WEBVTT
00:00:00.000 --> 00:00:17.790
35C3 preroll music
00:00:17.790 --> 00:00:25.360
Herald Angel: We start the next talk. It's
by Martin Vigo. He stands here. He is a
00:00:25.360 --> 00:00:32.500
product security lead and researcher and
he's responsible for mobile security,
00:00:32.500 --> 00:00:39.860
identity, and authentication. So he helps
people design and secure systems and
00:00:39.860 --> 00:00:46.710
applications. And he has worked on stuff
like breaking password managers or
00:00:46.710 --> 00:00:57.500
exploiting Apple's FaceTime to create a
spy... yeah, a spy program. So give him a
00:00:57.500 --> 00:01:09.360
warm applause for his talk.
Applause
00:01:09.360 --> 00:01:12.650
Martin Vigo: Thank you for joining me in
this talk. I'm super excited to be here.
00:01:12.650 --> 00:01:16.500
It's actually my second year at the
conference, so super super excited that
00:01:16.500 --> 00:01:20.490
the first year I was sitting there, and
the second year I'm sitting here. This is
00:01:20.490 --> 00:01:24.980
me, but an introduction was already made.
Just pointing out that this is me, 9 years
00:01:24.980 --> 00:01:32.640
old, with an Amstrad CPC 6128. You had
this machine before? I see only one hand?
00:01:32.640 --> 00:01:36.480
I think this was sold in Europe, but I was
playing here La Abadía del Crimen, which
00:01:36.480 --> 00:01:40.770
is the best video game ever written. If
you guys like abandonware, you should
00:01:40.770 --> 00:01:45.410
definitely check it out. So like any good
research we have to start by looking at
00:01:45.410 --> 00:01:49.860
previous art, right? We can learn a lot
from researchers that did stuff in the
00:01:49.860 --> 00:01:55.800
past. And in this case I went all the way
back to the 80s to understand how phreakers
00:01:55.800 --> 00:01:59.590
of the time, when the hacking thing
started, were doing to actually hack into
00:01:59.590 --> 00:02:06.110
voicemail systems. I condensed everything
I learned in five different paragraphs of
00:02:06.110 --> 00:02:11.670
five different essences, that I actually
got from the Phrack website, which is an amazing
00:02:11.670 --> 00:02:16.870
resource. So, here from the Hacking
Telephone Answering Machines, the
00:02:16.870 --> 00:02:20.840
paragraph that I extracted was that "You
can just enter all 2-digit combinations
00:02:20.840 --> 00:02:25.240
until you get the right one", "A more
sophisticated and fast way to do this is
00:02:25.240 --> 00:02:29.200
to take advantage of the fact that such
machines typically do not read two numbers
00:02:29.200 --> 00:02:33.330
at a time, and discard them, but just look
for the correct sequence". What is this
00:02:33.330 --> 00:02:41.650
about? In older voicemail systems if you
will enter like 1234 for the 2-digit PIN,
00:02:41.650 --> 00:02:47.770
it will not only process 12 and 34 to verify
the PIN, but it will also process 23,
00:02:47.770 --> 00:02:52.280
which is very interesting. In fact, in
Hacking AT&T Answering Machines, again,
00:02:52.280 --> 00:02:56.960
this is amazing from the 90s or 80s, we
actually get the correct sequence to cover
00:02:56.960 --> 00:03:01.230
the entire 2-digit key space. So, if you
enter all these, you are basically brute
00:03:01.230 --> 00:03:05.770
forcing the entire key space, without
having to enter in the entire thing that
00:03:05.770 --> 00:03:11.541
covers it. I also learned, from A Tutorial
of Aspen Voice Mailbox Systems, that in
00:03:11.541 --> 00:03:16.319
the 80s there were default passwords.
Surprise, surprise! But also that as
00:03:16.319 --> 00:03:21.660
humans, we actually have patterns when we
choose PINs. And so we have the classics:
00:03:21.660 --> 00:03:28.230
1111, 9999, 1234. And another thing that I
learned in Hacking Answering Machines in
00:03:28.230 --> 00:03:32.700
the 90s, was that "There is also the old
'change the message' secret to make it say
00:03:32.700 --> 00:03:36.970
something to the effect of this line
accepts all toll charges so you can bill
00:03:36.970 --> 00:03:41.849
third party calls to that number". This is
basically a trick used by inmates to get
00:03:41.849 --> 00:03:46.160
free calls. Basically, they would record
in the voicemail a greeting message "yes,
00:03:46.160 --> 00:03:49.750
yes, yes", so when the automated system
comes in and asks "Do you want to accept
00:03:49.750 --> 00:03:53.890
the toll charges from the call from the
penitentiary", it will go and they will be
00:03:53.890 --> 00:03:59.940
able to do free calls. So, condensing
everything and summarizing what I
00:03:59.940 --> 00:04:04.350
learned from looking at what previous
hackers did in the 80s: we know that the
00:04:04.350 --> 00:04:08.780
voicemail system security looked like...
