35C3 preroll music

Herald Angel: We start the next talk. It's by Martin Vigo. He stands here. He is a product security lead and researcher and he's responsible for mobile security, identity, and authentication. So he helps people design and secure systems and applications. And he has worked on stuff like breaking password managers or exploiting Apple's FaceTime to create a spy... yeah, a spy program. So give him a warm applause for his talk.

Applause

Martin Vigo: Thank you for joining me in this talk. I'm super excited to be here. It's actually my second year at the conference, so super, super excited that the first year I was sitting there, and the second year I'm sitting here. This is me, but an introduction was already made. Just pointing out that this is me, 9 years old, with an Amstrad CPC 6128. Did you have this machine? I see only one hand? I think this was sold in Europe, but I was playing here La Abadía del Crimen, which is the best video game ever written. If you guys like abandonware, you should definitely check it out.

So like any good research, we have to start by looking at previous art, right? We can learn a lot from researchers that did stuff in the past. And in this case I went all the way back to the 80s to understand what the phreakers of the time, when the hacking thing started, were doing to actually hack into voicemail systems. I condensed everything I learned into five different paragraphs from five different e-zines, that I actually got from the Phrack website, which is an amazing resource. So, here from Hacking Telephone Answering Machines, the paragraph that I extracted was that "You can just enter all 2-digit combinations until you get the right one", "A more sophisticated and fast way to do this is to take advantage of the fact that such machines typically do not read two numbers at a time, and discard them, but just look for the correct sequence". What is this about?
In older voicemail systems, if you enter 1234 for a 2-digit PIN, it will not only process 12 and 34 to verify the PIN, but it will also process 23, which is very interesting. In fact, in Hacking AT&T Answering Machines, again, this is amazing, from the 90s or 80s, we actually get the correct sequence to cover the entire 2-digit key space. So, if you enter all these, you are basically brute forcing the entire key space, without having to enter the entire thing that covers it. I also learned, from A Tutorial of Aspen Voice Mailbox Systems, that in the 80s there were default passwords. Surprise, surprise! But also that as humans, we actually have patterns when we choose PINs. And so we have the classics: 1111, 9999, 1234. And another thing that I learned in Hacking Answering Machines in the 90s was that "There is also the old 'change the message' secret to make it say something to the effect of this line accepts all toll charges so you can bill third party calls to that number". This is basically a trick used by inmates to get free calls. Basically, they would record in the voicemail a greeting message "yes, yes, yes", so when the automated system comes in and asks "Do you want to accept the toll charges from the call from the penitentiary?", it will go through and they will be able to make free calls. So, condensing everything and summarizing what I learned from looking at what previous hackers did in the 80s: we know what voicemail system security looked like... there were default PINs, there were common PINs, there were brute-forceable PINs, there was efficient brute forcing because we can enter multiple PINs at the same time, and the greeting message is actually an attack vector. So let's play a game. Let's do a checklist and let's look at voicemail security today.
So, I looked at the American carriers because I live in the US, but because I was invited to talk in Germany, I asked some friends to give me some SIM cards and I actually wanted to talk about German carriers as well. So, checklist time. Default PINs: all American carriers do have default PINs, and unfortunately they are really not a secret, because most of them are actually the last digits of your phone number. When it comes to German carriers it's actually a much better state; for example, for Vodafone it's the last 4 digits of the client number, which you don't know. I mean, you know it as the customer, not others; it's a secret. Or if it comes to