940
PIN. It makes hundreds of calls as I
explained and I'll try to guess it. And
158
00:12:51,940 --> 00:12:55,070
there is a number of parameters like the
victim number, the carrier... the carrier
159
00:12:55,070 --> 00:12:58,990
is important because they put their
specific payloads for every single carrier
160
00:12:58,990 --> 00:13:03,589
because all the voicemail systems are
different, how you interact with them, and
161
00:13:03,589 --> 00:13:06,869
in this case I'm using a backdoor number
because it's more efficient. And then
162
00:13:06,869 --> 00:13:11,109
there is no detection. And in this case I
used the option of top PIN. So this is
163
00:13:11,109 --> 00:13:17,499
basically trying the top 20 PINs according
to the research for four digits. So as you
164
00:13:17,499 --> 00:13:21,639
can see it's trying actually three PINs at
a time as I mentioned before rather than
165
00:13:21,639 --> 00:13:26,959
one. So we have to do a third of the
calls, right? And how do you
166
00:13:26,959 --> 00:13:34,390
think I'm detecting if the PIN was
correct or not? Any ideas?
167
00:13:34,390 --> 00:13:40,170
Unintelligible suggestion from audience
M.V.: OK. So the disconnect and hang up.
168
00:13:40,170 --> 00:13:43,879
That's what I heard. And that's exactly
right. If you think about it I can look at
169
00:13:43,879 --> 00:13:48,170
the call duration because when I tried
three PINs and it hangs up it's always the
170
00:13:48,170 --> 00:13:54,379
same call duration. For T-Mobile in this
case it's like 18 seconds. So I instruct
171
00:13:54,379 --> 00:13:58,110
Twilio to after dialing and putting the
payload to interact with the voicemail
172
00:13:58,110 --> 00:14:03,109
system trying the PINs to wait 10 extra
seconds. So all I got to do, I don't need
173
00:14:03,109 --> 00:14:07,509
any sound processing to try to guess what
the voicemail voice is telling me if it's
174
00:14:07,509 --> 00:14:11,069
correct or not. I just use the call
duration. So if the call duration is ten
175
00:14:11,069 --> 00:14:15,549
times longer then I know that's the right
PIN because it logged in. So as
176
00:14:15,549 --> 00:14:19,239
you can see it found out one of those
three is actually the correct one: in this
177
00:14:19,239 --> 00:14:24,649
case it's 1983. So in order to give you
the exact one because at that time it
178
00:14:24,649 --> 00:14:29,389
tried the three of them, now it's trying
one by one and it may look like it's
179
00:14:29,389 --> 00:14:35,350
taking longer than it should for only 20
PINs but remember failing PINs is very
180
00:14:35,350 --> 00:14:38,989
very quick. It's just that because in the
top 20 it found already the right PIN it
181
00:14:38,989 --> 00:14:46,219
takes longer than it should, and there you
go. We got that it's 1983. Awesome. So
182
00:14:46,219 --> 00:14:50,410
what is the impact really why am I here
talking to you at CCC that has such
183
00:14:50,410 --> 00:14:55,560
amazing talks, right? And this is really
the thing about this. No one cares about
184
00:14:55,560 --> 00:15:00,720
the voicemail. Probably if I ask here, who
knows his own voicemail PIN?
185
00:15:00,720 --> 00:15:05,329
laughter
M.V.: Nice. That's what I was expecting.
186
00:15:05,329 --> 00:15:09,869
Probably less hands here. So some of them
are lying but that's the thing, right? We
187
00:15:09,869 --> 00:15:13,910
don't care about the voicemail. We don't
even use it, which is the crazy thing
188
00:15:13,910 --> 00:15:18,309
here. We have an open door for
discussing an issue that we don't even
189
00:15:18,309 --> 00:15:23,290
know about or we don't even remember. So
many people are not familiar with the fact
190
00:15:23,290 --> 00:15:27,869
that you can reset passwords over a phone
call. We are familiar with resetting
191
00:15:27,869 --> 00:15:32,699
passwords over e-mail. You get a unique
link maybe over SMS you get a code that
192
00:15:32,699 --> 00:15:36,809
that you then have to enter in the UI.
But a lot of people cannot receive SMS, or
193
00:15:36,809 --> 00:15:41,990
that's what services claim. So they allow
you to provide that temporary code over a
194
00:15:41,990 --> 00:15:46,559
phone call, and that's exactly what we
take advantage of, because I ask you
195
00:15:46,559 --> 00:15:50,909
what happens if you don't pick up the
phone if basically I go to a service,
196
00:15:50,909 --> 00:15:55,209
enter your e-mail or your phone number and
reset a password, and everyone can do
197
00:15:55,209 --> 00:16:01,989
that. Anyone can reset it, initiate the
reset password process, and I know that
198
00:16:01,989 --> 00:16:05,709
you are not going to pick up the phone. I
know that thanks to my tool I got access
199
00:16:05,709 --> 00:16:09,759
to your voicemail system. So basically the
voicemail system will pick up the call and
200
00:16:09,759 --> 00:16:15,309
it will start recording, so it will record
the voice spelling out the code that I
201
00:16:15,309 --> 00:16:22,569
need to basically reset your account and
get access to it. So -- oops! -- and I
202
00:16:22,569 --> 00:16:26,570
press play here.