there were default PINs, there were common
00:04:08.780 --> 00:04:12.650
PINs, there were bruteforceable PINs, there
was efficient bruteforcing because we can
00:04:12.650 --> 00:04:16.779
enter multiple PINs at the same time, that
the greeting message is actually an attack
00:04:16.779 --> 00:04:21.470
vector. So let's play a game. Let's do
checklist and let's look at the voicemail
00:04:21.470 --> 00:04:26.970
security today. So, I looked at the
American carriers because I live in the
00:04:26.970 --> 00:04:32.340
US, but because I was invited to talk in
Germany, I took some friends to give me
00:04:32.340 --> 00:04:37.190
some SIM cards and I actually wanted to
put about German carriers as well. So,
00:04:37.190 --> 00:04:41.490
checklist time, default PINs: all American
carriers do have default PINs and
00:04:41.490 --> 00:04:45.940
unfortunately they are really not a secret
because most of them are actually the last
00:04:45.940 --> 00:04:51.060
digits of your phone number. When it comes
to German carriers it's actually a much
00:04:51.060 --> 00:04:54.840
better state, for example for Vodafone it's
the last 4 digits of the client number
00:04:54.840 --> 00:04:59.530
which you don't know. I mean, you know as
the customer, not others, it's a secret.
00:04:59.530 --> 00:05:03.650
Or if it comes to the CallYa, that is the
card that I got, it's the last 4 digits of
00:05:03.650 --> 00:05:07.440
the PUK. For Telekom it's the last 4
digits of the card number, which is the
00:05:07.440 --> 00:05:11.590
card you get with the SIM card. For O2,
unfortunately, there is a default PIN,
00:05:11.590 --> 00:05:18.440
which is 8705, which is the only PIN you
can't set, when you choose to set one.
00:05:18.440 --> 00:05:23.680
Yeah. So, voicemail security today when it
comes to common PINs: according to like a
00:05:23.680 --> 00:05:28.180
fantastic research from Data Genetics,
this is actually about people choosing
00:05:28.180 --> 00:05:33.530
PINs for their credit cards, but there was
a lot of conclusions that I learned from
00:05:33.530 --> 00:05:38.500
this research and basically, to summarize
the most important regarding this work, is
00:05:38.500 --> 00:05:44.940
that for example by trying the top 20 most
common PINs, you have a 22 percent chance
00:05:44.940 --> 00:05:50.060
of getting the right one. What this means
in other words is for every fourth victim
00:05:50.060 --> 00:05:53.990
that I tried to brute force the PIN from
their voicemail system, I will get it
00:05:53.990 --> 00:05:58.290
right every fourth person. There are other
conclusions that are very interesting
00:05:58.290 --> 00:06:08.660
like, the PINs mostly start with 19. Who has
an idea why that is? Birth year, right? It's
00:06:08.660 --> 00:06:13.819
very common to set as your birth year.
Most of us were born in the 20th
00:06:13.819 --> 00:06:20.440
century... to set it as a PIN.
Bruteforceable PINs. Same thing in Germany
00:06:20.440 --> 00:06:24.650
and in the US, it accepts 4-digit PINs
which, we will see later, is just not
00:06:24.650 --> 00:06:29.970
enough key space. Efficient bruteforcing
all the carriers accept concatenation of
00:06:29.970 --> 00:06:34.880
payload. So, in this case I use it to try
different PINs and I don't even have to
00:06:34.880 --> 00:06:38.919
wait for error messages. I just use the
pound as kind of like an enter in a
00:06:38.919 --> 00:06:43.270
voicemail system and I can try three PINs
at a time. Usually carriers will hang up
00:06:43.270 --> 00:06:46.710
when you enter three PINs wrong, for
security purposes, but we will take
00:06:46.710 --> 00:06:52.289
advantage of that. So with everything that
I learned from the 80s, I verified that it
00:06:52.289 --> 00:06:56.711
was still a problem today. I decided to
write a tool that allows you to brute
00:06:56.711 --> 00:07:01.970
force voicemail system fast, cheap,
easily, efficiently, and undetected. So,
00:07:01.970 --> 00:07:08.179
fast: I used Twilio... who is familiar
with Twilio here? Some of you? So Twilio
00:07:08.179 --> 00:07:11.950
is basically an online service that
allows you to programmatically interact
00:07:11.950 --> 00:07:15.410
with phone calls. You can make phone
calls, interact with them, and all that.
00:07:15.410 --> 00:07:18.780
So I use it to launch hundreds and
hundreds of calls at the same time in
00:07:18.780 --> 00:07:24.150
order to brute force PINs. It's cheap! The
entire 4-digit keyspace costs 40 dollars.