CallYa, that is the card that I got, it's the last 4 digits of the PUK. For Telekom it's the last 4 digits of the card number, which is the card you get with the SIM card. For O2, unfortunately, there is a default PIN, which is 8705, which is the only PIN you can't set when you choose to set one. Yeah. So, voicemail security today when it comes to common PINs: according to a fantastic piece of research from Data Genetics, this is actually about people choosing PINs for their credit cards, but there were a lot of conclusions that I learned from this research, and basically, to summarize the most important regarding this work: for example, by trying the top 20 most common PINs, you have a 22 percent chance of getting the right one. What this means, in other words, is that for every fourth victim whose voicemail PIN I try to brute force, I will get it right. There are other conclusions that are very interesting, like the PINs mostly start with 19. Who has an idea why that is? Birth year, right? It is very common to set it as your birth year. Most of us were born in the 20th century... to set it as a PIN. Brute-forceable PINs: same thing in Germany and in the US, it accepts 4-digit PINs which, as we will see later, is just not enough key space.
Efficient brute forcing: all the carriers accept concatenation of payloads. So, in this case I use it to try different PINs and I don't even have to wait for error messages. I just use the pound key as kind of an enter in the voicemail system, and I can try three PINs at a time. Usually carriers will hang up when you enter three PINs wrong, for security purposes, but we will take advantage of that. So with everything that I learned from the 80s, I verified that it was still a problem today. I decided to write a tool that allows you to brute force voicemail systems fast, cheaply, easily, efficiently, and undetected. So, fast: I used Twilio... who is familiar with Twilio here? Some of you? So Twilio is basically an online service that allows you to programmatically interact with phone calls. You can make phone calls, interact with them, and all that. So I use it to launch hundreds and hundreds of calls at the same time in order to brute force PINs. It's cheap! The entire 4-digit key space costs 40 dollars. So if I want to have a 100 percent chance of getting your 4-digit PIN, I only have to pay 40 bucks. A 50 percent chance, according to the research from Data Genetics, will cost me five dollars. So once every two victims, I will get the PIN. Actually, if I want to take a different approach, and instead of just trying to brute force only yours, I want to brute force the PIN from everyone here, according to Data Genetics, and in this case, according to the fact that there are default PINs... I'm not going to ask how many of you have O2, now that they know that there is a default PIN for their voicemail system. It will be more interesting to actually try a thousand phone numbers for that default PIN for O2 customers, for only 13 dollars. It's easy: fully automated, the tool does everything for you, you just have to provide the victim number, the carrier, and a couple of other parameters. And it's efficient!
It optimizes brute forcing; I use the research from Data Genetics to favor the PINs that are most common, and obviously it tries different PINs and all that stuff. But the most important thing here is detection, because think about it. In order for me to interact with your voicemail system I need to call you, and you cannot pick up, because if not, it doesn't go to the voicemail system. So I was trying to find ways, because in the end I need to make a lot of calls, trying different PINs. How can I interact directly with your voicemail? I tried call flooding, basically doing three calls at a time, because the line gets flooded with just three calls and it goes directly to the voicemail, but it wasn't very reliable. You can use OSINT techniques: a lot of people like to tweet that they, you know, go on a trip, they are about to board a plane, so it goes into airplane mode, or you go into a remote area, or you are in a movie theater, or at night you put it in Do Not Disturb. Those are all situations in which calls go directly to the voicemail. You can use the HLR database to find out if mobile devices are disconnected or the SIM cards have been discarded but are still assigned to