Static
203
00:16:26,570 --> 00:16:31,319
M.V.: Okay, so, what does the attack
vector look like? You brute force the
204
00:16:31,319 --> 00:16:35,799
voicemail system using the tool ideally
using backdoor numbers. For that
205
00:16:35,799 --> 00:16:38,779
particular call -- that is, the call that
the victim will receive once you initiate
206
00:16:38,779 --> 00:16:42,369
the password reset -- that one it cannot
go through the backdoor number, right?,
207
00:16:42,369 --> 00:16:45,849
because it's gonna-- PayPal is gonna
directly call the victim. So for that one
208
00:16:45,849 --> 00:16:50,149
you need to make sure that the victim is
not connected to a tower through all the
209
00:16:50,149 --> 00:16:53,979
methods that I showed before. You start
the password reset process using the
210
00:16:53,979 --> 00:16:57,799
economy feature. You listen to the
recorded message, secret code and profit.
211
00:16:57,799 --> 00:17:01,679
You hijacked that account, and
Voicemailcracker can do all that for you.
212
00:17:01,679 --> 00:17:09,549
Let's compromise WhatsApp. So on the left
you see my number, right?, with a secret
213
00:17:09,549 --> 00:17:13,939
lover group, and a secret group, and all
that stuff. On the right notice that I'm
214
00:17:13,939 --> 00:17:19,709
not even using an actual device. It's an
Android emulator that I installed, an APK.
215
00:17:19,709 --> 00:17:23,809
And there is some sound to this, and you
are gonna see -- so again on your left
216
00:17:23,809 --> 00:17:27,898
it's the victim's number. On the right is
an emulator of the attacker. So you'll see
217
00:17:27,898 --> 00:17:33,919
that I'm going to use my tool with the
message payload, with the message option.
218
00:17:33,919 --> 00:17:38,520
So in this case what I'm doing is I'm
setting the victim's phone to airplane
219
00:17:38,520 --> 00:17:43,880
mode, simulating that it's now offline for
some reason, and I detected that. So if
220
00:17:43,880 --> 00:17:50,680
you see, WhatsApp sends you a text
to actually register as a WhatsApp user,
221
00:17:50,680 --> 00:17:54,880
but if you don't reply in a minute it
allows you-- it gives you an option to
222
00:17:54,880 --> 00:17:59,430
call, to call me, right? And that's
exactly what I click. So now WhatsApp is
223
00:17:59,430 --> 00:18:04,080
basically calling the victim which is
again in airplane mode, because he went on
224
00:18:04,080 --> 00:18:08,600
a remote trip or on a plane, and so I'm
using Voicemailcracker with the option
225
00:18:08,600 --> 00:18:14,059
"message" to automatically retrieve that
newest message. So the tool is gonna
226
00:18:14,059 --> 00:18:17,589
provide me as you can see the last option
is the PIN, because I brute forced it
227
00:18:17,589 --> 00:18:21,960
before. So it's going to give me a URL
with the recording of the newest message,
228
00:18:21,960 --> 00:18:29,529
which, hopefully -- it's a recorded demo
-- hopefully contains actually the code.
229
00:18:29,529 --> 00:18:46,079
So let's see... I got the URL.
Phone alert sound
230
00:18:46,079 --> 00:18:48,760
Computerized phone voice: New Message! --
M.V.: It's interacting with the voicemail
231
00:18:48,760 --> 00:18:50,550
system right now.
Phone voice: -- your verification code is:
232
00:18:50,550 --> 00:19:01,440
3 6 5 9 1 5. Your verification code is: 3
6 5 9 1 5. Your ver--
233
00:19:01,440 --> 00:19:06,059
M.V.: And that simple. We just hijacked
that person's WhatsApp, and I -- here I'm
234
00:19:06,059 --> 00:19:08,819
fast forwarding just to show you--
Applause
235
00:19:08,819 --> 00:19:18,760
M.V.: --that you get actually that. Thank
you. I do want to point out that WhatsApp
236
00:19:18,760 --> 00:19:21,841
is super secure, it like-- end to end
encryption all that -- and there is a
237
00:19:21,841 --> 00:19:25,179
number of things by which you can notice this
attack. For example you wouldn't be able
238
00:19:25,179 --> 00:19:28,690
to see the previous messages that were
there but you can just hold on and ask
239
00:19:28,690 --> 00:19:32,910
people, right? The groups will pop up. So
you hijacked that WhatsApp account. There
240
00:19:32,910 --> 00:19:37,559
is also fingerprinting. But who really
pays attention to the fingerprinting when
241
00:19:37,559 --> 00:19:43,440
someone changes the device, right? So are
we done? Not yet. Because the truth is,
242
00:19:43,440 --> 00:19:48,029
some researchers talked about this in the
past then and actually services tried to
243
00:19:48,029 --> 00:19:52,159
slowly pick up. So that is actually
something that I found in several
244
00:19:52,159 --> 00:19:56,710
services. That is what I call the user
interaction based protection. So when you
245
00:19:56,710 --> 00:20:01,060
received that phone call that provides you
with the temporary code in reality it's
246
00:20:01,060 --> 00:20:04,700
not giving it away. You have to press a
key. It comes in three different flavors
247
00:20:04,700 --> 00:20:08,530
from what I found from my tests. Please
press any key to hear the code, so when
248
00:20:08,530 --> 00:20:11,679
you get the call, you have to press, and
then it will tell you the code; please
249
00:20:11,679 --> 00:20:15,950
press a random key so specifically please
press 1, please press 2, or please enter
250
00:20:15,950 --> 00:20:20,090
the code. PayPal does that, and instead of
you having to press a key to hear the code
251
00:20:20,090 --> 00:20:24,289
when you reset the password you will see a
four-digit code that you have to enter
252
00:20:24,289 --> 00:20:29,140
when you receive the call and then it will
reset the password. So I'm going to get
253
00:20:29,140 --> 00:20:33,680
the help from all of you guys. Can we beat
this currently recommended protection, what
254
00:20:33,680 --> 00:20:37,920
is nowadays recommended to prevent these
kinds of attacks? And we're going to play a
255
00:20:37,920 --> 00:20:44,590
game. I'm going to give you two hints.