00:07:24.150 --> 00:07:29.490
So if I want to have a 100 percent chance
of getting your 4-digit PIN, I only have
00:07:29.490 --> 00:07:33.460
to pay 40 bucks. A 50 percent chance,
according to the research from Data
00:07:33.460 --> 00:07:37.370
Genetics, it will cost me five dollars. So
once every two victims, I will get the
00:07:37.370 --> 00:07:41.490
PIN. Actually, if I want to take a
different approach and instead of just
00:07:41.490 --> 00:07:46.620
trying to brute force only yours, I want
to brute force the PIN from everyone here,
00:07:46.620 --> 00:07:50.620
according to Data Genetics, and in this
case, according to the fact that there are
00:07:50.620 --> 00:07:54.570
default PINs... I'm not going to ask how
many of you have O2, now that they know
00:07:54.570 --> 00:07:58.490
that there is a default PIN to their
voicemail system. It will be more
00:07:58.490 --> 00:08:03.320
interesting to actually try a thousand
phone numbers for that default PIN for O2
00:08:03.320 --> 00:08:08.410
customers, only for 13 dollars. It's easy:
fully automated, the tool does everything
00:08:08.410 --> 00:08:11.770
for you, you just have to provide the
victim number, the carrier, and a couple of
00:08:11.770 --> 00:08:16.091
other parameters and it's efficient! It
optimizes brute forcing, I use the
00:08:16.091 --> 00:08:20.910
research from Data Genetics to favor the
PINs that are most common, and obviously
00:08:20.910 --> 00:08:25.350
it tries different PINs and all that
stuff. But the most important here is
00:08:25.350 --> 00:08:28.750
detection, because think about it. In
order for me to interact with your
00:08:28.750 --> 00:08:33.049
voicemail system I need to call you and
you cannot pick up, because if not, it
00:08:33.049 --> 00:08:36.539
doesn't go to the voicemail system. So I
was trying to find ways, because I need
00:08:36.539 --> 00:08:41.938
to, in the end, make a lot of calls,
trying different PINs. How can I interact
00:08:41.938 --> 00:08:46.100
directly with your voicemail? I try call
flooding like basically doing three calls
00:08:46.100 --> 00:08:49.810
at a time, because the line gets flooded
just with three calls, it goes directly to
00:08:49.810 --> 00:08:54.220
the voicemail, but it wasn't very
reliable. You can use OSINT techniques, a
00:08:54.220 --> 00:08:57.290
lot of people like to tweet that they,
you know, they go on a trip, they are
00:08:57.290 --> 00:09:01.980
about to board a plane, so it goes into
airplane mode, or you go in a remote area,
00:09:01.980 --> 00:09:06.850
or you are in a movie theater, or at night
you put in Do Not Disturb. Those are all
00:09:06.850 --> 00:09:12.300
situations in which calls go directly to
the voicemail. You can use HLR database to
00:09:12.300 --> 00:09:17.529
find out if mobile devices are
disconnected or the SIM cards have been
00:09:17.529 --> 00:09:21.720
discarded, but they are still assigned to
an account. And you can use online
00:09:21.720 --> 00:09:25.800
services like realphonevalidation.com
which I actually reached out and they
00:09:25.800 --> 00:09:30.300
provide services that allow you to know if
a phone is actually connected to a tower
00:09:30.300 --> 00:09:34.870
at the moment, so it's basically
available, so you could use that too. You
00:09:34.870 --> 00:09:40.509
can also use class 0 SMS, which gives you
feedback. It's basically a type of SMS
00:09:40.509 --> 00:09:45.570
that will... it has more priority and will
basically display on the screen and you'll
00:09:45.570 --> 00:09:49.519
get the feedback if it was displayed. So,
that's a nice trick to find out if the
00:09:49.519 --> 00:09:55.259
phone is actually connected to a tower. But
in reality, I wanted a bullet proof way to
00:09:55.259 --> 00:09:59.480
do this and in the U.S. I found that there
is this concept of backdoor voicemail systems.
00:09:59.480 --> 00:10:03.019
So instead of me calling you, I'm going to
call one of these services that you guys
00:10:03.019 --> 00:10:08.129
have listed here for every carrier and
there I enter the number, in this case the
00:10:08.129 --> 00:10:11.769
number of the victim from the voicemail I
want to interact with. And of course it
00:10:11.769 --> 00:10:16.069
allows you to access the login
prompt. Actually in Germany I find it
00:10:16.069 --> 00:10:19.740
interesting that you guys have it as a
service, because in the US it's more a
00:10:19.740 --> 00:10:24.589
secret that I had to find using Google,
but here... Basically if I dial your phone
00:10:24.589 --> 00:10:28.029
number and when it comes to Vodafone
between the area code and the rest of the
00:10:28.029 --> 00:10:33.889
number I put 55, or for Telekom 13, or for
O2 33, I directly go to the voicemail, you
00:10:33.889 --> 00:10:37.469
it won't ring your phone. So I can use that.
