[Script Info] Title: [Events] Format: Layer, Start, End, Style, Name, MarginL, MarginR, MarginV, Effect, Text Dialogue: 0,0:00:00.00,0:00:17.79,Default,,0000,0000,0000,,{\i1}35C3 preroll music{\i0} Dialogue: 0,0:00:17.79,0:00:25.36,Default,,0000,0000,0000,,Herald Angel: We start the next talk. It's\Nby Martin Vigo. He stands here. He is a Dialogue: 0,0:00:25.36,0:00:32.50,Default,,0000,0000,0000,,product security lead and researcher and\Nhe's responsible for mobile security, Dialogue: 0,0:00:32.50,0:00:39.86,Default,,0000,0000,0000,,identity, and authentication. So he helps\Npeople design and secure systems and Dialogue: 0,0:00:39.86,0:00:46.71,Default,,0000,0000,0000,,applications. And he has worked on stuff\Nlike breaking password managers or Dialogue: 0,0:00:46.71,0:00:57.50,Default,,0000,0000,0000,,exploiting Apple's FaceTime to create a\Nspy... yeah, a spy program. So give him a Dialogue: 0,0:00:57.50,0:01:09.36,Default,,0000,0000,0000,,warm applause for his talk.\N{\i1}Applause{\i0} Dialogue: 0,0:01:09.36,0:01:12.65,Default,,0000,0000,0000,,Martin Vigo: Thank you for joining me in\Nthis talk. I'm super excited to be here. Dialogue: 0,0:01:12.65,0:01:16.50,Default,,0000,0000,0000,,It's actually my second year at the\Nconference, so super super excited that Dialogue: 0,0:01:16.50,0:01:20.49,Default,,0000,0000,0000,,the first year I was sitting there, and\Nthe second year I'm sitting here. This is Dialogue: 0,0:01:20.49,0:01:24.98,Default,,0000,0000,0000,,me, but an introduction was already made.\NJust pointing out that this is me, 9 year Dialogue: 0,0:01:24.98,0:01:32.64,Default,,0000,0000,0000,,old, with an Amstrad CPC 6128. You had\Nthis machine before? I see only one hand? Dialogue: 0,0:01:32.64,0:01:36.48,Default,,0000,0000,0000,,I think this was sold in Europe, but I was\Nplaying here La Abadía del crímen, which Dialogue: 0,0:01:36.48,0:01:40.77,Default,,0000,0000,0000,,is the best video game ever written. 
If\Nyou guys like abandonware, you should Dialogue: 0,0:01:40.77,0:01:45.41,Default,,0000,0000,0000,,definitely check it out. So like any good\Nresearch we have to start by looking at Dialogue: 0,0:01:45.41,0:01:49.86,Default,,0000,0000,0000,,previous art, right? We can learn a lot\Nfrom researchers that did stuff in the Dialogue: 0,0:01:49.86,0:01:55.80,Default,,0000,0000,0000,,past. And in this case I went all the way\Nback to the 80s to understand how freakers Dialogue: 0,0:01:55.80,0:01:59.59,Default,,0000,0000,0000,,of the time, when the hacking thing\Nstarted, we're doing to actually hack into Dialogue: 0,0:01:59.59,0:02:06.11,Default,,0000,0000,0000,,voicemail systems. I condensed everything\NI learned in five different paragraphs of Dialogue: 0,0:02:06.11,0:02:11.67,Default,,0000,0000,0000,,five different essences, that I actually\Ngot from frac website, which is an amazing Dialogue: 0,0:02:11.67,0:02:16.87,Default,,0000,0000,0000,,resource. So, here from the Hacking\NTelephone Answering Machines, the Dialogue: 0,0:02:16.87,0:02:20.84,Default,,0000,0000,0000,,paragraph that I extracted was that "You\Ncan just enter all 2-digit combinations Dialogue: 0,0:02:20.84,0:02:25.24,Default,,0000,0000,0000,,until you get the right one", "A more\Nsophisticated and fast way to do this is Dialogue: 0,0:02:25.24,0:02:29.20,Default,,0000,0000,0000,,to take advantage of the fact that such\Nmachines typically do not read two numbers Dialogue: 0,0:02:29.20,0:02:33.33,Default,,0000,0000,0000,,at a time, and discard them, but just look\Nfor the correct sequence". What is this Dialogue: 0,0:02:33.33,0:02:41.65,Default,,0000,0000,0000,,about? In older voicemail systems if you\Nwill enter like 1234 for the 2-digit PIN, Dialogue: 0,0:02:41.65,0:02:47.77,Default,,0000,0000,0000,,it will not process 12 and 34 to to verify\Nthe PIN, but it will also process 23, Dialogue: 0,0:02:47.77,0:02:52.28,Default,,0000,0000,0000,,which is very interesting. 
In fact, in\NHacking AT&T Answering Machines, again, Dialogue: 0,0:02:52.28,0:02:56.96,Default,,0000,0000,0000,,this is amazing from their 90s or 80s, we\Nactually get the correct sequence to cover Dialogue: 0,0:02:56.96,0:03:01.23,Default,,0000,0000,0000,,the entire 2-digit key space. So, if you\Nenter all these, you are basically brute Dialogue: 0,0:03:01.23,0:03:05.77,Default,,0000,0000,0000,,forcing the entire key space, without\Nhaving to enter in the entire thing that Dialogue: 0,0:03:05.77,0:03:11.54,Default,,0000,0000,0000,,covers it. I also learned, from A Tutorial\Nof Aspen Voice Mailbox Systems, that in Dialogue: 0,0:03:11.54,0:03:16.32,Default,,0000,0000,0000,,the 80s there was default passwords.\NSurprise, surprise! But also that as Dialogue: 0,0:03:16.32,0:03:21.66,Default,,0000,0000,0000,,humans, we actually have patterns when we\Nchoose PINs. And so we have the classics: Dialogue: 0,0:03:21.66,0:03:28.23,Default,,0000,0000,0000,,1111, 9999, 1234. And another thing that I\Nlearned in Hacking Answering Machines in Dialogue: 0,0:03:28.23,0:03:32.70,Default,,0000,0000,0000,,the 90s, was that "There is also the old\N'change the message' secret to make it say Dialogue: 0,0:03:32.70,0:03:36.97,Default,,0000,0000,0000,,something to the effect of this line\Naccepts all toll charges so you can bill Dialogue: 0,0:03:36.97,0:03:41.85,Default,,0000,0000,0000,,third party calls to that number". This is\Nbasically a trick used by inmates to get Dialogue: 0,0:03:41.85,0:03:46.16,Default,,0000,0000,0000,,free calls. Basically, they would record\Nin the voicemail a greeting message "yes, Dialogue: 0,0:03:46.16,0:03:49.75,Default,,0000,0000,0000,,yes, yes", so when the automated system\Ncomes in and asks "Do you want to accept Dialogue: 0,0:03:49.75,0:03:53.89,Default,,0000,0000,0000,,the toll charges from the call from the\Npenitentiary, it will go and they will be Dialogue: 0,0:03:53.89,0:03:59.94,Default,,0000,0000,0000,,able to do free calls. 
So, condensing\Neverything and summarizing what what I Dialogue: 0,0:03:59.94,0:04:04.35,Default,,0000,0000,0000,,learned from looking at what previous\Nhackers did in the 80s: we know that the Dialogue: 0,0:04:04.35,0:04:08.78,Default,,0000,0000,0000,,voicemail system security looked like...\Nthere was default PINs, there was common Dialogue: 0,0:04:08.78,0:04:12.65,Default,,0000,0000,0000,,PINs, there was bruteforceable PINs, there\Nwas efficient bruteforcing because we can Dialogue: 0,0:04:12.65,0:04:16.78,Default,,0000,0000,0000,,enter multiple PINs at the same time, that\Nthe greeting message is actually an attack Dialogue: 0,0:04:16.78,0:04:21.47,Default,,0000,0000,0000,,vector. So let's play a game. Let's do\Nchecklist and let's look at the voicemail Dialogue: 0,0:04:21.47,0:04:26.97,Default,,0000,0000,0000,,security today. So, I looked at the\NAmerican carriers because I live in the Dialogue: 0,0:04:26.97,0:04:32.34,Default,,0000,0000,0000,,US, but because I was invited to talk in\NGermany, I took some friends to give me Dialogue: 0,0:04:32.34,0:04:37.19,Default,,0000,0000,0000,,some SIM cards and I actually wanted to\Nput about German carriers as well. So, Dialogue: 0,0:04:37.19,0:04:41.49,Default,,0000,0000,0000,,checklist time, default PINs: all American\Ncarriers do have default PINs and Dialogue: 0,0:04:41.49,0:04:45.94,Default,,0000,0000,0000,,unfortunately they are really not a secret\Nbecause most of them is actually the last Dialogue: 0,0:04:45.94,0:04:51.06,Default,,0000,0000,0000,,digits of your phone number. When it comes\Nto German carriers it's actually a much Dialogue: 0,0:04:51.06,0:04:54.84,Default,,0000,0000,0000,,better state, for example Vodaphone it's\Nthe last 4 digits of the client number Dialogue: 0,0:04:54.84,0:04:59.53,Default,,0000,0000,0000,,which you don't know. I mean, you know as\Nthe customer, not others, it's a secret. 
Dialogue: 0,0:04:59.53,0:05:03.65,Default,,0000,0000,0000,,Or if it comes to the CallYa, that is the\Ncard that I got, it's the last 4 digits of Dialogue: 0,0:05:03.65,0:05:07.44,Default,,0000,0000,0000,,the PUK. For Telekom it's the last 4\Ndigits of the card number, which is the Dialogue: 0,0:05:07.44,0:05:11.59,Default,,0000,0000,0000,,card you get with the SIM card. For O2,\Nunfortunately, there is a default PIN, Dialogue: 0,0:05:11.59,0:05:18.44,Default,,0000,0000,0000,,which is 8705, which is the only PIN you\Ncan't set, when you choose to set one. Dialogue: 0,0:05:18.44,0:05:23.68,Default,,0000,0000,0000,,Yeah. So, voicemail security today when it\Ncomes to common PINs: according to like a Dialogue: 0,0:05:23.68,0:05:28.18,Default,,0000,0000,0000,,fantastic research from Data Genetics,\Nthis is actually about people choosing Dialogue: 0,0:05:28.18,0:05:33.53,Default,,0000,0000,0000,,PINs for their credit cards, but there was\Na lot of conclusions that I learned from Dialogue: 0,0:05:33.53,0:05:38.50,Default,,0000,0000,0000,,this research and basically, to summarize\Nthe most important regarding this work, is Dialogue: 0,0:05:38.50,0:05:44.94,Default,,0000,0000,0000,,that for example by trying the top 20 most\Ncommon PINs, you have a 22 percent chance Dialogue: 0,0:05:44.94,0:05:50.06,Default,,0000,0000,0000,,of getting the right one. What this means\Nin other words is for every fourth victim Dialogue: 0,0:05:50.06,0:05:53.99,Default,,0000,0000,0000,,that I tried to brute force the PIN from\Ntheir voicemail system, I will get it Dialogue: 0,0:05:53.99,0:05:58.29,Default,,0000,0000,0000,,right every fourth person. There are other\Nconclusions that are very interesting Dialogue: 0,0:05:58.29,0:06:08.66,Default,,0000,0000,0000,,like, the PINs mostly start by 19. Who has\Nan idea why is that? Birth year, right? 