This is the first one. So, you probably
256
00:20:44,590 --> 00:20:48,510
guys are familiar with this, but Captain
Crunch. Again we go back to the day, we
257
00:20:48,510 --> 00:20:54,509
can learn so much from them. He used this to
generate specific sounds at a specific
258
00:20:54,509 --> 00:20:58,169
frequency to basically -- you can go and
read it -- to get free international
259
00:20:58,169 --> 00:21:02,549
calls. So he will create that sound and
the system will process it on the
260
00:21:02,549 --> 00:21:07,430
line. And the second one is that I
cheated. When we did the checklist, I
261
00:21:07,430 --> 00:21:11,750
actually skipped one, which was the
greeting message is an attack vector. So I
262
00:21:11,750 --> 00:21:16,549
ask you guys how can we bypass the
protection that requires user interaction
263
00:21:16,549 --> 00:21:20,129
in order to get the code recorded on the
voicemail system?
264
00:21:20,129 --> 00:21:26,269
Inaudible suggestion from audience
M.V.: What was that?... Exactly. Record
265
00:21:26,269 --> 00:21:31,470
DTMF tones as the greeting message. We own
the voicemail system so we can alter the
266
00:21:31,470 --> 00:21:36,729
greeting message. So this is exactly how
it works: We just alter the greeting
267
00:21:36,729 --> 00:21:42,260
message we call the DTMF that the system
is expecting and it works every single
268
00:21:42,260 --> 00:21:48,039
time. The best thing of this is what
really is so awesome about all of us
269
00:21:48,039 --> 00:21:52,169
that really care about technology. We want
to have a deep understanding because when
270
00:21:52,169 --> 00:21:57,049
I was asking people when, you know, I
wanted to show them this, I was asking them
271
00:21:57,049 --> 00:22:01,480
how does this protection really work. And
they will say well you have to press a key
272
00:22:01,480 --> 00:22:05,789
and then you know it will give you the
code. But that's not really true. What
273
00:22:05,789 --> 00:22:09,490
you have to do is to provide a
specific sound that the system is
274
00:22:09,490 --> 00:22:13,990
expecting. That is different than saying
you have to press a key, because if you
275
00:22:13,990 --> 00:22:18,520
say I have to press a key that requires
physical access. If you say I have to
276
00:22:18,520 --> 00:22:22,460
provide a sound, now we know it doesn't
require physical access. That is why
277
00:22:22,460 --> 00:22:26,490
hackers are so cool, because we really
want to understand what is happening
278
00:22:26,490 --> 00:22:30,720
backstage, and we take advantage of that.
So how does the attack vector look like?
279
00:22:30,720 --> 00:22:34,090
Bruteforcing voicemail systems as before.
So basically we have an extra step which
280
00:22:34,090 --> 00:22:38,121
is update the greeting message according
to the account to be hacked.
281
00:22:38,121 --> 00:22:40,929
Voicemailcracker can do that for you. Let's
compromise PayPal.
282
00:22:40,929 --> 00:22:46,990
Laughter
M.V.: So on the left side you see that as
283
00:22:46,990 --> 00:22:53,330
before I brute force the PIN of the
voicemail. And in this case on the right side
284
00:22:53,330 --> 00:23:00,769
I'm going to start a password reset for
that account. So I do that and I choose
285
00:23:00,769 --> 00:23:05,799
"please call me with a temporary code".