Who was aware of this, that is from
00:10:37.469 --> 00:10:42.439
Germany? OK, many of you. So that's what I
thought. Like here it's not really like
00:10:42.439 --> 00:10:46.569
something you guys care too much about. In
the U.S. it's actually used a lot for
00:10:46.569 --> 00:10:53.429
scammers or to leave voicemail messages
directly from spammers as well. So,
00:10:53.429 --> 00:10:56.809
voicemailcracker actually takes advantage
of backdoor numbers, so it allows you to
00:10:56.809 --> 00:11:00.119
be undetected. I don't need to call you, I
don't need to wait till you are flying, I
00:11:00.119 --> 00:11:04.399
can do that. And for example for the U.S.
it's great, because when I launch that
00:11:04.399 --> 00:11:08.549
many calls, the line gets flooded even if
you are offline. But when I use these
00:11:08.549 --> 00:11:14.959
backdoor voicemail systems, because they
are meant to be used by everyone, those
00:11:14.959 --> 00:11:19.320
don't get flooded. So I literally make
hundreds and hundreds of calls and it
00:11:19.320 --> 00:11:25.339
never fails. So, but you know, like
carriers, or some of them, add a brute
00:11:25.339 --> 00:11:28.799
force protections, right? So that you
can't actually launch brute forcing
00:11:28.799 --> 00:11:32.929
attacks. And I looked at the German
carriers and for example Vodafone, I saw
00:11:32.929 --> 00:11:37.619
that it resets the 6 digit PIN and sends
it over SMS. So, I guess I can flood your
00:11:37.619 --> 00:11:41.260
phone with texts but who cares, that's not
a big deal, but I think it's actually a
00:11:41.260 --> 00:11:45.709
pretty effective measure against
voicemail... against brute forcing.
00:11:45.709 --> 00:11:48.660
Telekom blocks the Caller ID from
accessing the mailbox or even leaving
00:11:48.660 --> 00:11:53.220
messages. I tried, and after six times that
it's wrong, every time I call it says
00:11:53.220 --> 00:11:56.949
"Hey, you can't do anything", and it hangs
up. And for O2 it connects directly to the
00:11:56.949 --> 00:12:01.059
customer help-line, but someone started
talking German and my German is not that
00:12:01.059 --> 00:12:08.410
good. So brute force, I wanted to be able
to bypass this, right? And so if you look
00:12:08.410 --> 00:12:12.869
at Telekom I mentioned that it blocks the
caller I.D., but it turns out that with Twilio
00:12:12.869 --> 00:12:16.959
you can actually buy caller IDs-- you can,
well, you can buy phone numbers, right?
00:12:16.959 --> 00:12:22.509
and they are really cheap. So it's very
easy for me to do randomization of caller
00:12:22.509 --> 00:12:28.329
I.D.s for very, very cheap and bypass
Telekom's brute force protection. So
00:12:28.329 --> 00:12:33.009
voicemailcracker also supports that. It
supports caller ID randomization. So let's
00:12:33.009 --> 00:12:38.490
make the first demo. So as you can see
here on the left is the victim's mobile
00:12:38.490 --> 00:12:43.789
device, and on the right is the tool. And
in this case I'm going to use the brute
00:12:43.789 --> 00:12:47.509
force option. The brute force option
allows me to basically brute force the
00:12:47.509 --> 00:12:51.940
PIN. It makes hundreds of calls as I
explain and I'll try to guess it. And
00:12:51.940 --> 00:12:55.070
there is a number of parameters like the
victim number, the carrier... the carrier
00:12:55.070 --> 00:12:58.990
is important because they put their
specific payloads for every single carrier
00:12:58.990 --> 00:13:03.589
because all the voicemail systems are
different, how you interact with them, and
00:13:03.589 --> 00:13:06.869
in this case I'm using a backdoor number
because it's more efficient. And then
00:13:06.869 --> 00:13:11.109
there is no detection. And in this case I
did the option of top PIN. So this is
00:13:11.109 --> 00:13:17.499
basically trying the top 20 PINs according
to the research for four digits. So as you
00:13:17.499 --> 00:13:21.639
can see it's trying actually three PINs at
a time as I mentioned before rather than
00:13:21.639 --> 00:13:26.959
one. So we have to do a third of the
calls, right? And how do you
00:13:26.959 --> 00:13:34.390
think that I'm detecting if the PIN was
correct or not? Any ideas?
00:13:34.390 --> 00:13:40.170
Unintelligible suggestion from audience
M.V.: OK. So the disconnect and hang up.