Is Dialogue: 0,0:06:08.66,0:06:13.82,Default,,0000,0000,0000,,very common to set as your birth year.\NMost of us were born in the 20th Dialogue: 0,0:06:13.82,0:06:20.44,Default,,0000,0000,0000,,century... to set it as a PIN.\NBruteforceable PINs. Same thing in Germany Dialogue: 0,0:06:20.44,0:06:24.65,Default,,0000,0000,0000,,and in the US, it accepts 4-digit PINs\Nwhich, we will see later, is just not Dialogue: 0,0:06:24.65,0:06:29.97,Default,,0000,0000,0000,,enough key space. Efficient bruteforcing\Nall the carriers accept concatenation of Dialogue: 0,0:06:29.97,0:06:34.88,Default,,0000,0000,0000,,payload. So, in this case I use it to try\Ndifferent PINs and I don't even have to Dialogue: 0,0:06:34.88,0:06:38.92,Default,,0000,0000,0000,,wait for error messages. I just use the\Npound as kind of like an enter in a Dialogue: 0,0:06:38.92,0:06:43.27,Default,,0000,0000,0000,,voicemail system and I can try three PINs\Nat a time. Usually carriers will hang up Dialogue: 0,0:06:43.27,0:06:46.71,Default,,0000,0000,0000,,when you enter three PINs wrong, for\Nsecurity purposes, but we will take Dialogue: 0,0:06:46.71,0:06:52.29,Default,,0000,0000,0000,,advantage of that. So with everything that\NI learned from the 80s, I verified that it Dialogue: 0,0:06:52.29,0:06:56.71,Default,,0000,0000,0000,,was still a problem today. I decided to\Nwrite a tool that allows you to brute Dialogue: 0,0:06:56.71,0:07:01.97,Default,,0000,0000,0000,,force voicemail system fast, cheap,\Neasily, efficiently, and undetected. So, Dialogue: 0,0:07:01.97,0:07:08.18,Default,,0000,0000,0000,,fast: I used Twilio... who is familiar\Nwith Twilio here? Some of you? So a Twilio Dialogue: 0,0:07:08.18,0:07:11.95,Default,,0000,0000,0000,,is basically an online services that\Nallows you to programmatically interact Dialogue: 0,0:07:11.95,0:07:15.41,Default,,0000,0000,0000,,with phone calls. You can make phone\Ncalls, interact with them, and all that. 
Dialogue: 0,0:07:15.41,0:07:18.78,Default,,0000,0000,0000,,So I use it to launch hundreds and\Nhundreds of calls at the same time in Dialogue: 0,0:07:18.78,0:07:24.15,Default,,0000,0000,0000,,order to brute force PINs. It's cheap! The\Nentire 4-digit keyspace costs 40 dollars. Dialogue: 0,0:07:24.15,0:07:29.49,Default,,0000,0000,0000,,So if I want to have a 100 percent chance\Nof getting your 4-digit PIN, I only have Dialogue: 0,0:07:29.49,0:07:33.46,Default,,0000,0000,0000,,to pay 40 bucks. A 50 percent chance,\Naccording to the research from Data Dialogue: 0,0:07:33.46,0:07:37.37,Default,,0000,0000,0000,,Genetics, it will cost me five dollars. So\Nonce every two victims, I will get the Dialogue: 0,0:07:37.37,0:07:41.49,Default,,0000,0000,0000,,PIN. Actually, if I want to take a\Ndifferent approach and instead of just Dialogue: 0,0:07:41.49,0:07:46.62,Default,,0000,0000,0000,,trying to brute force only yours, I want\Nto brute force the PIN from everyone here, Dialogue: 0,0:07:46.62,0:07:50.62,Default,,0000,0000,0000,,according to Data Genetics, and in this\Ncase, according to the fact that that is Dialogue: 0,0:07:50.62,0:07:54.57,Default,,0000,0000,0000,,default PINs... I'm not going to ask how\Nmany of you have O2, now that they know Dialogue: 0,0:07:54.57,0:07:58.49,Default,,0000,0000,0000,,that there is a default PIN to their\Nvoicemail system. It will be more Dialogue: 0,0:07:58.49,0:08:03.32,Default,,0000,0000,0000,,interesting to actually try a thousand\Nphone numbers for that default PIN for O2 Dialogue: 0,0:08:03.32,0:08:08.41,Default,,0000,0000,0000,,customers, only for 13 dollars. It's easy:\Nfully automated, the tool does everything Dialogue: 0,0:08:08.41,0:08:11.77,Default,,0000,0000,0000,,for you, you just have to provide the\Nvictim number, the carrier, and couple Dialogue: 0,0:08:11.77,0:08:16.09,Default,,0000,0000,0000,,other parameters and it's efficient! 
It\Noptimizes brute forcing, I use the Dialogue: 0,0:08:16.09,0:08:20.91,Default,,0000,0000,0000,,research from Data Genetics to favor the\NPINs that are most common, and obviously Dialogue: 0,0:08:20.91,0:08:25.35,Default,,0000,0000,0000,,it tries different PINs and all that\Nstuff. But the most important here is Dialogue: 0,0:08:25.35,0:08:28.75,Default,,0000,0000,0000,,detection, because think about it. In\Norder for me to interact with your Dialogue: 0,0:08:28.75,0:08:33.05,Default,,0000,0000,0000,,voicemail system I need to call you and\Nyou cannot pick up, because if not, it Dialogue: 0,0:08:33.05,0:08:36.54,Default,,0000,0000,0000,,doesn't go to the voicemail system. So I\Nwas trying to find ways, because I need Dialogue: 0,0:08:36.54,0:08:41.94,Default,,0000,0000,0000,,to, in the end, make a lot of calls,\Ntrying different PINs. How can I interact Dialogue: 0,0:08:41.94,0:08:46.10,Default,,0000,0000,0000,,directly with your voicemail? I try call\Nflooding like basically doing three calls Dialogue: 0,0:08:46.10,0:08:49.81,Default,,0000,0000,0000,,at a time, because the line gets flooded\Njust with three calls, it goes directly to Dialogue: 0,0:08:49.81,0:08:54.22,Default,,0000,0000,0000,,the voicemail, but it wasn't very\Nreliable. You can use OSINT techniques, a Dialogue: 0,0:08:54.22,0:08:57.29,Default,,0000,0000,0000,,lot of people likes to tweet that they,\Nyou know, they go on a trip, they are Dialogue: 0,0:08:57.29,0:09:01.98,Default,,0000,0000,0000,,about to board a plane, so it goes into\Nairplane mode, or you go in a remote area, Dialogue: 0,0:09:01.98,0:09:06.85,Default,,0000,0000,0000,,or you are in a movie theater, or at night\Nyou put in Do Not Disturb. Those are all Dialogue: 0,0:09:06.85,0:09:12.30,Default,,0000,0000,0000,,situations in which calls go directly to\Nthe voicemail. 
You can use HLR database to Dialogue: 0,0:09:12.30,0:09:17.53,Default,,0000,0000,0000,,find out if mobile devices are\Ndisconnected or the SIM cards have been Dialogue: 0,0:09:17.53,0:09:21.72,Default,,0000,0000,0000,,discarded, but they are still assigned to\Nan account. And you can use online Dialogue: 0,0:09:21.72,0:09:25.80,Default,,0000,0000,0000,,services like realphonevalidation.com\Nwhich I actually reached out and they Dialogue: 0,0:09:25.80,0:09:30.30,Default,,0000,0000,0000,,provide services that allow you to know if\Na phone is acutally connected to a tower Dialogue: 0,0:09:30.30,0:09:34.87,Default,,0000,0000,0000,,at the moment, so it's basically\Navailable, so you could use that too. You Dialogue: 0,0:09:34.87,0:09:40.51,Default,,0000,0000,0000,,can also use class 0 SMS, which gives you\Nfeedback. It's basically a type of SMS Dialogue: 0,0:09:40.51,0:09:45.57,Default,,0000,0000,0000,,that will... it has more priority and will\Nbasically display on the screen and you'll Dialogue: 0,0:09:45.57,0:09:49.52,Default,,0000,0000,0000,,get the feedback if it was displayed. So,\Nthat's a nice trick to find out if the Dialogue: 0,0:09:49.52,0:09:55.26,Default,,0000,0000,0000,,phone actually connected to a tower. But\Nin reality, I wanted a bullet proof way to Dialogue: 0,0:09:55.26,0:09:59.48,Default,,0000,0000,0000,,do this and in the U.S. I found that there\Nis this concept of backdoor voice mail systems. Dialogue: 0,0:09:59.48,0:10:03.02,Default,,0000,0000,0000,,So instead of me calling you, I'm going to\Ncall one of these services that you guys Dialogue: 0,0:10:03.02,0:10:08.13,Default,,0000,0000,0000,,have listed here for every carrier and\Nthere I enter the number, in this case the Dialogue: 0,0:10:08.13,0:10:11.77,Default,,0000,0000,0000,,number of the victim from the voicemail I\Nwant to interact to. And of course it Dialogue: 0,0:10:11.77,0:10:16.07,Default,,0000,0000,0000,,allows you to access to the logging\Nprompt. 