But in this case PayPal works differently
286
00:23:05,799 --> 00:23:10,139
because it will show me a four-digit code
that I need to enter when I receive the
287
00:23:10,139 --> 00:23:15,690
call in order to reset the password. So
you see that here I'm using the greeting
288
00:23:15,690 --> 00:23:20,310
option. So the greeting is going to allow
me to enter a payload that I want to
289
00:23:20,310 --> 00:23:26,270
record as the greeting message. In this
case it is 6 3 5 3. So I may be very
290
00:23:26,270 --> 00:23:31,500
verbose for this demo. There you see
the last option, "use PayPal code", and I
291
00:23:31,500 --> 00:23:36,989
enter 6 3 5 3. Now the tool is going to
use the pin to log into the voicemail
292
00:23:36,989 --> 00:23:42,350
system, interact with it, change the
greeting message, record the DTMF tones
293
00:23:42,350 --> 00:23:50,759
according to 6 3 5 3 and then it should be
able to fool the call. In this case I'm
294
00:23:50,759 --> 00:23:55,860
asking to call again, because it didn't
have enough time to do that. And in 3 2 1
295
00:23:55,860 --> 00:24:00,690
we should get that we actually compromised
PayPal's account, and there we go. We can
296
00:24:00,690 --> 00:24:05,200
now set our own password.
Applause
297
00:24:05,200 --> 00:24:14,580
M.V.: Thank you. So, I showed you some
vulnerable servers. Let's go very quick
298
00:24:14,580 --> 00:24:19,240
about it because I'm concerned I'm
running out of time. So, I'm just
299
00:24:19,240 --> 00:24:23,490
mentioning Alexa top 100 types of
services, no favoring anything, but... so
300
00:24:23,490 --> 00:24:27,610
for password reset that supports over
phone call: PayPal, Instagram-- no,
301
00:24:27,610 --> 00:24:35,059
Snapchat-- Netflix, eBay, LinkedIn. I'm
still on Facebook. What can I say? 2FA for
302
00:24:35,059 --> 00:24:38,279
all the major ones, so 2FA over phone
call for Apple, Google, Microsoft,
303
00:24:38,279 --> 00:24:42,289
Yahoo... Verification: So basically you
don't register with a username and
304
00:24:42,289 --> 00:24:47,020
password on WhatsApp or Signal, you
actually use directly the phone number,
305
00:24:47,020 --> 00:24:50,790
right? As we saw before and you register
through a phone call or SMS. So you can
306
00:24:50,790 --> 00:24:54,710
compromise this too. Twilio, the very
service that I use for this, is actually
307
00:24:54,710 --> 00:25:00,519
really cool because you can own a caller
I.D. by verifying it by getting a phone
308
00:25:00,519 --> 00:25:05,460
call so I can actually own your caller ID
and make calls on your behalf, send texts,
309
00:25:05,460 --> 00:25:10,039
and all this legitimately, right?,
because you've pressed one. Google Voice,
310
00:25:10,039 --> 00:25:13,289
it's actually another interesting service
because it's used a lot by scammers,
311
00:25:13,289 --> 00:25:17,009
right? And this is the same thing: you
have to verify ownership so you can do
312
00:25:17,009 --> 00:25:21,549
those phone calls and you can fool it as
well with this, but I found I was looking
313
00:25:21,549 --> 00:25:24,730
like what other services really take
advantage of this? And this is super
314
00:25:24,730 --> 00:25:30,789
common in San Francisco, where I live. You
can buzz in people like when they want to
315
00:25:30,789 --> 00:25:35,279
enter, right?, they enter your house
number, and then your phone rings and you
316
00:25:35,279 --> 00:25:39,449
press any key to open the door. So we are
talking about physical security now. And
317
00:25:39,449 --> 00:25:44,019
I've seen this in offices as well. They
all work this way, basically because they
318
00:25:44,019 --> 00:25:47,769
want to be able -- for tenants, that you
know, come and go -- be able to switch
319
00:25:47,769 --> 00:25:52,620
that very quickly. So it works just
through the phone that you buzz people in.
320
00:25:52,620 --> 00:25:56,710
But my favorite is consent, because when
we think about consent we think about
321
00:25:56,710 --> 00:26:00,779
lawyers and we think about signing papers
and we think about all of these difficult
322
00:26:00,779 --> 00:26:07,799
things. And I found out about this
Location Smart service that is not anymore
323
00:26:07,799 --> 00:26:15,190
there and you will see why... But this was
recently in the news because, basically
324
00:26:15,190 --> 00:26:19,690
Brian Krebs wrote a really great article
about it. But I'm going to let you hear
325
00:26:19,690 --> 00:26:23,389
from their YouTube channel, how Location
Smart works.
326
00:26:23,389 --> 00:26:30,380
LS vid speaker 1: The screen that you're
showing, that you're seeing right now is a
327
00:26:30,380 --> 00:26:36,800
demo that we have on our Web site it's at
location smart.com/pride, and I've entered
328
00:26:36,800 --> 00:26:43,190
my name, my email, my mobile phone number,
and it's again going to get my permission
329
00:26:43,190 --> 00:26:48,470
by calling my phone, and then it'll
locate. So let's go ahead and, I clicked
330
00:26:48,470 --> 00:26:55,100
the box to say yes I agree, click the
locate, and the screen now shows that it's
331
00:26:55,100 --> 00:26:58,170
going to call my device to get my
permission.
332
00:26:58,170 --> 00:27:03,680
vid speaker's phone vibrates, sounds like an airhorn in video
LS vid speaker 2: Heh, that's a nice ring
333
00:27:03,680 --> 00:27:05,610
tone --
M.V.: No, it's not--
334
00:27:05,610 --> 00:27:09,620
LS vid speaker 1's phone: To log into
Location Smart Services, press 1 or say
335
00:27:09,620 --> 00:27:16,870
'Yes'. To repeat, press 2 or say 'Repeat'.