00:13:40.170 --> 00:13:43.879
That's what I heard. And that's exactly
right. If you think about it I can look at
00:13:43.879 --> 00:13:48.170
the call duration because when I tried
three PINs and it hangs up it's always the
00:13:48.170 --> 00:13:54.379
same call duration. For T-Mobile in this
case it's like 18 seconds. So I instruct
00:13:54.379 --> 00:13:58.110
Twilio to after dialing and putting the
payload to interact with the voicemail
00:13:58.110 --> 00:14:03.109
system trying the PINs to wait 10 extra
seconds. So all I got to do, I don't need
00:14:03.109 --> 00:14:07.509
any sound processing to try to guess what
the voicemail voice is telling me if it's
00:14:07.509 --> 00:14:11.069
correct or not. I just use the call
duration. So if the call duration is ten
00:14:11.069 --> 00:14:15.549
times longer then I know that's the right
PIN because it logged in. So as
00:14:15.549 --> 00:14:19.239
you can see it found out one of those
three is actually the correct one: in this
00:14:19.239 --> 00:14:24.649
case it's 1983. So in order to give you
the exact one because at that time it
00:14:24.649 --> 00:14:29.389
tried the three of them, now it's trying
one by one and it may look like it's
00:14:29.389 --> 00:14:35.350
taking longer than it should for only 20
PINs but remember failing PINs is very,
00:14:35.350 --> 00:14:38.989
very quick. It's just that because in the
top 20 found already the right PIN it
00:14:38.989 --> 00:14:46.219
takes longer than it should, and there you
go. We got that it's 1983. Awesome. So
00:14:46.219 --> 00:14:50.410
what is the impact really why am I here
talking to you at CCC that has such
00:14:50.410 --> 00:14:55.560
amazing talks, right? And this is really
the thing about this. No one cares about
00:14:55.560 --> 00:15:00.720
the voicemail. Probably if I ask here, who
knows his own voicemail PIN?
00:15:00.720 --> 00:15:05.329
laughter
M.V.: Nice. That's what I was expecting.
00:15:05.329 --> 00:15:09.869
Probably less hands here. So some of them
are lying but that's the thing, right? We
00:15:09.869 --> 00:15:13.910
don't care about the voicemail. We don't
even use it, which is the crazy thing
00:15:13.910 --> 00:15:18.309
here. We have an open door for
discussing an issue that we don't even
00:15:18.309 --> 00:15:23.290
know about or we don't even remember. So
many people are not familiar with the fact
00:15:23.290 --> 00:15:27.869
that you can reset passwords over phone
call. We are familiar with resetting
00:15:27.869 --> 00:15:32.699
passwords over e-mail. You get a unique
link; maybe over SMS you get a code that
00:15:32.699 --> 00:15:36.809
you then have to enter in the UI.
But a lot of people cannot receive SMS, or
00:15:36.809 --> 00:15:41.990
that's what services claim. So they allow
you to provide that temporary code over a
00:15:41.990 --> 00:15:46.559
phone call, and that's exactly what we
take advantage of, because I ask you
00:15:46.559 --> 00:15:50.909
what happens if you don't pick up the
phone if basically I go to a service,
00:15:50.909 --> 00:15:55.209
enter your e-mail or your phone number and
reset a password, and everyone can do
00:15:55.209 --> 00:16:01.989
that. Anyone can reset it, initiate the
reset password process, and I know that
00:16:01.989 --> 00:16:05.709
you are not going to pick up the phone. I
know that thanks to my tool I got access
00:16:05.709 --> 00:16:09.759
to your voicemail system. So basically the
voicemail system will pick up the call and
00:16:09.759 --> 00:16:15.309
it will start recording, so it will record
the voice spelling out the code that I
00:16:15.309 --> 00:16:22.569
need to basically reset your account and
get access to it. So -- oops! -- and I
00:16:22.569 --> 00:16:26.570
press play here.
Static
00:16:26.570 --> 00:16:31.319
M.V.: Okay, so, what does the attack
vector look like? You brute force the
00:16:31.319 --> 00:16:35.799
voicemail system using the tool ideally
using backdoor numbers. For that
00:16:35.799 --> 00:16:38.779
particular call -- that is, the call that
the victim will receive once you initiate
00:16:38.779 --> 00:16:42.369
the password reset -- that one it cannot
go through the backdoor number, right?,
00:16:42.369 --> 00:16:45.849
because it's gonna-- PayPal is gonna
directly call the victim. So for that one
00:16:45.849 --> 00:16:50.149
you need to make sure that the victim is
not connected to a tower through all the
00:16:50.149 --> 00:16:53.979
methods that I showed before. You start
the password reset process using the
00:16:53.979 --> 00:16:57.799
economy feature. You listen to the
recorded message, secret code and profit.
00:16:57.799 --> 00:17:01.679
You hijacked that account, and
Voicemailcracker can do all that for you.