Actually in Germany I find it Dialogue: 0,0:10:16.07,0:10:19.74,Default,,0000,0000,0000,,interesting that you guys have it as a\Nservice, because in the US it's more a Dialogue: 0,0:10:19.74,0:10:24.59,Default,,0000,0000,0000,,secret that I had to found using Google,\Nbut here... Basically if I dial your phone Dialogue: 0,0:10:24.59,0:10:28.03,Default,,0000,0000,0000,,number and when it comes to Vodafone\Nbetween the area code and the rest of the Dialogue: 0,0:10:28.03,0:10:33.89,Default,,0000,0000,0000,,number I put 55, or for Telekom 13, or for\NO2 33, I directly go to the voicemail, you Dialogue: 0,0:10:33.89,0:10:37.47,Default,,0000,0000,0000,,won't ring your phone. So I can use that.\NWho was aware of this, that is from Dialogue: 0,0:10:37.47,0:10:42.44,Default,,0000,0000,0000,,Germany? OK, many of you. So that's what I\Nthought. Like here it's not really like Dialogue: 0,0:10:42.44,0:10:46.57,Default,,0000,0000,0000,,something you guys care too much about. In\Nthe U.S. it's actually used a lot for Dialogue: 0,0:10:46.57,0:10:53.43,Default,,0000,0000,0000,,scammers or to leave directly voicemail\Nmessages from spammers as well. So, Dialogue: 0,0:10:53.43,0:10:56.81,Default,,0000,0000,0000,,voicemailcracker actually takes advantage\Nof backdoor numbers, so it allows you to Dialogue: 0,0:10:56.81,0:11:00.12,Default,,0000,0000,0000,,be undetected. I don't need to call you, I\Ndon't need to wait till you are flying, I Dialogue: 0,0:11:00.12,0:11:04.40,Default,,0000,0000,0000,,can do that. And for example for the U.S.\Nit's great, because when I launch that Dialogue: 0,0:11:04.40,0:11:08.55,Default,,0000,0000,0000,,many calls, the line gets flooded even if\Nyou are offline. But when I use these Dialogue: 0,0:11:08.55,0:11:14.96,Default,,0000,0000,0000,,backdoor voicemail systems, because they\Nare meant to be used by everyone, those Dialogue: 0,0:11:14.96,0:11:19.32,Default,,0000,0000,0000,,don't get flooded. 
So I literally make\Nhundreds and hundreds of calls and it Dialogue: 0,0:11:19.32,0:11:25.34,Default,,0000,0000,0000,,never fails.So, but you know like\Ncarriers, or some of them, add a brute Dialogue: 0,0:11:25.34,0:11:28.80,Default,,0000,0000,0000,,force protections, right? So that you\Ncan't actually launch brute forcing Dialogue: 0,0:11:28.80,0:11:32.93,Default,,0000,0000,0000,,attacks. And I looked at the German\Ncarriers and for example Vodafone, I saw Dialogue: 0,0:11:32.93,0:11:37.62,Default,,0000,0000,0000,,that it resets the 6 digit PIN and sends\Nit over SMS. So, I guess I can flood your Dialogue: 0,0:11:37.62,0:11:41.26,Default,,0000,0000,0000,,phone with text but who cares, that's not\Na big deal, but I think it's actually a Dialogue: 0,0:11:41.26,0:11:45.71,Default,,0000,0000,0000,,pretty effective measure against\Nvoicemail... against brute forcing. Dialogue: 0,0:11:45.71,0:11:48.66,Default,,0000,0000,0000,,Telekom blocks the Caller ID from\Naccessing the mailbox or even leaving Dialogue: 0,0:11:48.66,0:11:53.22,Default,,0000,0000,0000,,messages. I tried and after six times that\Nit's wrong every time, I call it says Dialogue: 0,0:11:53.22,0:11:56.95,Default,,0000,0000,0000,,"Hey, you can't do anything", and it hangs\Nup. And for O2 it connects directly to the Dialogue: 0,0:11:56.95,0:12:01.06,Default,,0000,0000,0000,,customer help-line, but someone started\Ntalking German and my German is not that Dialogue: 0,0:12:01.06,0:12:08.41,Default,,0000,0000,0000,,good. So brute force, I wanted to be able\Nto bypass this writing and so if you look Dialogue: 0,0:12:08.41,0:12:12.87,Default,,0000,0000,0000,,at telecom I mentioned that it blocks the\Ncaller I.D. but it turns out that Twilio Dialogue: 0,0:12:12.87,0:12:16.96,Default,,0000,0000,0000,,you can actually buy caller IDs you can,\Nwell, you can buy phone numbers, right? Dialogue: 0,0:12:16.96,0:12:22.51,Default,,0000,0000,0000,,and they are really cheap. 
So it's very\Neasy for me to do randomization of caller Dialogue: 0,0:12:22.51,0:12:28.33,Default,,0000,0000,0000,,I.D.s for very very cheap and bypass\Ntelecom's brute force protection. So Dialogue: 0,0:12:28.33,0:12:33.01,Default,,0000,0000,0000,,voicemailcracker also supports that. It\Nsupports caller ID randomization. So let's Dialogue: 0,0:12:33.01,0:12:38.49,Default,,0000,0000,0000,,make the first demo. So as you can see\Nhere on the left is the victim's mobile Dialogue: 0,0:12:38.49,0:12:43.79,Default,,0000,0000,0000,,device, and on the right is the tool. And\Nin this case I'm going to use the brute Dialogue: 0,0:12:43.79,0:12:47.51,Default,,0000,0000,0000,,force option. The brute force option\Nallows me to basically brute force the Dialogue: 0,0:12:47.51,0:12:51.94,Default,,0000,0000,0000,,pin. It makes hundreds of calls as I\Nexplain and I'll try to guess it. And Dialogue: 0,0:12:51.94,0:12:55.07,Default,,0000,0000,0000,,there is a number of parameters like the\Nvictim number, the carrier... the carrier Dialogue: 0,0:12:55.07,0:12:58.99,Default,,0000,0000,0000,,is important because they put their\Nspecific payloads for every single carrier Dialogue: 0,0:12:58.99,0:13:03.59,Default,,0000,0000,0000,,because all the voicemail systems are\Ndifferent, how you interact with them, and Dialogue: 0,0:13:03.59,0:13:06.87,Default,,0000,0000,0000,,in this case are using a backdoor number\Nbecause he's more efficient. And then Dialogue: 0,0:13:06.87,0:13:11.11,Default,,0000,0000,0000,,there is no detection. And in this case I\Ndid the option of top pin. So this is Dialogue: 0,0:13:11.11,0:13:17.50,Default,,0000,0000,0000,,basically trying the top 20 pins according\Nto the research for four digits. So as you Dialogue: 0,0:13:17.50,0:13:21.64,Default,,0000,0000,0000,,can see it's trying actually three pins at\Na time as I mentioned before rather than Dialogue: 0,0:13:21.64,0:13:26.96,Default,,0000,0000,0000,,one. 
So we have to do a third of the of\Nthe of the calls, right? And how did you Dialogue: 0,0:13:26.96,0:13:34.39,Default,,0000,0000,0000,,think that I'm detecting if the pin was\Ncorrect or not? Any ideas? Dialogue: 0,0:13:34.39,0:13:40.17,Default,,0000,0000,0000,,{\i1}Unintelligible suggestion from audience{\i0}\NM.V.: OK. So the disconnect and hang up. Dialogue: 0,0:13:40.17,0:13:43.88,Default,,0000,0000,0000,,That's what I heard. And that's exactly\Nright. If you think about it I can look at Dialogue: 0,0:13:43.88,0:13:48.17,Default,,0000,0000,0000,,the call duration because when I tried\Nthree pins and it hangs up it's always the Dialogue: 0,0:13:48.17,0:13:54.38,Default,,0000,0000,0000,,same call duration. For T-Mobile in this\Ncase it's like 18 seconds. So I instruct Dialogue: 0,0:13:54.38,0:13:58.11,Default,,0000,0000,0000,,Twilio to after dialing and putting the\Npayload to interact with the voicemail Dialogue: 0,0:13:58.11,0:14:03.11,Default,,0000,0000,0000,,system trying the pins to wait 10 extra\Nseconds. So all I got to do, I don't need Dialogue: 0,0:14:03.11,0:14:07.51,Default,,0000,0000,0000,,any sound processing to try to guess what\Nthe voicemail voice is telling me if it's Dialogue: 0,0:14:07.51,0:14:11.07,Default,,0000,0000,0000,,correct or not. I just use the call\Nduration. So if the call duration is ten Dialogue: 0,0:14:11.07,0:14:15.55,Default,,0000,0000,0000,,times longer then I know that's the right\Npin because because it locked in. So as Dialogue: 0,0:14:15.55,0:14:19.24,Default,,0000,0000,0000,,you can see it found out one of those\Nthree is actually the correct one: in this Dialogue: 0,0:14:19.24,0:14:24.65,Default,,0000,0000,0000,,case it's 1983. 
So in order to give you\Nthe exact one because at that time it Dialogue: 0,0:14:24.65,0:14:29.39,Default,,0000,0000,0000,,tried the three of them, now it's trying\None by one and it may look like it's Dialogue: 0,0:14:29.39,0:14:35.35,Default,,0000,0000,0000,,taking longer than it should for only 20\Npins but remember failing pins is very Dialogue: 0,0:14:35.35,0:14:38.99,Default,,0000,0000,0000,,very quick. It's just that because in the\Ntop 20 found already the right pin it Dialogue: 0,0:14:38.99,0:14:46.22,Default,,0000,0000,0000,,takes longer than it should, and there you\Ngo. We got that it's 1983. Awesome. So Dialogue: 0,0:14:46.22,0:14:50.41,Default,,0000,0000,0000,,what is the impact really why am I here\Ntalking to you at CCC that has such Dialogue: 0,0:14:50.41,0:14:55.56,Default,,0000,0000,0000,,amazing talks, right? And this is really\Nthe thing about this. No one cares about Dialogue: 0,0:14:55.56,0:15:00.72,Default,,0000,0000,0000,,the voicemail. Probably if I ask here, who\Nknows his own voicemail pin? Dialogue: 0,0:15:00.72,0:15:05.33,Default,,0000,0000,0000,,{\i1}laughter{\i0}\NM.V.: Nice. That's what I was expecting. Dialogue: 0,0:15:05.33,0:15:09.87,Default,,0000,0000,0000,,Probably less hands here. So some of them\Nare lying but that's the thing, right? We Dialogue: 0,0:15:09.87,0:15:13.91,Default,,0000,0000,0000,,don't care about the voicemail. We don't\Neven use it, which is the crazy thing Dialogue: 0,0:15:13.91,0:15:18.31,Default,,0000,0000,0000,,here. We have we have an open door for\Ndiscussing an issue that we don't even Dialogue: 0,0:15:18.31,0:15:23.29,Default,,0000,0000,0000,,know about or we don't even remember. So\Nmany people is not familiar with the fact Dialogue: 0,0:15:23.29,0:15:27.87,Default,,0000,0000,0000,,that you can a reset passwords over phone\Ncall. We are familiar with resetting Dialogue: 0,0:15:27.87,0:15:32.70,Default,,0000,0000,0000,,passwords over e-mail. 