LS vid speaker 1: Yes
336
00:27:16,870 --> 00:27:21,809
Phone: Congratulations. You have been
opted in to Location Smart Services.
337
00:27:21,809 --> 00:27:23,419
Goodbye
M.V.: So as you see, this service, this
338
00:27:23,419 --> 00:27:30,091
Web site had a free demo
that allows you to put in a phone number
339
00:27:30,091 --> 00:27:33,639
-- yours, of course -- and you will get a
phone call and then you will give
340
00:27:33,639 --> 00:27:38,499
permission by pressing one. So someone
could locate you and keep tracking -- I
341
00:27:38,499 --> 00:27:47,970
mean, I checked with them -- for up to 30
days, real time. So now you know why they
342
00:27:47,970 --> 00:27:51,580
don't exist anymore!
Applause
343
00:27:51,580 --> 00:28:00,810
M.V.: Open source...
More Applause
344
00:28:00,810 --> 00:28:05,490
M.V.: Open source. So, and this was with
the permission of the carriers. This was
345
00:28:05,490 --> 00:28:11,740
not some fishy thing. This was actually a
service. So I wanted to release code,
346
00:28:11,740 --> 00:28:15,009
because I want you guys to verify that
what I mentioned is true and have code to
347
00:28:15,009 --> 00:28:20,490
hopefully help push the industry forward
to make a voice mail systems more secure,
348
00:28:20,490 --> 00:28:24,990
right? We want to push carriers to do so.
But I didn't want to provide a tool
349
00:28:24,990 --> 00:28:29,639
that works out of the box and anyone can
very easily as we saw like just start to
350
00:28:29,639 --> 00:28:32,929
bruteforce pins, especially because I saw
that there is so many people with the
351
00:28:32,929 --> 00:28:37,280
default PINs out there. So I just removed
the brute forcing, so the tool allows you
352
00:28:37,280 --> 00:28:41,220
to test it on your own. You can test, you
know, you can test the greeting message
353
00:28:41,220 --> 00:28:45,010
you can test the retrieving of messages,
compromising the services and all that. So
354
00:28:45,010 --> 00:28:48,221
the tool allows you to test on your own
device. I won't give you code to brute
355
00:28:48,221 --> 00:28:54,220
force someone else's device. And feel free
to go to my github repo. So now like all
356
00:28:54,220 --> 00:28:59,309
the talks come the recommendations, but I
know what you guys are thinking, right?
357
00:28:59,309 --> 00:29:02,509
When someone comes with all this paranoia
and stuff you still think "yeah but you
358
00:29:02,509 --> 00:29:07,080
know still like no one is gonna come after
me. I don't have anything to hide" or
359
00:29:07,080 --> 00:29:11,330
anything like that. So I wanted to give
you reasons why you should still care
360
00:29:11,330 --> 00:29:17,490
about this, and why we need to do better.
Because do carriers set default PINs? Yes,
361
00:29:17,490 --> 00:29:23,350
we saw that. Is testing for default pins
cheap, fast, undetected, and automatable?
362
00:29:23,350 --> 00:29:28,899
Yes it is. Is updating the greeting message
automatable? Yes it is. Is retrieving
363
00:29:28,899 --> 00:29:34,929
the newest message automatable? Yes it is.
Is there speech-to-text transcription, so
364
00:29:34,929 --> 00:29:39,190
that I can get the sound that I played
before with the code and get it in text?
365
00:29:39,190 --> 00:29:45,920
Yeah. Twilio gives you that as well. So
can the account compromise process be
366
00:29:45,920 --> 00:29:49,640
automatable? Of course you can use
selenium if you want to automate the UI.
367
00:29:49,640 --> 00:29:55,549
Or you can use a Web proxy and look at the
APIs and do it yourself. So it is only a
368
00:29:55,549 --> 00:30:00,629
matter of time that someone actually does
all these steps that I showed you step by
369
00:30:00,629 --> 00:30:05,350
step and just makes it all straight and
starts to go over phone numbers trying the
370
00:30:05,350 --> 00:30:10,389
default PINs, and just automatically
compromising services like WhatsApp like
371
00:30:10,389 --> 00:30:16,140
PayPal and all that. You can do basically,
not a worm, but, you know, you can
372
00:30:16,140 --> 00:30:20,700
compromise a lot of devices without doing
anything. Recommendations for online
373
00:30:20,700 --> 00:30:24,879
services. Don't use automated calls for
security purposes. If not possible, detect
374
00:30:24,879 --> 00:30:28,270
answering machines and fail. I mean this
is not very accurate and you can still
375
00:30:28,270 --> 00:30:33,630
trick it. Require user interaction before
providing the secret. I just showed you how
376
00:30:33,630 --> 00:30:39,630
to bypass that, but that's with hope that
carriers ban DTMF tones from the greeting
377
00:30:39,630 --> 00:30:44,370
message. I don't see why that should be
supported, right? Recommendations for
378
00:30:44,370 --> 00:30:48,119
carriers. The most important thing: Ban
DTMF tones from the greeting message,
379
00:30:48,119 --> 00:30:53,250
eliminate backdoor mobile services, or at
least give no access to the login
380
00:30:53,250 --> 00:30:57,080
prompt, right? There is no reason why you
should be able to access your voicemail
381
00:30:57,080 --> 00:31:01,710
directly to leave a message. But then I
can access the login prompt by pressing
382
00:31:01,710 --> 00:31:05,749
star. Voicemail disabled by default. This
is very important and can only be
383
00:31:05,749 --> 00:31:10,100
activated from the actual phone, or
online maybe with a special code. Oh great
384
00:31:10,100 --> 00:31:15,730
I have time for questions. No default
pins. Learn from the German carriers:
385
00:31:15,730 --> 00:31:19,399
don't allow common pins, detect and
prevent brute force attempts, don't
386
00:31:19,399 --> 00:31:23,619
process multiple pins at once.