an account. And you can use online services like realphonevalidation.com, which I actually reached out to, and they provide services that allow you to know if a phone is actually connected to a tower at the moment, so it's basically available, so you could use that too. You can also use class 0 SMS, which gives you feedback. It's basically a type of SMS that has more priority and will basically display on the screen, and you'll get feedback if it was displayed. So, that's a nice trick to find out if the phone is actually connected to a tower. But in reality, I wanted a bulletproof way to do this, and in the U.S. I found that there is this concept of backdoor voicemail systems.
So instead of me calling you, I'm going to call one of these services that you have listed here for every carrier, and there I enter the number, in this case the number of the victim whose voicemail I want to interact with. And of course it allows you access to the login prompt. Actually, in Germany I find it interesting that you guys have it as a service, because in the US it's more of a secret that I had to find using Google, but here... Basically, if I dial your phone number and, when it comes to Vodafone, between the area code and the rest of the number I put 55, or for Telekom 13, or for O2 33, I directly go to the voicemail; it won't ring your phone. So I can use that. Who was aware of this, from Germany? OK, many of you. So that's what I thought. Like here it's not really something you guys care too much about. In the U.S. it's actually used a lot by scammers, or by spammers to directly leave voicemail messages as well. So, voicemailcracker actually takes advantage of backdoor numbers, so it allows you to be undetected. I don't need to call you, I don't need to wait till you are flying, I can do that. And for example for the U.S. it's great, because when I launch that many calls, the line gets flooded even if you are offline. But when I use these backdoor voicemail systems, because they are meant to be used by everyone, those don't get flooded. So I literally make hundreds and hundreds of calls and it never fails. So, but you know, carriers, or some of them, add brute force protections, right? So that you can't actually launch brute forcing attacks. And I looked at the German carriers and for example Vodafone: I saw that it resets the 6-digit PIN and sends it over SMS. So, I guess I can flood your phone with texts, but who cares, that's not a big deal, but I think it's actually a pretty effective measure against voicemail... against brute forcing. Telekom blocks the caller ID from accessing the mailbox or even leaving messages.
I tried, and after six wrong attempts, every time I call it says "Hey, you can't do anything", and it hangs up. And for O2 it connects directly to the customer help-line, but someone started talking German and my German is not that good. So for brute forcing, I wanted to be able to bypass this, and so if you look at Telekom, I mentioned that it blocks the caller ID, but it turns out that with Twilio you can actually buy caller IDs; well, you can buy phone numbers, right? And they are really cheap. So it's very easy for me to do randomization of caller IDs for very, very cheap and bypass Telekom's brute force protection. So voicemailcracker also supports that. It supports caller ID randomization. So let's do the first demo. So as you can see here, on the left is the victim's mobile device, and on the right is the tool. And in this case I'm going to use the brute force option. The brute force option allows me to basically brute force the PIN. It makes hundreds of calls, as I explained, and it'll try to guess it. And there are a number of parameters like the victim number, the carrier... the carrier is important because there are specific payloads for every single carrier, because all the voicemail systems are different in how you interact with them, and in this case I'm using a backdoor number because it's more efficient. And then there is no detection. And in this case I chose the option "top PIN". So this is basically trying the top 20 PINs according to the research for four digits. So as you can see it's actually trying three PINs at a time, as I mentioned before, rather than one. So we have to do a third of the calls, right? And how do you think that I'm detecting if the PIN was correct or not? Any ideas?