00:17:01.679 --> 00:17:09.549
Let's compromise Whatsapp. So on the left
you see my number, right?, with a secret
00:17:09.549 --> 00:17:13.939
lover group, and a secret group, and all
that stuff. On the right notice that I'm
00:17:13.939 --> 00:17:19.709
not even using an actual device. It's an
Android emulator that I installed, an APK.
00:17:19.709 --> 00:17:23.809
And there is some sound to this, and you
are gonna see -- so again on your left
00:17:23.809 --> 00:17:27.898
it's the victim's number. On the right is
an emulator of the attacker. So you'll see
00:17:27.898 --> 00:17:33.919
that I'm going to use my tool with the
message payload, with the message option.
00:17:33.919 --> 00:17:38.520
So in this case what I'm doing is I'm
setting the victim's phone to airplane
00:17:38.520 --> 00:17:43.880
mode, simulating that it's now offline for
some reason, and I detected that. So if
00:17:43.880 --> 00:17:50.680
you see, WhatsApp allows-- sends you a text
to actually register as a WhatsApp user,
00:17:50.680 --> 00:17:54.880
but if you don't reply in a minute it
allows you-- it gives you an option to
00:17:54.880 --> 00:17:59.430
call, to call me, right? And that's
exactly what I click. So now WhatsApp is
00:17:59.430 --> 00:18:04.080
basically calling the victim which is
again in airplane mode, because he went on
00:18:04.080 --> 00:18:08.600
a remote trip or on a plane, and so I'm
using Voicemailcracker with the option
00:18:08.600 --> 00:18:14.059
"message" to automatically retrieve that
newest message. So the tool is gonna
00:18:14.059 --> 00:18:17.589
provide me as you can see the last option
is the PIN, because I brute forced it
00:18:17.589 --> 00:18:21.960
before. So it's going to give me a URL
with the recording of the newest message,
00:18:21.960 --> 00:18:29.529
which, hopefully -- it's a recorded demo
-- hopefully contains actually the code.
00:18:29.529 --> 00:18:46.079
So let's see... I got the URL.
Phone alert sound
00:18:46.079 --> 00:18:48.760
Computerized phone voice: New Message! --
M.V.: It's interacting with the voicemail
00:18:48.760 --> 00:18:50.550
system right now.
Phone voice: -- your verification code is:
00:18:50.550 --> 00:19:01.440
3 6 5 9 1 5. Your verification code is: 3
6 5 9 1 5. Your ver--
00:19:01.440 --> 00:19:06.059
M.V.: And that simple. We just hijacked
that person's WhatsApp, and I -- here I'm
00:19:06.059 --> 00:19:08.819
fast forwarding just to show you--
Applause
00:19:08.819 --> 00:19:18.760
M.V.: --that you get actually that. Thank
you. I do want to point out that WhatsApp
00:19:18.760 --> 00:19:21.841
is super secure, it like-- end to end
encryption all that -- and there is a
00:19:21.841 --> 00:19:25.179
number of things that you can notice this
attack. For example you wouldn't be able
00:19:25.179 --> 00:19:28.690
to see the previous messages that were
there but you can just hold on and ask
00:19:28.690 --> 00:19:32.910
people, right? The groups will pop up. So
you hijacked that WhatsApp account. There
00:19:32.910 --> 00:19:37.559
is also fingerprinting. But who really
pays attention to the fingerprinting when
00:19:37.559 --> 00:19:43.440
someone changes the device, right? So are
we done? Not yet. Because the truth is,
00:19:43.440 --> 00:19:48.029
some researchers talked about this in the
past then and actually services tried to
00:19:48.029 --> 00:19:52.159
slowly pick up. So that is actually
something that I found in several
00:19:52.159 --> 00:19:56.710
services. That is what I call the user
interaction based protection. So when you
00:19:56.710 --> 00:20:01.060
received that phone call that provides you
with the temporary code in reality it's
00:20:01.060 --> 00:20:04.700
not giving it away. You have to press a
key. It comes in three different flavors
00:20:04.700 --> 00:20:08.530
from what I found from my tests. Please
press any key to hear the code, so when
00:20:08.530 --> 00:20:11.679
you get the call, you have to press, and
then it will tell you the code; please
00:20:11.679 --> 00:20:15.950
press a random key, so specifically please
press 1, please press 2, or please enter
00:20:15.950 --> 00:20:20.090
the code. PayPal does that, and instead of
you having to press a key to hear the code
00:20:20.090 --> 00:20:24.289
when you reset the password you will see a
four-digit code that you have to enter
00:20:24.289 --> 00:20:29.140
when you receive the call and then it will
reset the password. So I'm going to get
00:20:29.140 --> 00:20:33.680
the help from all of you guys. Can we beat
this currently recommended protection, what
00:20:33.680 --> 00:20:37.920
is nowadays recommended to prevent these
kinds of attacks? And we're going to play a
kind of attacks? And we're going to play a
00:20:37.920 --> 00:20:44.590
game. I'm going to give you two hints.