Recommendations for you, which is, in the
387
00:31:23,619 --> 00:31:28,389
end, very important here. Disable the
voicemail if you don't use it. I found
388
00:31:28,389 --> 00:31:31,760
though that, with some carriers, through
the backdoor voicemail numbers, you
389
00:31:31,760 --> 00:31:37,330
are unable to activate it again. So kind
of sucks. So I guess use the longest
390
00:31:37,330 --> 00:31:41,649
possible random pin. Don't provide phone
numbers to online services unless
391
00:31:41,649 --> 00:31:45,680
required, or is the only way to get 2FA.
2FA is more important. Use a virtual
392
00:31:45,680 --> 00:31:50,250
number to prevent OSINT like a Google
Voice number so no one can you know learn
393
00:31:50,250 --> 00:31:55,399
about your phone number digits by
resetting the password or do SIM swapping.
394
00:31:55,399 --> 00:31:59,660
Use 2FA apps only. And I always like to
finish my talk with one slide that kind of
395
00:31:59,660 --> 00:32:03,519
summarizes everything. Automated phone
calls are a common solution for password
396
00:32:03,519 --> 00:32:07,129
reset, 2FA, verification, and other
services. These can be compromised by
397
00:32:07,129 --> 00:32:11,379
leveraging old weaknesses and current
technology to exploit the weakest link:
398
00:32:11,379 --> 00:32:15,050
voicemail systems. Thank you so much.
Dankeschön, CCC!
399
00:32:15,050 --> 00:32:33,129
Applause
Herald Angel: Thank you, Martin. We have
400
00:32:33,129 --> 00:32:37,450
time for questions, so if you have any
questions or if someone in the Internet
401
00:32:37,450 --> 00:32:44,989
has questions just go to these
microphones. Where is the microphone?
402
00:32:44,989 --> 00:32:50,020
You've got it. Yes. You were black and the
microphone too. So maybe you start and we
403
00:32:50,020 --> 00:32:55,830
take the question from the Internet.
Q: Yes I have a question. You mentioned
404
00:32:55,830 --> 00:33:02,510
that the phone needed to be offline. Would
a call, like a simultaneous call to the phone,
405
00:33:02,510 --> 00:33:11,049
so that it would be, what is it called in
English - besetzt (busy)? - like occupied, so let's
406
00:33:11,049 --> 00:33:19,720
say I already called the victim. So the
caller gets, yeah, the line's occupied
407
00:33:19,720 --> 00:33:21,960
that would then go to voicemail, wouldn't
it?
408
00:33:21,960 --> 00:33:26,350
M.V.: So that's a great question. I think
the question is if you are on a call and
409
00:33:26,350 --> 00:33:31,429
someone else calls you, so your attack
will be: I somehow make up a story to keep
410
00:33:31,429 --> 00:33:34,980
the person on the phone call while I
launch other calls... that will work. I
411
00:33:34,980 --> 00:33:38,850
tried that but the problem is usually to
force, I mean that will not be too big of
412
00:33:38,850 --> 00:33:41,860
a deal I guess but it supports two calls
right. They will warn you that there is
413
00:33:41,860 --> 00:33:45,719
another incoming call. But I guess you
could keep doing more. So that's what I
414
00:33:45,719 --> 00:33:50,509
meant partly with call flooding. In
that case what I tried was just launching
415
00:33:50,509 --> 00:33:53,909
all of them at the same time. And if the
person picks up I don't care but it's
416
00:33:53,909 --> 00:33:57,490
somewhat related to what you mentioned and
that's definitely possible.
417
00:33:57,490 --> 00:33:59,300
Questioner: Okay. Thank you.
M.V.: Yeah.
418
00:33:59,300 --> 00:34:03,739
Herald: Question from the internet please
Signal Angel: Does this work with the
419
00:34:03,739 --> 00:34:07,879
phone calls that start talking
immediately, will the new code be
420
00:34:07,879 --> 00:34:12,159
recorded then?
M.V.: If I understood the question
421
00:34:12,159 --> 00:34:16,429
correctly it's that when the voicemail
picks up like basically the automated
422
00:34:16,429 --> 00:34:21,230
system that spits out the code already
started to talk. I believe that's the
423
00:34:21,230 --> 00:34:23,230
question.
Herald: We don't know it's from the
424
00:34:23,230 --> 00:34:27,030
Internet.