Unintelligible suggestion from audience

M.V.: OK. So the disconnect and hang up. That's what I heard. And that's exactly right.
If you think about it, I can look at the call duration, because when I try three PINs and it hangs up, it's always the same call duration. For T-Mobile in this case it's like 18 seconds. So I instruct Twilio, after dialing and entering the payload to interact with the voicemail system trying the PINs, to wait 10 extra seconds. So all I've got to do... I don't need any sound processing to try to guess what the voicemail voice is telling me, if it's correct or not. I just use the call duration. So if the call duration is ten times longer, then I know that's the right PIN, because it logged in. So as you can see it found out that one of those three is actually the correct one: in this case it's 1983. So in order to give you the exact one, because at that time it tried the three of them, now it's trying one by one, and it may look like it's taking longer than it should for only 20 PINs, but remember failing PINs is very, very quick. It's just that because in the top 20 it already found the right PIN, it takes longer than it should, and there you go. We got that it's 1983. Awesome. So what is the impact really? Why am I here talking to you at CCC, that has such amazing talks, right? And this is really the thing about this. No one cares about the voicemail. Probably if I ask here, who knows his own voicemail PIN?

laughter

M.V.: Nice. That's what I was expecting. Probably fewer hands here. So some of them are lying, but that's the thing, right? We don't care about the voicemail. We don't even use it, which is the crazy thing here. We have an open door for discussing an issue that we don't even know about or we don't even remember. So many people are not familiar with the fact that you can reset passwords over a phone call. We are familiar with resetting passwords over e-mail. You get a unique link; maybe over SMS you get a code that you then have to enter in the UI. But a lot of people cannot receive SMS, or that's what services claim.
So they allow you to get that temporary code over a phone call, and that's exactly what we take advantage of, because I ask you: what happens if you don't pick up the phone? If basically I go to a service, enter your e-mail or your phone number and reset a password, and everyone can do that. Anyone can initiate the reset password process, and I know that you are not going to pick up the phone. I know that thanks to my tool I got access to your voicemail system. So basically the voicemail system will pick up the call and it will start recording, so it will record the voice spelling out the code that I need to basically reset your account and get access to it. So -- oops! -- and I press play here.

Static

M.V.: Okay, so, what does the attack vector look like? You brute force the voicemail system using the tool, ideally using backdoor numbers. For that particular call -- that is, the call that the victim will receive once you initiate the password reset -- that one cannot go through the backdoor number, right? Because PayPal is gonna directly call the victim. So for that one you need to make sure that the victim is not connected to a tower, through all the methods that I showed before. You start the password reset process using the "call me" feature. You listen to the recorded message, secret code, and profit. You hijacked that account, and Voicemailcracker can do all that for you. Let's compromise WhatsApp. So on the left you see my number, right?, with a secret lover group, and a secret group, and all that stuff. On the right, notice that I'm not even using an actual device. It's an Android emulator on which I installed an APK. And there is some sound to this, and you are gonna see -- so again on your left it's the victim's number. On the right is an emulator of the attacker. So you'll see that I'm going to use my tool with the message payload, with the message option.
So in this case what I'm doing is I'm setting the victim's phone to airplane mode, simulating that it's now offline for some reason, and I detected that. So if you see, WhatsApp sends you a text to actually register as a WhatsApp user, but if you don't reply in a minute it gives you an option to call, to call me, right? And that's exactly what I click. So now WhatsApp is basically calling the victim, which is again in airplane mode, because he went on a remote trip or on a plane, and so I'm using Voicemailcracker with the option "message" to automatically retrieve that newest message. So the tool is gonna provide me, as you can see, the last option is the PIN, because I brute forced it before. So it's going to give me a URL with the recording of the newest message, which, hopefully -- it's a recorded demo -- hopefully actually contains the code. So let's see... I got the URL.

Phone alert sound

Computerized phone voice: New Message! --

M.V.: It's interacting with the voicemail system right now.

Phone voice: -- your verification code is: 3 6 5 9 1 5. Your verification code is: 3 6 5 9 1 5. Your ver--

M.V.: And that simple. We just hijacked that person's WhatsApp, and I -- here I'm fast forwarding just to show you --

Applause

M.V.: -- that you actually get that. Thank you. I do want to point out that WhatsApp is super secure, it like-- end-to-end encryption and all that -- and there are a number of things by which you can notice this attack. For example, you wouldn't be able to see the previous messages that were there, but you can just hold on and ask people, right? The groups will pop up. So you hijacked that WhatsApp account. There is also fingerprinting. But who really pays attention to the fingerprinting when someone changes the device, right? So are we done? Not yet. Because the truth is, some researchers talked about this in the past, and actually services slowly tried to pick up on it. So that is actually something that I found in several services.
That is what I call the user-interaction-based protection. So when you receive that phone call that provides you with the temporary code, in reality it's not giving it away. You have to press a key. It comes in three different flavors from what I found in my tests. "Please press any key to hear the code", so when you get the call, you have to press, and then it will tell you the code; "please press a random key", so specifically please press 1, please press 2; or "please enter the code". PayPal does that, and instead of you having to press a key to hear the code, when you reset the password you will see a four-digit code that you have to enter when you receive the call, and then it will reset the password. So I'm going to get the help of all of you guys. Can we beat this currently recommended protection, what is nowadays recommended to prevent these kinds of attacks? And we're going to play a game. I'm going to give you two hints. This is the first one. So, you probably are familiar with this, but Captain Crunch. Again we go back to the past; we can learn so much from them. He used this to generate specific sounds at a specific frequency to basically -- you can go and read it -- get free international calls. So he would create that sound and the system would process it on the line. And the second one is that I cheated. When we did the checklist, I actually skipped one, which was that the greeting message is an attack vector. So I ask you guys: how can we bypass the protection that requires user interaction in order to get the code recorded on the voicemail system?