This is the first one. So, you guys are
00:20:44.590 --> 00:20:48.510
probably familiar with this, but Captain
Crunch. Again we go back today it is we
00:20:48.510 --> 00:20:54.509
can learn so much from them, use this to
generate specific sounds at a specific
00:20:54.509 --> 00:20:58.169
frequency to basically -- you can go and
read it -- to get free international
00:20:58.169 --> 00:21:02.549
calls. So he will create that sound and
the system will process it on the
00:21:02.549 --> 00:21:07.430
line. And the second one is that I
cheated. When we did the checklist, I
00:21:07.430 --> 00:21:11.750
actually skipped one, which was the
greeting message is an attack vector. So I
00:21:11.750 --> 00:21:16.549
ask you guys how can we bypass the
protection that requires user interaction
00:21:16.549 --> 00:21:20.129
in order to get the code recorded on the
voicemail system?
00:21:20.129 --> 00:21:26.269
Inaudible suggestion from audience
M.V.: What was that?... Exactly. Record
00:21:26.269 --> 00:21:31.470
DTMF tones as the greeting message. We own
the voicemail system so we can alter the
00:21:31.470 --> 00:21:36.729
greeting message. So this is exactly how
it works: We just alter the greeting
00:21:36.729 --> 00:21:42.260
message we call the DTMF that the system
is expecting and it works every single
00:21:42.260 --> 00:21:48.039
time. The best thing of this is what
really is so awesome about all of us
00:21:48.039 --> 00:21:52.169
that really care about technology. We want
to have a deep understanding because when
00:21:52.169 --> 00:21:57.049
I was asking people when, you know, I
wanted to show them this I was asking them
00:21:57.049 --> 00:22:01.480
how does this protection really work. And
they will say well you have to press a key
00:22:01.480 --> 00:22:05.789
and then you know it will give you the
code. But that's not really true. What
00:22:05.789 --> 00:22:09.490
you have to do is to provide a
specific sound that the system is
00:22:09.490 --> 00:22:13.990
expecting. That is different than saying
you have to press a key, because if you
00:22:13.990 --> 00:22:18.520
say I have to press a key that requires
physical access. If you say I have to
00:22:18.520 --> 00:22:22.460
provide a sound, now we know it doesn't
require physical access. That is why
00:22:22.460 --> 00:22:26.490
hackers are so cool, because we really
want to understand what is happening
00:22:26.490 --> 00:22:30.720
backstage, and we take advantage of that.
So what does the attack vector look like?
00:22:30.720 --> 00:22:34.090
Bruteforcing voicemail systems as before.
So basically we have an extra step which
00:22:34.090 --> 00:22:38.121
is update the greeting message according
to the account to be hacked. Voicemailcracker
00:22:38.121 --> 00:22:40.929
can do that for you. Let's
compromise PayPal.
00:22:40.929 --> 00:22:46.990
Laughter
M.V.: So on the left side you see that as
00:22:46.990 --> 00:22:53.330
before I brute force the PIN of the voicemail.
And in this case on the right side
00:22:53.330 --> 00:23:00.769
I'm going to start a password reset for
that account. So I do that and I choose
00:23:00.769 --> 00:23:05.799
"please call me with a temporary code".
But in this case PayPal works differently
00:23:05.799 --> 00:23:10.139
because it will show me a four-digit code
that I need to enter when I receive the
00:23:10.139 --> 00:23:15.690
call in order to reset the password. So
you see that here I'm using the greeting
00:23:15.690 --> 00:23:20.310
option. So the greeting is going to allow
me to enter a payload that I want to
00:23:20.310 --> 00:23:26.270
record as the greeting message. In this
case it's 6 3 5 3. So I may be very, very
00:23:26.270 --> 00:23:31.500
verbose for this demo. There you see
the last option, "use PayPal code", and I
00:23:31.500 --> 00:23:36.989
enter 6 3 5 3. Now the tool is going to
use the PIN to log into the voicemail
00:23:36.989 --> 00:23:42.350
system, interact with it, change the
greeting message, record the DTMF tones
00:23:42.350 --> 00:23:50.759
according to 6 3 5 3 and then it should be
able to fool the call. In this case I'm
00:23:50.759 --> 00:23:55.860
asking to call again, because it didn't
have enough time to do that. And in 3 2 1
00:23:55.860 --> 00:24:00.690
we should get that we actually compromised
PayPal's account, and there we go. We can
00:24:00.690 --> 00:24:05.200
now set our own password.