M.V.: OK so if that is the question I
425
00:34:27,030 --> 00:34:30,739
found actually that, because usually
greeting messages last like 15 seconds so
426
00:34:30,739 --> 00:34:35,460
by the time it starts recording you
already finished the recording that gives
427
00:34:35,460 --> 00:34:39,199
you the code, but you own the greeting
message so you make it as short as one
428
00:34:39,199 --> 00:34:44,469
second. And I never found a problem with
that. You actually recorded DTMF tones for
429
00:34:44,469 --> 00:34:47,729
like two seconds.
Herald: Ladies first let me take your
430
00:34:47,729 --> 00:34:54,799
question.
Q: You talked about how you learned all of
431
00:34:54,799 --> 00:35:07,589
that through reading e-zines. How are they
called, and how do I find them?
432
00:35:07,589 --> 00:35:10,979
M.V.: That's the best question I've ever
heard and it deserves an applause,
433
00:35:10,979 --> 00:35:15,770
seriously. I like that because you also
want to learn about it. So that's that's
434
00:35:15,770 --> 00:35:20,190
really fantastic. So the Phrack Web site
is the best resource you can get. I guess
435
00:35:20,190 --> 00:35:26,730
everyone will agree here. So you just
Google for Phrack magazine and there is
436
00:35:26,730 --> 00:35:32,040
a lot a lot of interesting stuff that we
can learn there still today.
437
00:35:32,040 --> 00:35:36,120
Q: Are there any others?
M.V.: Yeah I mean you can then follow the
438
00:35:36,120 --> 00:35:42,040
classic. I mean I like Twitter to get my
security news because it's very concise so
439
00:35:42,040 --> 00:35:47,180
I kind of get like you know the 140
characters version.. if I'm interested
440
00:35:47,180 --> 00:35:51,980
then I will read it. So I think you can
Google for like top security people to
441
00:35:51,980 --> 00:35:57,510
follow. Brian Krebs is great. It depends
also on your technical depth. There is
442
00:35:57,510 --> 00:36:03,970
different people for that. And if not just
you know, specialized blogs and magazines.
443
00:36:03,970 --> 00:36:06,590
Q: All right. Thanks.
M.V.: Thank you.
444
00:36:06,590 --> 00:36:10,810
Herald: And your question please.
Q: Hi. And so for me the solution is
445
00:36:10,810 --> 00:36:14,700
obvious: I just turn off my voicemail. But
thinking about some relatives which are
446
00:36:14,700 --> 00:36:19,170
maybe too lazy or don't really care and
still use two factor authentication. I was
447
00:36:19,170 --> 00:36:24,450
thinking about could I easily adapt your
script to automatically turn off voice
448
00:36:24,450 --> 00:36:37,569
boxes or generate random pins?
M.V.: You can automate it to turn off the pin. Like
449
00:36:37,569 --> 00:36:41,600
for example on Vodafone I don't know why
that allows you to turn off the pin. To turn
450
00:36:41,600 --> 00:36:47,430
off the voicemail... I don't... I haven't
tested that. I think you may have to call
451
00:36:47,430 --> 00:36:51,569
the IT department but you know what. It
would be really great to do that. It would
452
00:36:51,569 --> 00:36:55,630
be really awesome. Great question. I guess
if you can turn it off then you can turn
453
00:36:55,630 --> 00:37:00,040
it on as well. Yeah.
Herald: Your question please.
454
00:37:00,040 --> 00:37:03,109
Q: Did Twilio ban you or did they find out
what you did?
455
00:37:03,109 --> 00:37:09,700
M.V.: I got some emails,
but they were really cool. I have to say
456
00:37:09,700 --> 00:37:13,740
that. I explained to them where I was
coming from, I gave them my identity...
457
00:37:13,740 --> 00:37:18,180
like I wasn't hiding anything. Actually I
had to pay quite some money and because of
458
00:37:18,180 --> 00:37:21,650
all the calls that I was doing while I was
doing the research, so I didn't hide my
459
00:37:21,650 --> 00:37:27,049
identity at all. So, they did detect
that I was doing many calls and stuff like
460
00:37:27,049 --> 00:37:31,809
that. So there is I guess at the high
volumes there is some detection, but
461
00:37:31,809 --> 00:37:35,970
Twilio is not the only service. So again
you can switch between services, space it
462
00:37:35,970 --> 00:37:40,330
out, change caller I.D.s, a number of
things.
463
00:37:40,330 --> 00:37:45,549
Herald: And one more question here.
Q: Hi. You talked about being undetected
464
00:37:45,549 --> 00:37:50,400
when making all these calls by going
directly to these direct access numbers.
465
00:37:50,400 --> 00:37:56,030
In Germany it's very common that if
someone calls your voicemail you get an
466
00:37:56,030 --> 00:38:00,460
SMS text even if they don't leave a
message. But I suspect there's some kind
467
00:38:00,460 --> 00:38:05,370
of undocumented API to actually turn that
off through the menus. Have you looked
468
00:38:05,370 --> 00:38:08,710
into that?