Inaudible suggestion from audience

M.V.: What was that?... Exactly. Record DTMF tones as the greeting message. We own the voicemail system, so we can alter the greeting message. So this is exactly how it works: we just alter the greeting message with the DTMF that the system is expecting, and it works every single time.
The best thing about this is what really is so awesome about all of us that really care about technology. We want to have a deep understanding, because when I was asking people, when, you know, I wanted to show them this, I was asking them how this protection really works. And they would say, well, you have to press a key and then, you know, it will give you the code. But that's not really true. What you have to do is provide a specific sound that the system is expecting. That is different from saying you have to press a key, because if you say I have to press a key, that requires physical access. If you say I have to provide a sound, now we know it doesn't require physical access. That is why hackers are so cool, because we really want to understand what is happening backstage, and we take advantage of that. So what does the attack vector look like? Brute forcing voicemail systems as before. So basically we have an extra step, which is to update the greeting message according to the account to be hacked, and Voicemailcracker can do that for you. Let's compromise PayPal.

Laughter

M.V.: So on the left side you see that, as before, I brute force the PIN of the voicemail. And in this case on the right side I'm going to start a password reset for that account. So I do that and I choose "please call me with a temporary code". But in this case PayPal works differently, because it will show me a four-digit code that I need to enter when I receive the call in order to reset the password. So you see that here I'm using the greeting option. So the greeting option is going to allow me to enter a payload that I want to record as the greeting message. In this case it is 6 3 5 3. So I may be very, very verbose for this demo. There you see the last option, "use PayPal code", and I enter 6 3 5 3.
Now the tool is going to use the PIN to log into the voicemail system, interact with it, change the greeting message, record the DTMF tones according to 6 3 5 3, and then it should be able to fool the call. In this case I'm asking it to call again, because it didn't have enough time to do that. And in 3, 2, 1 we should get that we actually compromised the PayPal account, and there we go. We can now set our own password.

Applause

M.V.: Thank you. So, I showed you some vulnerable services. Let's go very quickly over it, because I'm concerned I'm running out of time. So, I'm just mentioning Alexa top 100 types of services, not favoring anything, but... so for password reset that is supported over phone call: PayPal, Instagram-- no, Snapchat-- Netflix, eBay, LinkedIn. I'm still on Facebook. What can I say? 2FA for all the major forms, so 2FA over phone call for Apple, Google, Microsoft, Yahoo... Verification: so basically you don't register with a username and password on WhatsApp or Signal, you actually use the phone number directly, right? As we saw before, and you register through a phone call or SMS. So you can compromise this too. Twilio, the very service that I use for this, is actually really cool because you can own a caller ID by verifying it by getting a phone call, so I can actually own your caller ID and make calls on your behalf, send texts, and all of this legitimately, right?, because you've pressed one. Google Voice is actually another interesting service, because it's used a lot by scammers, right? And this is the same thing: you have to verify ownership so you can make those phone calls, and you can fool it as well with this. But I was looking at what other services really take advantage of this, and this is super common in San Francisco, where I live. You can buzz people in when they want to enter, right? They enter your house number, and then your phone rings and you press any key to open the door. So we are talking about physical security now.
And I've seen this in offices as well. They all work this way, basically because they want to be able -- for tenants that, you know, come and go -- to switch that very quickly. So it works just through the phone that you buzz people in with. But my favorite is consent, because when we think about consent we think about lawyers and we think about signing papers and we think about all of these difficult things. And I found out about this LocationSmart service, which is not there anymore, and you will see why... But this was recently in the news because, basically, Brian Krebs wrote a really great article about it. But I'm going to let you hear, from their YouTube channel, how LocationSmart works.