You get a unique\Nlink maybe over SMS you get a code that Dialogue: 0,0:15:32.70,0:15:36.81,Default,,0000,0000,0000,,you that you then have to enter in the UI.\NBut a lot of people cannot receive SMS, or Dialogue: 0,0:15:36.81,0:15:41.99,Default,,0000,0000,0000,,that's what services claim. So they allow\Nyou to provide that temporary code over a Dialogue: 0,0:15:41.99,0:15:46.56,Default,,0000,0000,0000,,phone call, and that's exactly what we\Ntake advantage of, because I ask you what Dialogue: 0,0:15:46.56,0:15:50.91,Default,,0000,0000,0000,,what happens if you don't pick up the\Nphone if basically I go to a service, Dialogue: 0,0:15:50.91,0:15:55.21,Default,,0000,0000,0000,,enter your e-mail or your phone number and\Nreset a password, and everyone can do Dialogue: 0,0:15:55.21,0:16:01.99,Default,,0000,0000,0000,,that. Anyone can reset it, initiate the\Nreset password process, and I know that Dialogue: 0,0:16:01.99,0:16:05.71,Default,,0000,0000,0000,,you are not going to pick up the phone. I\Nknow that thanks to my tool I got access Dialogue: 0,0:16:05.71,0:16:09.76,Default,,0000,0000,0000,,to your voicemail system. So basically the\Nvoicemail system will pick up the call and Dialogue: 0,0:16:09.76,0:16:15.31,Default,,0000,0000,0000,,it will start recording, so it will record\Nthe voice spelling out the code that I Dialogue: 0,0:16:15.31,0:16:22.57,Default,,0000,0000,0000,,need to basically reset your account and\Nget access to it. So -- oops! -- and I Dialogue: 0,0:16:22.57,0:16:26.57,Default,,0000,0000,0000,,press play here.\N{\i1}Static{\i0} Dialogue: 0,0:16:26.57,0:16:31.32,Default,,0000,0000,0000,,M.V.: Okay, so, what does the attack\Nvector look like? You brute force the Dialogue: 0,0:16:31.32,0:16:35.80,Default,,0000,0000,0000,,voicemail system using the tool ideally\Nusing backdoor numbers. 
For that Dialogue: 0,0:16:35.80,0:16:38.78,Default,,0000,0000,0000,,particular call -- that is, the call that\Nthe victim will receive once you initiate Dialogue: 0,0:16:38.78,0:16:42.37,Default,,0000,0000,0000,,the password reset -- that one it cannot\Ngo through the backdoor number, right?, Dialogue: 0,0:16:42.37,0:16:45.85,Default,,0000,0000,0000,,because it's gonna-- PayPal is gonna\Ndirectly call the victim. So for that one Dialogue: 0,0:16:45.85,0:16:50.15,Default,,0000,0000,0000,,you need to make sure that the victim is\Nnot connected to a tower through all the Dialogue: 0,0:16:50.15,0:16:53.98,Default,,0000,0000,0000,,methods that I showed before. You start\Nthe password reset process using the Dialogue: 0,0:16:53.98,0:16:57.80,Default,,0000,0000,0000,,economy feature. You listen to the\Nrecorded message, secret code and profit. Dialogue: 0,0:16:57.80,0:17:01.68,Default,,0000,0000,0000,,You hijacked that account, and\NVoicemailcracker can do all that for you. Dialogue: 0,0:17:01.68,0:17:09.55,Default,,0000,0000,0000,,Let's compromise Whatsapp. So on the left\Nyou see my number, right?, with a secret Dialogue: 0,0:17:09.55,0:17:13.94,Default,,0000,0000,0000,,lover group, and a secret group, and all\Nthat stuff. On the right notice that I'm Dialogue: 0,0:17:13.94,0:17:19.71,Default,,0000,0000,0000,,not even using an actual device. It's an\Nandroid emulator that I installed, an APK. Dialogue: 0,0:17:19.71,0:17:23.81,Default,,0000,0000,0000,,And there is some sound to this, and you\Nare gonna see -- so again on your left Dialogue: 0,0:17:23.81,0:17:27.90,Default,,0000,0000,0000,,it's the victims number. On the right is\Nan emulator of the attacker. So you'll see Dialogue: 0,0:17:27.90,0:17:33.92,Default,,0000,0000,0000,,that I'm going to use my tool with the\Nmessage payload, with the message option. 
Dialogue: 0,0:17:33.92,0:17:38.52,Default,,0000,0000,0000,,So in this case what I'm doing is I'm\Nsetting the victim's phone to airplane Dialogue: 0,0:17:38.52,0:17:43.88,Default,,0000,0000,0000,,mode, simulating that it's now offline for\Nsome reason, and I detected that. So if Dialogue: 0,0:17:43.88,0:17:50.68,Default,,0000,0000,0000,,you see, WhatsApp allows sends you a text\Nto actually register as a WhatsApp user, Dialogue: 0,0:17:50.68,0:17:54.88,Default,,0000,0000,0000,,but if you don't reply in a minute it\Nallows you-- it gives you an option to Dialogue: 0,0:17:54.88,0:17:59.43,Default,,0000,0000,0000,,call, to call me, right? And that's\Nexactly what I click. So now WhatsApp is Dialogue: 0,0:17:59.43,0:18:04.08,Default,,0000,0000,0000,,basically calling the victim which is\Nagain in airplane mode, because he went on Dialogue: 0,0:18:04.08,0:18:08.60,Default,,0000,0000,0000,,a remote trip or on a plane, and so I'm\Nusing Voicemailcracker with the option Dialogue: 0,0:18:08.60,0:18:14.06,Default,,0000,0000,0000,,"message" to automatically retrieve that\Nnewest message. So the tool is gonna Dialogue: 0,0:18:14.06,0:18:17.59,Default,,0000,0000,0000,,provide me as you can see the last option\Nis the pin, because I brute forced it Dialogue: 0,0:18:17.59,0:18:21.96,Default,,0000,0000,0000,,before. So it's going to give me a URL\Nwith the recording of the newest message, Dialogue: 0,0:18:21.96,0:18:29.53,Default,,0000,0000,0000,,which, hopefully -- it's a recorded demo\N-- hopefully contains actually the code. Dialogue: 0,0:18:29.53,0:18:46.08,Default,,0000,0000,0000,,So let's see... I got the URL.\N{\i1}Phone alert sound{\i0} Dialogue: 0,0:18:46.08,0:18:48.76,Default,,0000,0000,0000,,Computerized phone voice: New Message! --\NM.V.: It's interacting with the voicemail Dialogue: 0,0:18:48.76,0:18:50.55,Default,,0000,0000,0000,,system right now.\NPhone voice: -- your verification code is: Dialogue: 0,0:18:50.55,0:19:01.44,Default,,0000,0000,0000,,3 6 5 9 1 5. 
Your verification code is: 3\N6 5 9 1 5. Your ver--
Dialogue: 0,0:19:01.44,0:19:06.06,Default,,0000,0000,0000,,M.V.: And that simple. We just hijacked\Nthat person's WhatsApp, and I -- here I'm
Dialogue: 0,0:19:06.06,0:19:08.82,Default,,0000,0000,0000,,fast forwarding just to show you--\N{\i1}Applause{\i0}
Dialogue: 0,0:19:08.82,0:19:18.76,Default,,0000,0000,0000,,M.V.: --that you get actually that. Thank\Nyou. I do want to point out that WhatsApp
Dialogue: 0,0:19:18.76,0:19:21.84,Default,,0000,0000,0000,,is super secure, it like-- end to end\Nencryption all that -- and there is a
Dialogue: 0,0:19:21.84,0:19:25.18,Default,,0000,0000,0000,,number of things that you can notice this\Nattack. For example you wouldn't be able
Dialogue: 0,0:19:25.18,0:19:28.69,Default,,0000,0000,0000,,to see the previous messages that were\Nthere but you can just hold on and ask
Dialogue: 0,0:19:28.69,0:19:32.91,Default,,0000,0000,0000,,people, right? The groups will pop up. So\Nyou hijacked that WhatsApp account. There
Dialogue: 0,0:19:32.91,0:19:37.56,Default,,0000,0000,0000,,is also fingerprinting. But who really\Npays attention to the fingerprinting when
Dialogue: 0,0:19:37.56,0:19:43.44,Default,,0000,0000,0000,,someone changes the device, right? So are\Nwe done? Not yet. Because the truth is,
Dialogue: 0,0:19:43.44,0:19:48.03,Default,,0000,0000,0000,,some researchers talked about this in the\Npast and actually services tried to
Dialogue: 0,0:19:48.03,0:19:52.16,Default,,0000,0000,0000,,slowly pick up. So that is actually\Nsomething that I found in several
Dialogue: 0,0:19:52.16,0:19:56.71,Default,,0000,0000,0000,,services. That is what I call the user\Ninteraction based protection. So when you
Dialogue: 0,0:19:56.71,0:20:01.06,Default,,0000,0000,0000,,receive that phone call that provides you\Nwith the temporary code, in reality it's
Dialogue: 0,0:20:01.06,0:20:04.70,Default,,0000,0000,0000,,not giving it away. You have to press a\Nkey.
It comes in three different flavors
Dialogue: 0,0:20:04.70,0:20:08.53,Default,,0000,0000,0000,,from what I found from my tests. Please\Npress any key to hear the code, so when
Dialogue: 0,0:20:08.53,0:20:11.68,Default,,0000,0000,0000,,you get the call, you have to press, and\Nthen it will tell you the code; please
Dialogue: 0,0:20:11.68,0:20:15.95,Default,,0000,0000,0000,,press a random key, so specifically please\Npress 1, please press 2, or please enter
Dialogue: 0,0:20:15.95,0:20:20.09,Default,,0000,0000,0000,,the code. PayPal does that, and instead of\Nyou having to press a key to hear the code
Dialogue: 0,0:20:20.09,0:20:24.29,Default,,0000,0000,0000,,when you reset the password you will see a\Nfour-digit code that you have to enter
Dialogue: 0,0:20:24.29,0:20:29.14,Default,,0000,0000,0000,,when you receive the call and then it will\Nreset the password. So I'm going to get
Dialogue: 0,0:20:29.14,0:20:33.68,Default,,0000,0000,0000,,the help from all of you guys. Can we beat\Nthis currently recommended protection, what
Dialogue: 0,0:20:33.68,0:20:37.92,Default,,0000,0000,0000,,is nowadays recommended to prevent these\Nkinds of attacks? And we're going to play a
Dialogue: 0,0:20:37.92,0:20:44.59,Default,,0000,0000,0000,,game. I'm going to give you two hints.\NThis is the first one. So, you probably
Dialogue: 0,0:20:44.59,0:20:48.51,Default,,0000,0000,0000,,guys are familiar with this, but Captain\NCrunch. Again we go back today it is we
Dialogue: 0,0:20:48.51,0:20:54.51,Default,,0000,0000,0000,,can learn so much from them, used this to\Ngenerate specific sounds at a specific
Dialogue: 0,0:20:54.51,0:20:58.17,Default,,0000,0000,0000,,frequency to basically -- you can go and\Nread it -- to get free international
Dialogue: 0,0:20:58.17,0:21:02.55,Default,,0000,0000,0000,,calls. So he will create that sound and\Nthe system will process it on the
Dialogue: 0,0:21:02.55,0:21:07.43,Default,,0000,0000,0000,,line. And the second one is that I\Ncheated.