M.V.: No I haven't looked into that
469
00:38:08,710 --> 00:38:14,230
specifically. The question is that usually
in Germany for the carriers you'll get an
470
00:38:14,230 --> 00:38:18,220
SMS when you when you get a call. I
wonder... the test that I did on the
471
00:38:18,220 --> 00:38:22,250
German carriers, I was getting a text if I
was leaving a message, not if someone was
472
00:38:22,250 --> 00:38:26,420
calling there. I guess you are talking
about a missed call, that kind of
473
00:38:26,420 --> 00:38:32,089
notification. I'm not sure about it. What
I do want to point out is remember that a
474
00:38:32,089 --> 00:38:35,609
you can do these while the person is
offline maybe on a long trip so you can
475
00:38:35,609 --> 00:38:40,750
time it, and that will be a good precaution
I guess to just not launch at any, you
476
00:38:40,750 --> 00:38:44,300
know, at any point in time, but you can
just always time it, and by the time the
477
00:38:44,300 --> 00:38:47,850
person gets a million text it's too late.
Q: Thanks.
478
00:38:47,850 --> 00:38:50,189
M.V.: Yeah.
Herald: One more question over here
479
00:38:50,189 --> 00:38:55,200
please.
Q: Thank you. On apple phones you can
480
00:38:55,200 --> 00:39:00,540
activate, with some care, what they
call visual voicemail. Would that prevent
481
00:39:00,540 --> 00:39:04,950
your attack to work, or..?
M.V.: No there is actually, I believe he
482
00:39:04,950 --> 00:39:11,550
was an Australian researcher, that looked
into the visual voicemail and he was able
483
00:39:11,550 --> 00:39:16,770
to find that in reality it uses the IMAP
protocol, if I remember correctly, and for
484
00:39:16,770 --> 00:39:23,110
some carriers he was able to launch
brute force attacks because the
485
00:39:23,110 --> 00:39:28,450
authentication wasn't with the same pin as
you get when you dial in. But he found at
486
00:39:28,450 --> 00:39:34,819
least one carrier in Australia I believe
that was vulnerable through visual
487
00:39:34,819 --> 00:39:37,930
voicemail protocol. And I checked for
German carriers. I did that, I actually
488
00:39:37,930 --> 00:39:43,010
followed the steps that he did, to see if
that was worth mentioning here. I didn't
489
00:39:43,010 --> 00:39:49,100
find it to be vulnerable, but that doesn't
mean that that's not the case.
490
00:39:49,100 --> 00:39:53,750
Herald: One more last question.
Q: Thank you for the talk. What is your
491
00:39:53,750 --> 00:39:58,090
recommendation to American carriers to
protect themselves against this attack?
492
00:39:58,090 --> 00:40:03,460
M.V.: I put a slide there. Like for
me I guess the most important thing is
493
00:40:03,460 --> 00:40:07,839
really look at what some German carriers
are doing I really like that in the recent
494
00:40:07,839 --> 00:40:12,940
past where it sends it to you over SMS as
soon as it detects that someone dialed,
495
00:40:12,940 --> 00:40:17,730
tried six times the wrong pin. I mean if
you have physical access to a locked
496
00:40:17,730 --> 00:40:22,619
device you could claim that if someone has
the preview turned on the device you could
497
00:40:22,619 --> 00:40:26,910
still see the pin, you know when you get
it so. But then it wouldn't be like a
498
00:40:26,910 --> 00:40:33,900
remote attack anymore, so definitely
detect brute forcing and shut down. I mean
499
00:40:33,900 --> 00:40:38,490
we know that the caller I.D. is not
working so well for Telecom, because I
500
00:40:38,490 --> 00:40:43,440
was able to bypass it. But I know that,
because I did some test with HLR records
501
00:40:43,440 --> 00:40:46,850
that you can actually tell the type of
device that it is, if it's a virtual
502
00:40:46,850 --> 00:40:51,400
number. So if carriers could actually look
at the type of phone that is trying to
503
00:40:51,400 --> 00:40:55,830
call in. I think if it's a virtual number,
you know, red flag. If it's not I don't
504
00:40:55,830 --> 00:40:59,400
think someone is going to have... I guess
the government could like, you know have
505
00:40:59,400 --> 00:41:05,810
3333 devices because you try one pin for
the 10000 keyspace, you know. You try 3
506
00:41:05,810 --> 00:41:10,889
pins at a time and just have 3333 SIM
cards and so it will come from real
507
00:41:10,889 --> 00:41:15,990
devices. But then at least it will quite
significantly mitigate it. And then like
508
00:41:15,990 --> 00:41:22,850
again like if you ban DTMF tones from the
greeting message that will help as well.
509
00:41:22,850 --> 00:41:26,270
Herald: Thank you Martin. I have never
provided any telephone number to any
510
00:41:26,270 --> 00:41:32,230
platform and now thanks to you I know why.
Warm applause for Martin Vigo please.
511
00:41:32,230 --> 00:41:33,552
M.V.: Thank you
512
00:41:33,552 --> 00:41:39,532
applause
513
00:41:39,532 --> 00:41:45,100
35c3 postroll music
514
00:41:45,100 --> 00:42:02,000
subtitles created by c3subtitles.de
in the year 2019. Join, and help us!