LS vid speaker 1: The screen that you're seeing right now is a demo that we have on our website, it's at locationsmart.com/pride, and I've entered my name, my email, my mobile phone number, and it's again going to get my permission by calling my phone, and then it'll locate. So let's go ahead and, I clicked the box to say yes I agree, click the locate, and the screen now shows that it's going to call my device to get my permission.

vid speaker's phone vibrates, sounds like an airhorn in video

LS vid speaker 2: Heh, that's a nice ring tone --

M.V.: No, it's not--

LS vid speaker 1's phone: To log into LocationSmart Services, press 1 or say 'Yes'. To repeat, press 2 or say 'Repeat'.

LSVS1: Yes

Phone: Congratulations. You have been opted in to LocationSmart Services. Goodbye.

M.V.: So as you see, this service, this website had a free demo that allowed you to put in a phone number -- yours, of course -- and you would get a phone call and then you would give permission by pressing one. So someone could locate you and keep tracking -- I mean, I checked with them -- for up to 30 days, real time. So now you know why they don't exist anymore!

Applause

M.V.: Open source..

More Applause

M.V.: Open source.
So, and this was with the permission of the carriers. This was not some fishy thing. This was actually a service. So I wanted to release code, because I want you guys to verify that what I mentioned is true and have code to hopefully help push the industry forward to make voicemail systems more secure, right? We want to push carriers to do so. But I didn't want to provide a tool that works out of the box and anyone can very easily, as we saw, just start to brute force PINs, especially because I saw that there are so many people with the default PINs out there. So I just removed the brute forcing, so the tool allows you to test it on your own. You can test, you know, you can test the greeting message, you can test retrieving messages, compromising the services and all that. So the tool allows you to test on your own device. I won't give you code to brute force someone else's device. And feel free to go to my GitHub repo. So now, like in all the talks, come the recommendations, but I know what you guys are thinking, right? When someone comes with all this paranoia and stuff, you still think "yeah, but you know, still, no one is gonna come after me. I don't have anything to hide" or anything like that. So I wanted to give you reasons why you should still care about this, and why we need to do better. Because do carriers set default PINs? Yes, we saw that. Is testing for default PINs cheap, fast, undetected, and automatable? Yes it is. Is updating the greeting message automatable? Yes it is. Is retrieving the newest message automatable? Yes it is. Is there speech-to-text transcription, so that I can get the sound that I played before with the code and get it in text? Yeah. Twilio gives you that as well. So can the account compromise process be automated? Of course, you can use Selenium if you want to automate the UI. Or you can use a web proxy and look at the APIs and do it yourself.
So it is only a matter of time before someone actually does all these steps that I showed you step by step and just makes it all straight and starts to go over phone numbers trying the default PINs, and just automatically compromising services like WhatsApp, like PayPal and all that. You can basically, not a worm, but, you know, you can compromise a lot of devices without doing anything.

Recommendations for online services. Don't use automated calls for security purposes. If not possible, detect answering machines and fail. I mean, this is not very accurate and you can still trick it. Require user interaction before providing the secret. I just showed you how to bypass that, but that's with the hope that carriers ban DTMF tones from the greeting message. I don't see why that should be supported, right?

Recommendations for carriers. The most important thing: ban DTMF tones from the greeting message. Eliminate backdoor voicemail services, or at least give no access to the login prompt, right? There is no reason why you should be able to access your voicemail directly to leave a message. But then I can access the login prompt by pressing star. Voicemail disabled by default. This is very important, and it can only be activated from the actual phone, or online, maybe with a special code. Oh great, I have time for questions. No default PINs. Learn from the German carriers: don't allow common PINs, detect and prevent brute force attempts, don't process multiple PINs at once.