When we did the checklist, I
Dialogue: 0,0:21:07.43,0:21:11.75,Default,,0000,0000,0000,,actually skipped one, which was the\Ngreeting message is an attack vector. So I
Dialogue: 0,0:21:11.75,0:21:16.55,Default,,0000,0000,0000,,ask you guys how can we bypass the\Nprotection that requires user interaction
Dialogue: 0,0:21:16.55,0:21:20.13,Default,,0000,0000,0000,,in order to get the code recorded on the\Nvoicemail system?
Dialogue: 0,0:21:20.13,0:21:26.27,Default,,0000,0000,0000,,{\i1}Inaudible suggestion from audience{\i0}\NM.V.: What was that?... Exactly. Record
Dialogue: 0,0:21:26.27,0:21:31.47,Default,,0000,0000,0000,,DTMF tones as the greeting message. We own\Nthe voicemail system so we can alter the
Dialogue: 0,0:21:31.47,0:21:36.73,Default,,0000,0000,0000,,greeting message. So this is exactly how\Nit works: We just alter the greeting
Dialogue: 0,0:21:36.73,0:21:42.26,Default,,0000,0000,0000,,message, we call the DTMF that the system\Nis expecting and it works every single
Dialogue: 0,0:21:42.26,0:21:48.04,Default,,0000,0000,0000,,time. The best thing of this is what\Nreally is so awesome about all of us
Dialogue: 0,0:21:48.04,0:21:52.17,Default,,0000,0000,0000,,that really care about technology. We want\Nto have a deep understanding because when
Dialogue: 0,0:21:52.17,0:21:57.05,Default,,0000,0000,0000,,I was asking people when, you know, I\Nwanted to show them this I was asking them
Dialogue: 0,0:21:57.05,0:22:01.48,Default,,0000,0000,0000,,how does this protection really work. And\Nthey will say well you have to press a key
Dialogue: 0,0:22:01.48,0:22:05.79,Default,,0000,0000,0000,,and then you know it will give you the\Ncode. But that's not really true. What
Dialogue: 0,0:22:05.79,0:22:09.49,Default,,0000,0000,0000,,you have to do is to provide a\Nspecific sound that the system is
Dialogue: 0,0:22:09.49,0:22:13.99,Default,,0000,0000,0000,,expecting.
That is different than saying\Nyou have to press a key, because if you
Dialogue: 0,0:22:13.99,0:22:18.52,Default,,0000,0000,0000,,say I have to press a key that requires\Nphysical access. If you say I have to
Dialogue: 0,0:22:18.52,0:22:22.46,Default,,0000,0000,0000,,provide a sound, now we know it doesn't\Nrequire physical access. That is why
Dialogue: 0,0:22:22.46,0:22:26.49,Default,,0000,0000,0000,,hackers are so cool, because we really\Nwant to understand what is happening
Dialogue: 0,0:22:26.49,0:22:30.72,Default,,0000,0000,0000,,backstage, and we take advantage of that.\NSo what does the attack vector look like?
Dialogue: 0,0:22:30.72,0:22:34.09,Default,,0000,0000,0000,,Bruteforcing voicemail systems as before.\NSo basically we have an extra step which
Dialogue: 0,0:22:34.09,0:22:38.12,Default,,0000,0000,0000,,is update the greeting message according\Nto the account to be hacked. Voicemail-
Dialogue: 0,0:22:38.12,0:22:40.93,Default,,0000,0000,0000,,cracker can do that for you. Let's\Ncompromise PayPal.
Dialogue: 0,0:22:40.93,0:22:46.99,Default,,0000,0000,0000,,{\i1}Laughter{\i0}\NM.V.: So on the left side you see that as
Dialogue: 0,0:22:46.99,0:22:53.33,Default,,0000,0000,0000,,before I brute force the PIN of the voice\Nmail. And in this case on the right side
Dialogue: 0,0:22:53.33,0:23:00.77,Default,,0000,0000,0000,,I'm going to start a password reset for\Nthat account. So I do that and I choose
Dialogue: 0,0:23:00.77,0:23:05.80,Default,,0000,0000,0000,,"please call me with a temporary code".\NBut in this case PayPal works differently
Dialogue: 0,0:23:05.80,0:23:10.14,Default,,0000,0000,0000,,because it will show me a four-digit code\Nthat I need to enter when I receive the
Dialogue: 0,0:23:10.14,0:23:15.69,Default,,0000,0000,0000,,call in order to reset the password. So\Nyou see that here I'm using the greeting
Dialogue: 0,0:23:15.69,0:23:20.31,Default,,0000,0000,0000,,option.
So the greeting is going to allow\Nme to enter a payload that I want to
Dialogue: 0,0:23:20.31,0:23:26.27,Default,,0000,0000,0000,,record as the greeting message. In this\Ncase it's 6 3 5 3. So I may be very very
Dialogue: 0,0:23:26.27,0:23:31.50,Default,,0000,0000,0000,,verbose for this demo. There you see\Nthe last option use PayPal code and I
Dialogue: 0,0:23:31.50,0:23:36.99,Default,,0000,0000,0000,,enter 6 3 5 3. Now the tool is going to\Nuse the PIN to log into the voicemail
Dialogue: 0,0:23:36.99,0:23:42.35,Default,,0000,0000,0000,,system, interact with it, change the\Ngreeting message, record the DTMF tones
Dialogue: 0,0:23:42.35,0:23:50.76,Default,,0000,0000,0000,,according to 6 3 5 3 and then it should be\Nable to fool the call. In this case I'm
Dialogue: 0,0:23:50.76,0:23:55.86,Default,,0000,0000,0000,,asking to call again, because it didn't\Nhave enough time to do that. And in 3 2 1
Dialogue: 0,0:23:55.86,0:24:00.69,Default,,0000,0000,0000,,we should get that we actually compromised\NPayPal's account, and there we go. We can
Dialogue: 0,0:24:00.69,0:24:05.20,Default,,0000,0000,0000,,now set our own password.\N{\i1}Applause{\i0}
Dialogue: 0,0:24:05.20,0:24:14.58,Default,,0000,0000,0000,,M.V.: Thank you. So, I showed you some\Nvulnerable services. Let's go very quick
Dialogue: 0,0:24:14.58,0:24:19.24,Default,,0000,0000,0000,,about it because I'm concerned I'm\Nrunning out of time. So, I'm just
Dialogue: 0,0:24:19.24,0:24:23.49,Default,,0000,0000,0000,,mentioning Alexa top 100 types of\Nservices, no favoring anything, but... so
Dialogue: 0,0:24:23.49,0:24:27.61,Default,,0000,0000,0000,,for password reset that supports over\Nphone call: PayPal, Instagram-- no,
Dialogue: 0,0:24:27.61,0:24:35.06,Default,,0000,0000,0000,,Snapchat-- Netflix, eBay, LinkedIn. I'm\Nstill on Facebook. What can I say?
2FA for
Dialogue: 0,0:24:35.06,0:24:38.28,Default,,0000,0000,0000,,all the major forms, so 2FA over phone\Ncall for Apple, Google, Microsoft,
Dialogue: 0,0:24:38.28,0:24:42.29,Default,,0000,0000,0000,,Yahoo... Verification: So basically you\Ndon't register with a username and
Dialogue: 0,0:24:42.29,0:24:47.02,Default,,0000,0000,0000,,password on WhatsApp or Signal, you\Nactually use directly the phone number,
Dialogue: 0,0:24:47.02,0:24:50.79,Default,,0000,0000,0000,,right? As we saw before and you register\Nthrough a phone call or SMS. So you can
Dialogue: 0,0:24:50.79,0:24:54.71,Default,,0000,0000,0000,,compromise this too. Twilio, the own\Nservice that I use for these is actually
Dialogue: 0,0:24:54.71,0:25:00.52,Default,,0000,0000,0000,,really cool because you can own a caller\NID by verifying it by getting a phone
Dialogue: 0,0:25:00.52,0:25:05.46,Default,,0000,0000,0000,,call so I can actually own your caller ID\Nand make calls on your behalf, send texts,
Dialogue: 0,0:25:05.46,0:25:10.04,Default,,0000,0000,0000,,and this all legitimately, right?,\Nbecause you've pressed one. Google Voice,
Dialogue: 0,0:25:10.04,0:25:13.29,Default,,0000,0000,0000,,it's actually another interesting service\Nbecause it's used a lot by scammers,
Dialogue: 0,0:25:13.29,0:25:17.01,Default,,0000,0000,0000,,right? And this is the same thing: you\Nhave to verify ownership so you can do
Dialogue: 0,0:25:17.01,0:25:21.55,Default,,0000,0000,0000,,those phone calls and you can fool it as\Nwell with this, but I found, I was looking
Dialogue: 0,0:25:21.55,0:25:24.73,Default,,0000,0000,0000,,like what other services really take\Nadvantage of this? And this is super
Dialogue: 0,0:25:24.73,0:25:30.79,Default,,0000,0000,0000,,common in San Francisco, where I live.
You\Ncan buzz in people like when they want to
Dialogue: 0,0:25:30.79,0:25:35.28,Default,,0000,0000,0000,,enter, right?, they enter your house\Nnumber, and then your phone rings and you
Dialogue: 0,0:25:35.28,0:25:39.45,Default,,0000,0000,0000,,press any key to open the door. So we are\Ntalking about physical security now. And
Dialogue: 0,0:25:39.45,0:25:44.02,Default,,0000,0000,0000,,I've seen this in offices as well. They\Nall work this way, basically because they
Dialogue: 0,0:25:44.02,0:25:47.77,Default,,0000,0000,0000,,want to be able -- for tenants, that you\Nknow, come and go -- be able to switch
Dialogue: 0,0:25:47.77,0:25:52.62,Default,,0000,0000,0000,,that very quickly. So it works just\Nthrough the phone that you buzz people in.