Recommendations for you, which is, in the end, very important here. Disable the voicemail if you don't use it. I found, though, that with some carriers you're still... through the backdoor voicemail numbers you are unable to activate it again. So that kind of sucks. So I guess use the longest possible random PIN. Don't provide phone numbers to online services unless required, or if it's the only way to get 2FA. 2FA is more important.
Use a virtual number to prevent OSINT, like a Google Voice number, so no one can, you know, learn about your phone number digits by resetting the password or do SIM swapping. Use 2FA apps only. And I always like to finish my talk with one slide that kind of summarizes everything. Automated phone calls are a common solution for password reset, 2FA, verification, and other services. These can be compromised by leveraging old weaknesses and current technology to exploit the weakest link: voicemail systems. Thank you so much. Dankeschön, CCC!

Applause

Herald Angel: Thank you, Martin. We have time for questions, so if you have any questions, or if someone on the Internet has questions, just go to these microphones. Where is the microphone? You've got it. Yes. You were black and the microphone too. So maybe you start and then we take the question from the Internet.

Q: Yes, I have a question. You mentioned that the phone needed to be offline. Would a call like a simultaneous call to the phone, so that it would be in what is called in English -- besetzt? -- like occupied... so let's say I already called the victim. So the caller gets, yeah, the line's occupied. That would then go to voicemail, wouldn't it?

M.V.: So that's a great question. I think the question is, if you are on a call and someone else calls you... so your attack will be: I somehow make up a story to keep the person on the phone call while I launch other calls... that will work. I tried that, but the problem is usually to force... I mean, that will not be too big of a deal, I guess, but it supports two calls, right? They will warn you that there is another incoming call. But I guess you could keep doing more. So that's what I meant partly with the call flooding. In that case what I tried was just launching all of them at the same time. And if the person picks up, I don't care, but it's somewhat related to what you mentioned and that's definitely possible.

Questioner: Okay. Thank you.

M.V.: Yeah.
Herald: Question from the Internet, please.

Signal Angel: Does this work with the phone calls that start talking immediately? Will the new code be recorded then?

M.V.: If I understood the question correctly, it's that when the voicemail picks up, basically the automated system that spits out the code has already started to talk. I believe that's the question.

Herald: We don't know, it's from the Internet.

M.V.: OK, so if that is the question: I found actually that, because usually greeting messages last like 15 seconds, by the time it starts recording you have already finished the recording that gives you the code. But you own the greeting message, so you make it as short as one second. And I never found a problem with that. You actually record DTMF tones for like two seconds.

Herald: Ladies first, let me take your question.

Q: You talked about how you learned all of that through reading e-zines. What are they called, and how do I find them?

M.V.: That's the best question I've ever heard, and it deserves an applause, seriously. I like that, because you also want to learn about it. So that's really fantastic. So the Phrack website is the best resource you can get. I guess everyone will agree here. So you just google for Phrack magazine, and there is a lot, a lot of interesting stuff that we can learn there still today.

Q: Are there any others?

M.V.: Yeah, I mean, you can then follow the classics. I mean, I like Twitter to get my security news because it's very concise, so I kind of get, like, you know, the 140-character version... if I'm interested, then I will read it. So I think you can google for, like, top security people to follow. Brian Krebs is great. It depends also on your technical depth. There are different people for that. And if not, just, you know, specialized blogs and magazines.

Q: All right. Thanks.

M.V.: Thank you.

Herald: And your question, please.

Q: Hi. So for me the solution is obvious: I just turn off my voicemail.
But thinking about some relatives who are maybe too lazy or don't really care and still use two-factor authentication, I was thinking: could I easily adapt your script to automatically turn off voice boxes or generate random PINs?