Dialogue: 0,0:25:52.62,0:25:56.71,Default,,0000,0000,0000,,But my favorite is consent, because when\Nwe think about consent we think about
Dialogue: 0,0:25:56.71,0:26:00.78,Default,,0000,0000,0000,,lawyers and we think about signing papers\Nand we think about all of these difficult
Dialogue: 0,0:26:00.78,0:26:07.80,Default,,0000,0000,0000,,things. And I found out about this\NLocation Smart service that is not anymore
Dialogue: 0,0:26:07.80,0:26:15.19,Default,,0000,0000,0000,,there and you will see why... But this was\Nrecently in the news because, basically
Dialogue: 0,0:26:15.19,0:26:19.69,Default,,0000,0000,0000,,Brian Krebs wrote a really great article\Nabout it. But I'm going to let you hear
Dialogue: 0,0:26:19.69,0:26:23.39,Default,,0000,0000,0000,,then their YouTube channel, how Location\NSmart works.
Dialogue: 0,0:26:23.39,0:26:30.38,Default,,0000,0000,0000,,LS vid speaker 1: The screen that you're\Nshowing, that you're seeing right now is a
Dialogue: 0,0:26:30.38,0:26:36.80,Default,,0000,0000,0000,,demo that we have on our Web site it's at\Nlocation smart.com/pride, and I've entered
Dialogue: 0,0:26:36.80,0:26:43.19,Default,,0000,0000,0000,,my name, my email, my mobile phone number,\Nand it's again going to get my permission
Dialogue: 0,0:26:43.19,0:26:48.47,Default,,0000,0000,0000,,by calling my phone, and then it'll\Nlocate. So let's go ahead and, I clicked
Dialogue: 0,0:26:48.47,0:26:55.10,Default,,0000,0000,0000,,the box to say yes I agree, click the\Nlocate, and the screen now shows that it's
Dialogue: 0,0:26:55.10,0:26:58.17,Default,,0000,0000,0000,,going to call my device to get my\Npermission.
Dialogue: 0,0:26:58.17,0:27:03.68,Default,,0000,0000,0000,,{\i1}vid speaker's phone vibrates, sounds like an airhorn in video{\i0}\NLS vid speaker 2: Heh, that's a nice ring
Dialogue: 0,0:27:03.68,0:27:05.61,Default,,0000,0000,0000,,tone --\NM.V.: No, it's not--
Dialogue: 0,0:27:05.61,0:27:09.62,Default,,0000,0000,0000,,LS vid speaker 1's phone: To log into\NLocation Smart Services, press 1 or say
Dialogue: 0,0:27:09.62,0:27:16.87,Default,,0000,0000,0000,,'Yes'. To repeat, press 2 or say 'Repeat'.\NLSVS1: Yes
Dialogue: 0,0:27:16.87,0:27:21.81,Default,,0000,0000,0000,,Phone: Congratulations. You have been\Nopted in to Location Smart Services.
Dialogue: 0,0:27:21.81,0:27:23.42,Default,,0000,0000,0000,,Goodbye\NM.V.: So as you see, this service, this
Dialogue: 0,0:27:23.42,0:27:30.09,Default,,0000,0000,0000,,Web site had a free demo, had a free demo\Nthat allowed you to put in a phone number
Dialogue: 0,0:27:30.09,0:27:33.64,Default,,0000,0000,0000,,-- yours, of course -- and you will get a\Nphone call and then you will give
Dialogue: 0,0:27:33.64,0:27:38.50,Default,,0000,0000,0000,,permission by pressing one.
So someone\Ncould locate you and keep tracking -- I
Dialogue: 0,0:27:38.50,0:27:47.97,Default,,0000,0000,0000,,mean, I checked with them -- for up to 30\Ndays, real time. So now you know why they
Dialogue: 0,0:27:47.97,0:27:51.58,Default,,0000,0000,0000,,don't exist anymore!\N{\i1}Applause{\i0}
Dialogue: 0,0:27:51.58,0:28:00.81,Default,,0000,0000,0000,,M.V.: Open source...\N{\i1}More Applause{\i0}
Dialogue: 0,0:28:00.81,0:28:05.49,Default,,0000,0000,0000,,M.V.: Open source. So, and this was with\Nthe permission of the carriers. This was
Dialogue: 0,0:28:05.49,0:28:11.74,Default,,0000,0000,0000,,not some fishy thing. This was actually a\Nservice. So I wanted to release code,
Dialogue: 0,0:28:11.74,0:28:15.01,Default,,0000,0000,0000,,because I want you guys to verify that\Nwhat I mentioned is true and have code to
Dialogue: 0,0:28:15.01,0:28:20.49,Default,,0000,0000,0000,,hopefully help push the industry forward\Nto make voicemail systems more secure,
Dialogue: 0,0:28:20.49,0:28:24.99,Default,,0000,0000,0000,,right? We want to push carriers to do so.\NBut I didn't want to provide a tool
Dialogue: 0,0:28:24.99,0:28:29.64,Default,,0000,0000,0000,,that works out of the box and anyone can\Nvery easily, as we saw, like just start to
Dialogue: 0,0:28:29.64,0:28:32.93,Default,,0000,0000,0000,,bruteforce PINs, especially because I saw\Nthat there are so many people with the
Dialogue: 0,0:28:32.93,0:28:37.28,Default,,0000,0000,0000,,default PINs out there. So I just removed\Nthe brute forcing, so the tool allows you
Dialogue: 0,0:28:37.28,0:28:41.22,Default,,0000,0000,0000,,to test it on your own. You can test, you\Nknow, you can test the greeting message,
Dialogue: 0,0:28:41.22,0:28:45.01,Default,,0000,0000,0000,,you can test the retrieving messages,\Ncompromising the services and all that. So
Dialogue: 0,0:28:45.01,0:28:48.22,Default,,0000,0000,0000,,the tool allows you to test on your own\Ndevice.
I won't give you code to brute
Dialogue: 0,0:28:48.22,0:28:54.22,Default,,0000,0000,0000,,force someone else's device. And feel free\Nto go to my GitHub repo. So now like all
Dialogue: 0,0:28:54.22,0:28:59.31,Default,,0000,0000,0000,,the talks comes the recommendations, but I\Nknow what you guys are thinking, right?
Dialogue: 0,0:28:59.31,0:29:02.51,Default,,0000,0000,0000,,When someone comes with all this paranoia\Nand stuff you still think "yeah but you
Dialogue: 0,0:29:02.51,0:29:07.08,Default,,0000,0000,0000,,know still like no one is gonna come after\Nme. I don't have anything to hide" or
Dialogue: 0,0:29:07.08,0:29:11.33,Default,,0000,0000,0000,,anything like that. So I wanted to give\Nyou reasons why you should still care
Dialogue: 0,0:29:11.33,0:29:17.49,Default,,0000,0000,0000,,about this, and why we need to do better.\NBecause do carriers set default PINs? Yes,
Dialogue: 0,0:29:17.49,0:29:23.35,Default,,0000,0000,0000,,we saw that. Is testing for default PINs\Ncheap, fast, undetected, and automatable?
Dialogue: 0,0:29:23.35,0:29:28.90,Default,,0000,0000,0000,,Yes it is. Is updating the greeting message\Nautomatable? Yes it is. Is retrieving
Dialogue: 0,0:29:28.90,0:29:34.93,Default,,0000,0000,0000,,the newest message automatable? Yes it is.\NIs there speech to text transcription, so
Dialogue: 0,0:29:34.93,0:29:39.19,Default,,0000,0000,0000,,that I can get the sound that I played\Nbefore with the code and get it in text?
Dialogue: 0,0:29:39.19,0:29:45.92,Default,,0000,0000,0000,,Yeah. Twilio gives you that as well. So\Ncan the account compromise process be
Dialogue: 0,0:29:45.92,0:29:49.64,Default,,0000,0000,0000,,automatable? Of course you can use\NSelenium if you want to automate the UI.
Dialogue: 0,0:29:49.64,0:29:55.55,Default,,0000,0000,0000,,Or you can use a Web proxy and look at the\NAPIs and do it yourself.
So it is only a
Dialogue: 0,0:29:55.55,0:30:00.63,Default,,0000,0000,0000,,matter of time that someone actually does\Nall these steps that I showed you step by
Dialogue: 0,0:30:00.63,0:30:05.35,Default,,0000,0000,0000,,step and just makes it all straight and\Nstarts to go over phone numbers trying the
Dialogue: 0,0:30:05.35,0:30:10.39,Default,,0000,0000,0000,,default PINs, and just automatically\Ncompromising services like WhatsApp, like
Dialogue: 0,0:30:10.39,0:30:16.14,Default,,0000,0000,0000,,PayPal and all that. You can do basically,\Nnot a worm, but, you know, you can
Dialogue: 0,0:30:16.14,0:30:20.70,Default,,0000,0000,0000,,compromise a lot of devices without doing\Nanything. Recommendations for online
Dialogue: 0,0:30:20.70,0:30:24.88,Default,,0000,0000,0000,,services. Don't use automated calls for\Nsecurity purposes. If not possible, detect
Dialogue: 0,0:30:24.88,0:30:28.27,Default,,0000,0000,0000,,answering machines and fail. I mean this\Nis not very accurate and you can still
Dialogue: 0,0:30:28.27,0:30:33.63,Default,,0000,0000,0000,,trick it. Require user interaction before\Nproviding the secret. I just showed you how
Dialogue: 0,0:30:33.63,0:30:39.63,Default,,0000,0000,0000,,to bypass that, but that's with the hope that\Ncarriers ban DTMF tones from the greeting
Dialogue: 0,0:30:39.63,0:30:44.37,Default,,0000,0000,0000,,message. I don't see why that should be\Nsupported, right? Recommendations for
Dialogue: 0,0:30:44.37,0:30:48.12,Default,,0000,0000,0000,,carriers. The most important thing: Ban\NDTMF tones from the greeting message,
Dialogue: 0,0:30:48.12,0:30:53.25,Default,,0000,0000,0000,,eliminate backdoor mobile services, or at\Nleast give no access to the login
Dialogue: 0,0:30:53.25,0:30:57.08,Default,,0000,0000,0000,,prompt, right? There is no reason why you\Nshould be able to access your voicemail
Dialogue: 0,0:30:57.08,0:31:01.71,Default,,0000,0000,0000,,directly to leave a message.
But then I\Ncan access the login prompt by pressing
Dialogue: 0,0:31:01.71,0:31:05.75,Default,,0000,0000,0000,,star. Voicemail disabled by default. This\Nis very important and can only be
Dialogue: 0,0:31:05.75,0:31:10.10,Default,,0000,0000,0000,,activated from the actual phone, or\Nonline maybe with a special code. Oh great,
Dialogue: 0,0:31:10.10,0:31:15.73,Default,,0000,0000,0000,,I have time for questions. No default\NPINs. Learn from the German carriers:
Dialogue: 0,0:31:15.73,0:31:19.40,Default,,0000,0000,0000,,don't allow common PINs, detect and\Nprevent brute force attempts, don't
Dialogue: 0,0:31:19.40,0:31:23.62,Default,,0000,0000,0000,,process multiple PINs at once.\NRecommendations for you, which is, in the
Dialogue: 0,0:31:23.62,0:31:28.39,Default,,0000,0000,0000,,end, very important here. Disable the\Nvoicemail if you don't use it. I found
Dialogue: 0,0:31:28.39,0:31:31.76,Default,,0000,0000,0000,,though that with some carriers you're still,\Nthrough the backdoor voicemail numbers, you
Dialogue: 0,0:31:31.76,0:31:37.33,Default,,0000,0000,0000,,are unable to activate it again. So kind\Nof sucks. So I guess use the longest
Dialogue: 0,0:31:37.33,0:31:41.65,Default,,0000,0000,0000,,possible random PIN. Don't provide phone\Nnumbers to online services unless
Dialogue: 0,0:31:41.65,0:31:45.68,Default,,0000,0000,0000,,required, or it is the only way to get 2FA.\N2FA is more important. Use a virtual
Dialogue: 0,0:31:45.68,0:31:50.25,Default,,0000,0000,0000,,number to prevent OSINT like a Google\NVoice number so no one can, you know, learn
Dialogue: 0,0:31:50.25,0:31:55.40,Default,,0000,0000,0000,,about your phone number digits by\Nresetting the password or do SIM swapping.
Dialogue: 0,0:31:55.40,0:31:59.66,Default,,0000,0000,0000,,Use 2FA apps only. And I always like to\Nfinish my talk with one slide that kind of
Dialogue: 0,0:31:59.66,0:32:03.52,Default,,0000,0000,0000,,summarizes everything.
Automated phone\Ncalls are a common solution for password
Dialogue: 0,0:32:03.52,0:32:07.13,Default,,0000,0000,0000,,reset, 2FA, verification, and other\Nservices. These can be compromised by
Dialogue: 0,0:32:07.13,0:32:11.38,Default,,0000,0000,0000,,leveraging old weaknesses and current\Ntechnology to exploit the weakest link:
Dialogue: 0,0:32:11.38,0:32:15.05,Default,,0000,0000,0000,,voicemail systems. Thank you so much.\NDankeschön, CCC!
Dialogue: 0,0:32:15.05,0:32:33.13,Default,,0000,0000,0000,,{\i1}Applause{\i0}\NHerald Angel: Thank you, Martin. We have
Dialogue: 0,0:32:33.13,0:32:37.45,Default,,0000,0000,0000,,time for questions, so if you have any\Nquestions or if someone on the Internet
Dialogue: 0,0:32:37.45,0:32:44.99,Default,,0000,0000,0000,,has questions just go to these\Nmicrophones. Where is the microphone?
Dialogue: 0,0:32:44.99,0:32:50.02,Default,,0000,0000,0000,,You've got it. Yes. You were black and the\Nmicrophone too. So maybe you start and we
Dialogue: 0,0:32:50.02,0:32:55.83,Default,,0000,0000,0000,,take the question from the Internet.\NQ: Yes I have a question. You mentioned
Dialogue: 0,0:32:55.83,0:33:02.51,Default,,0000,0000,0000,,that the phone needed to be offline. Would\Na call like a sim teen's call to the phone
Dialogue: 0,0:33:02.51,0:33:11.05,Default,,0000,0000,0000,,that it would be in what is called in\NEnglish - besetzt?- like occupied, so let's
Dialogue: 0,0:33:11.05,0:33:19.72,Default,,0000,0000,0000,,say I already called the victim. So the\Ncaller gets, yeah, the line's occupied,
Dialogue: 0,0:33:19.72,0:33:21.96,Default,,0000,0000,0000,,that would then go to voicemail, wouldn't\Nit?
Dialogue: 0,0:33:21.96,0:33:26.35,Default,,0000,0000,0000,,M.V.: So that's a great question.
I think\Nthe question is if you are on a call and
Dialogue: 0,0:33:26.35,0:33:31.43,Default,,0000,0000,0000,,someone else calls you, so your attack\Nwill be: I somehow make up a story to keep
Dialogue: 0,0:33:31.43,0:33:34.98,Default,,0000,0000,0000,,the person on the phone call while I\Nlaunch other calls... that will work. I
Dialogue: 0,0:33:34.98,0:33:38.85,Default,,0000,0000,0000,,tried that but the problem is usually to\Nforce, I mean that will not be too big of
Dialogue: 0,0:33:38.85,0:33:41.86,Default,,0000,0000,0000,,a deal I guess but it supports two calls,\Nright. They will warn you that there is
Dialogue: 0,0:33:41.86,0:33:45.72,Default,,0000,0000,0000,,another incoming call. But I guess you\Ncould keep doing more. So that's what I
Dialogue: 0,0:33:45.72,0:33:50.51,Default,,0000,0000,0000,,meant partly with call flooding. In\Nthat case what I tried was just launching
Dialogue: 0,0:33:50.51,0:33:53.91,Default,,0000,0000,0000,,all of them at the same time. And if the\Nperson picks up I don't care but it's
Dialogue: 0,0:33:53.91,0:33:57.49,Default,,0000,0000,0000,,somewhat related to what you mentioned and\Nthat's definitely possible.
Dialogue: 0,0:33:57.49,0:33:59.30,Default,,0000,0000,0000,,Questioner: Okay. Thank you.\NM.V.: Yeah.
Dialogue: 0,0:33:59.30,0:34:03.74,Default,,0000,0000,0000,,Herald: Question from the Internet please.\NSignal Angel: Does this work with the
Dialogue: 0,0:34:03.74,0:34:07.88,Default,,0000,0000,0000,,phone calls that start talking\Nimmediately, will the new code be
Dialogue: 0,0:34:07.88,0:34:12.16,Default,,0000,0000,0000,,recorded then?\NM.V.: If I understood the question
Dialogue: 0,0:34:12.16,0:34:16.43,Default,,0000,0000,0000,,correctly it's that when the voicemail\Npicks up, like basically the automated
Dialogue: 0,0:34:16.43,0:34:21.23,Default,,0000,0000,0000,,system that spits out the code already\Nstarted to talk.
I believe that's the
Dialogue: 0,0:34:21.23,0:34:23.23,Default,,0000,0000,0000,,question.\NHerald: We don't know, it's from the
Dialogue: 0,0:34:23.23,0:34:27.03,Default,,0000,0000,0000,,Internet.\NM.V.: OK so if that is the question I
Dialogue: 0,0:34:27.03,0:34:30.74,Default,,0000,0000,0000,,found actually that, because usually\Ngreeting messages last like 15 seconds so
Dialogue: 0,0:34:30.74,0:34:35.46,Default,,0000,0000,0000,,by the time it starts recording you\Nalready finished the recording that gives
Dialogue: 0,0:34:35.46,0:34:39.20,Default,,0000,0000,0000,,you the code, but you own the greeting\Nmessage so you make it as short as one
Dialogue: 0,0:34:39.20,0:34:44.47,Default,,0000,0000,0000,,second. And I never found a problem with\Nthat. You actually record DTMF tones for
Dialogue: 0,0:34:44.47,0:34:47.73,Default,,0000,0000,0000,,like two seconds.\NHerald: Ladies first, let me take your
Dialogue: 0,0:34:47.73,0:34:54.80,Default,,0000,0000,0000,,question.\NQ: You talked about how you learned all of
Dialogue: 0,0:34:54.80,0:35:07.59,Default,,0000,0000,0000,,that through reading e-zines. How are they\Ncalled, and how do I find them?
Dialogue: 0,0:35:07.59,0:35:10.98,Default,,0000,0000,0000,,M.V.: That's the best question I've ever\Nheard and it deserves an applause,
Dialogue: 0,0:35:10.98,0:35:15.77,Default,,0000,0000,0000,,seriously. I like that because you also\Nwant to learn about it. So that's
Dialogue: 0,0:35:15.77,0:35:20.19,Default,,0000,0000,0000,,really fantastic. So the Phrack Web site\Nis the best resource you can get. I guess
Dialogue: 0,0:35:20.19,0:35:26.73,Default,,0000,0000,0000,,everyone will agree here. So you just look\Nup, Google for Phrack magazine and there is
Dialogue: 0,0:35:26.73,0:35:32.04,Default,,0000,0000,0000,,a lot of interesting stuff that we\Ncan learn there still today.
Dialogue: 0,0:35:32.04,0:35:36.12,Default,,0000,0000,0000,,Q: Are there any others?\NM.V.: Yeah I mean you can then follow the
Dialogue: 0,0:35:36.12,0:35:42.04,Default,,0000,0000,0000,,classic. I mean I like Twitter to get my\Nsecurity news because it's very concise so
Dialogue: 0,0:35:42.04,0:35:47.18,Default,,0000,0000,0000,,I kind of get like you know the 140\Ncharacters version... if I'm interested
Dialogue: 0,0:35:47.18,0:35:51.98,Default,,0000,0000,0000,,then I will read it. So I think you can\NGoogle for like top security people to
Dialogue: 0,0:35:51.98,0:35:57.51,Default,,0000,0000,0000,,follow. Brian Krebs is great. It depends\Nalso on your technical depth. There are
Dialogue: 0,0:35:57.51,0:36:03.97,Default,,0000,0000,0000,,different people for that. And if not just,\Nyou know, specialized blogs and magazines.
Dialogue: 0,0:36:03.97,0:36:06.59,Default,,0000,0000,0000,,Q: All right. Thanks.\NM.V.: Thank you.
Dialogue: 0,0:36:06.59,0:36:10.81,Default,,0000,0000,0000,,Herald: And your question please.\NQ: Hi. And so for me the solution is
Dialogue: 0,0:36:10.81,0:36:14.70,Default,,0000,0000,0000,,obvious: I just turn off my voicemail. But\Nthinking about some relatives which are
Dialogue: 0,0:36:14.70,0:36:19.17,Default,,0000,0000,0000,,maybe too lazy or don't really care and\Nstill use two factor authentication. I was
Dialogue: 0,0:36:19.17,0:36:24.45,Default,,0000,0000,0000,,thinking about could I easily adapt your\Nscript to automatically turn off voice
Dialogue: 0,0:36:24.45,0:36:37.57,Default,,0000,0000,0000,,boxes or generate random PINs?\NM.V.: You can automate it to turn off the PIN. Like
Dialogue: 0,0:36:37.57,0:36:41.60,Default,,0000,0000,0000,,for example on Vodafone, I don't know why,\Nthat allows you to turn off the PIN. To turn
Dialogue: 0,0:36:41.60,0:36:47.43,Default,,0000,0000,0000,,off the voicemail... I don't... I haven't\Ntested that.