M.V.: You can automate it to turn off the PIN. Like, for example, on Vodafone, I don't know why, they allow you to turn off the PIN. To turn off the voicemail... I don't... I haven't tested that. I think you may have to call the IT department, but you know what, it would be really great to do that. It would be really awesome. Great question. I guess if you can turn it off, then you can turn it on as well. Yeah.

Herald: Your question, please.

Q: Did Twilio ban you, or did they find out what you did?

M.V.: I got some emails, I got some emails, but they were really cool, I have to say that. I explained to them where I was coming from, I gave them my identity... like, I wasn't hiding anything. Actually I had to pay quite some money because of all the calls that I was doing while I was doing the research, so I didn't hide my identity at all. So they did detect that I was doing many calls and stuff like that. So there is, I guess, at high volumes there is some detection, but Twilio is not the only service. So again, you can switch between services, space it out, change caller IDs, a number of things.

Herald: And one more question here.

Q: Hi. You talked about being undetected when making all these calls by going directly to these direct access numbers. In Germany it's very common that if someone calls your voicemail, you get an SMS text, even if they don't leave a message. But I suspect there's some kind of undocumented API to actually turn that off through the menus. Have you looked into that?

M.V.: No, I haven't looked into that specifically. The question is that usually in Germany, for the carriers, you'll get an SMS when you get a call. I wonder...
In the tests that I did on the German carriers, I was getting a text if I was leaving a message, not if someone was calling there. I guess you are talking about a missed-call kind of notification. I'm not sure about it. What I do want to point out is: remember that you can do this while the person is offline, maybe on a long trip, so you can time it, and that will be a good precaution, I guess, to just not launch it at, you know, any point in time, but you can always time it, and by the time the person gets a million texts, it's too late.

Q: Thanks.

M.V.: Yeah.

Herald: One more question over here, please.

Q: Thank you. On Apple phones you can activate, with some care, what they call visual voicemail. Would that prevent your attack from working, or...?

M.V.: No. There is actually, I believe he was an Australian researcher, who looked into the visual voicemail, and he was able to find that in reality it uses the IMAP protocol, if I remember correctly, and for some carriers he was able to launch brute-force attacks because the authentication wasn't with the same PIN as you get when you dial in. But he found at least one carrier, in Australia I believe, that was vulnerable through the visual voicemail protocol. And I checked for German carriers. I did that, I actually followed the steps that he did, to see if that was worth mentioning here. I didn't find them to be vulnerable, but that doesn't mean that that's not the case.

Herald: One more, last question.

Q: Thank you for the talk. What is your recommendation to American carriers to protect themselves against this attack?

M.V.: I put a slide there. Like, for me, I guess the most important thing is to really look at what some German carriers are doing. I really like that, in the recent past, where it sends it to you over SMS as soon as it detects that someone dialed, tried six times the wrong PIN.
I mean, if you have physical access to a locked device, you could claim that if someone has the preview turned on on the device, you could still see the PIN, you know, when you get it. But then it wouldn't be a remote attack anymore. So definitely detect brute-forcing and shut down. I mean, we know that the caller ID is not working so well for Telekom, because I was able to bypass it. But I know, because I did some tests with HLR records, that you can actually tell the type of device that it is, if it's a virtual number. So if carriers could actually look at the type of phone that is trying to call in... I think if it's a virtual number, you know, red flag. If it's not, I don't think someone is going to have... I guess the government could, like, you know, have 3333 devices, because you try one PIN for the 10000 keyspace, you know. You try 3 PINs at a time, and just have 3333 SIM cards, and so it will come from real devices. But then at least it will quite significantly mitigate it. And then, again, if you ban DTMF tones from the greeting message, that will help as well.

Herald: Thank you, Martin. I have never provided any telephone number to any platform, and now, thanks to you, I know why. Warm applause for Martin Vigo, please.

M.V.: Thank you.

Applause

35C3 postroll music

Subtitles created by c3subtitles.de in the year 2019. Join, and help us!