I think you may have to call
Dialogue: 0,0:36:47.43,0:36:51.57,Default,,0000,0000,0000,,the IT department but you know what. It\Nwould be really great to do that. It would
Dialogue: 0,0:36:51.57,0:36:55.63,Default,,0000,0000,0000,,be really awesome. Great question. I guess\Nif you can turn it off then you can turn
Dialogue: 0,0:36:55.63,0:37:00.04,Default,,0000,0000,0000,,it on as well. Yeah.\NHerald: Your question please.
Dialogue: 0,0:37:00.04,0:37:03.11,Default,,0000,0000,0000,,Q: Did Twilio ban you or did they find out\Nwhat you did?
Dialogue: 0,0:37:03.11,0:37:09.70,Default,,0000,0000,0000,,M.V.: I got some emails, I got some emails\Nbut they were really cool. I have to say
Dialogue: 0,0:37:09.70,0:37:13.74,Default,,0000,0000,0000,,that. I explained to them where I was\Ncoming from, I gave them my identity...
Dialogue: 0,0:37:13.74,0:37:18.18,Default,,0000,0000,0000,,like I wasn't hiding anything. Actually I\Nhad to pay quite some money because of
Dialogue: 0,0:37:18.18,0:37:21.65,Default,,0000,0000,0000,,all the calls that I was doing while I was\Ndoing the research, so I didn't hide my
Dialogue: 0,0:37:21.65,0:37:27.05,Default,,0000,0000,0000,,identity at all. So, they did detect\Nthat I was doing many calls and stuff like
Dialogue: 0,0:37:27.05,0:37:31.81,Default,,0000,0000,0000,,that. So there is, I guess, at the high\Nvolumes there is some detection, but
Dialogue: 0,0:37:31.81,0:37:35.97,Default,,0000,0000,0000,,Twilio is not the only service. So again\Nyou can switch between services, space it
Dialogue: 0,0:37:35.97,0:37:40.33,Default,,0000,0000,0000,,out, change caller IDs, a number of\Nthings.
Dialogue: 0,0:37:40.33,0:37:45.55,Default,,0000,0000,0000,,Herald: And one more question here.\NQ: Hi. You talked about being undetected
Dialogue: 0,0:37:45.55,0:37:50.40,Default,,0000,0000,0000,,when making all these calls by going\Ndirectly to these direct access numbers.
Dialogue: 0,0:37:50.40,0:37:56.03,Default,,0000,0000,0000,,In Germany it's very common that if\Nsomeone calls your voicemail you get an
Dialogue: 0,0:37:56.03,0:38:00.46,Default,,0000,0000,0000,,SMS text even if they don't leave a\Nmessage. But I suspect there's some kind
Dialogue: 0,0:38:00.46,0:38:05.37,Default,,0000,0000,0000,,of undocumented API to actually turn that\Noff through the menus. Have you looked
Dialogue: 0,0:38:05.37,0:38:08.71,Default,,0000,0000,0000,,into that?\NM.V.: No I haven't looked into that
Dialogue: 0,0:38:08.71,0:38:14.23,Default,,0000,0000,0000,,specifically. The question is that usually\Nin Germany for the carriers you'll get an
Dialogue: 0,0:38:14.23,0:38:18.22,Default,,0000,0000,0000,,SMS when you get a call. I\Nwonder... the test that I did on the
Dialogue: 0,0:38:18.22,0:38:22.25,Default,,0000,0000,0000,,German carriers, I was getting a text if I\Nwas leaving a message, not if someone was
Dialogue: 0,0:38:22.25,0:38:26.42,Default,,0000,0000,0000,,calling there. I guess you are talking\Nabout a missed call, that kind of
Dialogue: 0,0:38:26.42,0:38:32.09,Default,,0000,0000,0000,,notification. I'm not sure about it. What\NI do want to point out is remember that
Dialogue: 0,0:38:32.09,0:38:35.61,Default,,0000,0000,0000,,you can do this while the person is\Noffline, maybe on a long trip, so you can
Dialogue: 0,0:38:35.61,0:38:40.75,Default,,0000,0000,0000,,time it, and that will be a good precaution\NI guess to just not launch at any, you
Dialogue: 0,0:38:40.75,0:38:44.30,Default,,0000,0000,0000,,know, at any point in time, but you can\Njust always time it, and by the time the
Dialogue: 0,0:38:44.30,0:38:47.85,Default,,0000,0000,0000,,person gets a million texts it's too late.\NQ: Thanks.
Dialogue: 0,0:38:47.85,0:38:50.19,Default,,0000,0000,0000,,M.V.: Yeah.\NHerald: One more question over here
Dialogue: 0,0:38:50.19,0:38:55.20,Default,,0000,0000,0000,,please.\NQ: Thank you.
On apple phones you can Dialogue: 0,0:38:55.20,0:39:00.54,Default,,0000,0000,0000,,activate with some care the, what they\Ncall visual voicemail. Would that prevent Dialogue: 0,0:39:00.54,0:39:04.95,Default,,0000,0000,0000,,your attack to work, or..?\NM.V.: No there is actually, I believe he Dialogue: 0,0:39:04.95,0:39:11.55,Default,,0000,0000,0000,,was an Australian researcher, that looked\Ninto the visual voicemail and he was able Dialogue: 0,0:39:11.55,0:39:16.77,Default,,0000,0000,0000,,to find that in reality uses the IMAP, If\NI remember correctly, protocol, and for Dialogue: 0,0:39:16.77,0:39:23.11,Default,,0000,0000,0000,,some carriers he was able to to launch\Nbrute force attacks because the Dialogue: 0,0:39:23.11,0:39:28.45,Default,,0000,0000,0000,,authentication wasn't with the same pin as\Nyou get when you dial in. But he found at Dialogue: 0,0:39:28.45,0:39:34.82,Default,,0000,0000,0000,,least one carrier in Australia I believe\Nthat was vulnerable through visual Dialogue: 0,0:39:34.82,0:39:37.93,Default,,0000,0000,0000,,voice mail protocol. And I check for\NGerman carriers. I did that, I actually Dialogue: 0,0:39:37.93,0:39:43.01,Default,,0000,0000,0000,,follow the steps that he did, to see if\Nthat was worth mentioned in here. I didn't Dialogue: 0,0:39:43.01,0:39:49.10,Default,,0000,0000,0000,,find it to be vulnerable, but that doesn't\Nmean that that's not the case. Dialogue: 0,0:39:49.10,0:39:53.75,Default,,0000,0000,0000,,Herald: One more last question.\NQ: Thank you for the talk. What is your Dialogue: 0,0:39:53.75,0:39:58.09,Default,,0000,0000,0000,,recommendation to American carriers to\Nprotect themselves against this attack? Dialogue: 0,0:39:58.09,0:40:03.46,Default,,0000,0000,0000,,M.V.: I put a slight slide there. 
Like for\Nme I guess the most important thing is Dialogue: 0,0:40:03.46,0:40:07.84,Default,,0000,0000,0000,,really look at what some German carriers\Nare doing I really like that in the recent Dialogue: 0,0:40:07.84,0:40:12.94,Default,,0000,0000,0000,,past where it sends it to you over SMS as\Nsoon as it detects that someone dialed, Dialogue: 0,0:40:12.94,0:40:17.73,Default,,0000,0000,0000,,tried six times the wrong pin. I mean if\Nyou have physical access to a locked Dialogue: 0,0:40:17.73,0:40:22.62,Default,,0000,0000,0000,,device you could claim that if someone has\Nthe preview turned on the device you could Dialogue: 0,0:40:22.62,0:40:26.91,Default,,0000,0000,0000,,still see the pin, you know when you get\Nit so. But then it wouldn't be like a Dialogue: 0,0:40:26.91,0:40:33.90,Default,,0000,0000,0000,,remote attack anymore, so definitely\Ndetect brute forcing and shut down. I mean Dialogue: 0,0:40:33.90,0:40:38.49,Default,,0000,0000,0000,,we know that with the caller I.D. is not\Nworking so well for a Telecom, because I Dialogue: 0,0:40:38.49,0:40:43.44,Default,,0000,0000,0000,,was able to bypass it. But I know that,\Nbecause I did some test with HLR records Dialogue: 0,0:40:43.44,0:40:46.85,Default,,0000,0000,0000,,that you can actually tell the type of\Ndevice that it is, if it's a virtual Dialogue: 0,0:40:46.85,0:40:51.40,Default,,0000,0000,0000,,number. So if carriers could actually look\Nat the type of phone that is trying to Dialogue: 0,0:40:51.40,0:40:55.83,Default,,0000,0000,0000,,call in. I think if it's a virtual number,\Nyou know, red flag. If it's not I don't Dialogue: 0,0:40:55.83,0:40:59.40,Default,,0000,0000,0000,,think someone is going to have... I guess\Nthe government could like, you know have Dialogue: 0,0:40:59.40,0:41:05.81,Default,,0000,0000,0000,,3333 devices because you try one pin for\Nthe 10000 keyspace, you know. 
You try 3 Dialogue: 0,0:41:05.81,0:41:10.89,Default,,0000,0000,0000,,pins at a time and just have 3333 SIM\Ncards and so it will come from real Dialogue: 0,0:41:10.89,0:41:15.99,Default,,0000,0000,0000,,devices. But then at least it will quite\Nsignificantly mitigate it. And then like Dialogue: 0,0:41:15.99,0:41:22.85,Default,,0000,0000,0000,,again like if you ban DTMF tones from the\Ngreeting message that will help as well. Dialogue: 0,0:41:22.85,0:41:26.27,Default,,0000,0000,0000,,Herald: Thank you Martin. I have never\Nprovided any telephone number to any Dialogue: 0,0:41:26.27,0:41:32.23,Default,,0000,0000,0000,,platform and now thanks to you I know why.\NWarm applause for Martin Vigo please. Dialogue: 0,0:41:32.23,0:41:33.55,Default,,0000,0000,0000,,M.V.: Thank you Dialogue: 0,0:41:33.55,0:41:39.53,Default,,0000,0000,0000,,{\i1}applause{\i0} Dialogue: 0,0:41:39.53,0:41:45.10,Default,,0000,0000,0000,,{\i1}35c3 postroll music{\i0} Dialogue: 0,0:41:45.10,0:42:02.00,Default,,0000,0000,0000,,subtitles created by c3subtitles.de\Nin the year 2019. Join, and help us!