Applause
00:24:05.200 --> 00:24:14.580
M.V.: Thank you. So, I showed you some
vulnerable servers. Let's go very quick
00:24:14.580 --> 00:24:19.240
about it because I'm concerned I'm
running out of time. So, I'm just
00:24:19.240 --> 00:24:23.490
mentioning Alexa top 100 types of
services, no favoring anything, but... so
00:24:23.490 --> 00:24:27.610
for password reset that supports over
phone call: PayPal, Instagram-- no,
00:24:27.610 --> 00:24:35.059
Snapchat-- Netflix, eBay, LinkedIn. I'm
still on Facebook. What can I say? 2FA for
00:24:35.059 --> 00:24:38.279
all the major forms, so 2FA over phone
call for Apple, Google, Microsoft,
00:24:38.279 --> 00:24:42.289
Yahoo... Verification: So basically you
don't register with a username and
00:24:42.289 --> 00:24:47.020
password on WhatsApp or Signal, you
actually use directly the phone number,
00:24:47.020 --> 00:24:50.790
right? As we saw before and you register
through a phone call or SMS. So you can
00:24:50.790 --> 00:24:54.710
compromise this too. Twilio, the very
service that I use for this, is actually
00:24:54.710 --> 00:25:00.519
really cool because you can own a caller
ID by verifying it by getting a phone
00:25:00.519 --> 00:25:05.460
call so I can actually own your caller ID
and make calls on your behalf, send texts,
00:25:05.460 --> 00:25:10.039
and all this legitimately, right?
because you've pressed one. Google Voice,
00:25:10.039 --> 00:25:13.289
it's actually another interesting service
because it's used a lot by scammers,
00:25:13.289 --> 00:25:17.009
right? And this is the same thing: you
have to verify ownership so you can do
00:25:17.009 --> 00:25:21.549
those phone calls and you can fool it as
well with this, but I was looking at
00:25:21.549 --> 00:25:24.730
what other services really take
advantage of this? And this is super
00:25:24.730 --> 00:25:30.789
common in San Francisco, where I live. You
can buzz in people like when they want to
00:25:30.789 --> 00:25:35.279
enter, right? They enter your house
number, and then your phone rings and you
00:25:35.279 --> 00:25:39.449
press any key to open the door. So we are
talking about physical security now. And
00:25:39.449 --> 00:25:44.019
I've seen this in offices as well. They
all work this way, basically because they
00:25:44.019 --> 00:25:47.769
want to be able -- for tenants, that you
know, come and go -- be able to switch
00:25:47.769 --> 00:25:52.620
that very quickly. So it works just
through the phone that you buzz people in.
00:25:52.620 --> 00:25:56.710
But my favorite is consent, because when
we think about consent we think about
00:25:56.710 --> 00:26:00.779
lawyers and we think about signing papers
and we think about all of these difficult
00:26:00.779 --> 00:26:07.799
things. And I found out about this
Location Smart service that is not there
00:26:07.799 --> 00:26:15.190
anymore, and you will see why... But this was
recently in the news because, basically
00:26:15.190 --> 00:26:19.690
Brian Krebs wrote a really great article
about it. But I'm going to let you hear
00:26:19.690 --> 00:26:23.389
then their YouTube channel, how Location
Smart works.
00:26:23.389 --> 00:26:30.380
LS vid speaker 1: The screen that you're
showing, that you're seeing right now is a
00:26:30.380 --> 00:26:36.800
demo that we have on our Web site it's at
location smart.com/pride, and I've entered
00:26:36.800 --> 00:26:43.190
my name, my email, my mobile phone number,
and it's again going to get my permission
00:26:43.190 --> 00:26:48.470
by calling my phone, and then it'll
locate. So let's go ahead and, I clicked
00:26:48.470 --> 00:26:55.100
the box to say yes I agree, click the
locate, and the screen now shows that it's
00:26:55.100 --> 00:26:58.170
going to call my device to get my
permission.
00:26:58.170 --> 00:27:03.680
vid speaker's phone vibrates, sounds like an airhorn in video
LS vid speaker 2: Heh, that's a nice ring
00:27:03.680 --> 00:27:05.610
tone --
M.V.: No, it's not--
00:27:05.610 --> 00:27:09.620
LS vid speaker 1's phone: To log into
Location Smart Services, press 1 or say
00:27:09.620 --> 00:27:16.870
'Yes'. To repeat, press 2 or say 'Repeat'.
LSVS1: Yes
00:27:16.870 --> 00:27:21.809
Phone: Congratulations. You have been
opted in to Location Smart Services.
00:27:21.809 --> 00:27:23.419
Goodbye
M.V.: So as you see, this service, this
00:27:23.419 --> 00:27:30.091
Web site had a free demo that allowed you
to put in a phone number
00:27:30.091 --> 00:27:33.639
-- yours, of course -- and you would get a
phone call and then you would give
00:27:33.639 --> 00:27:38.499
permission by pressing one. So someone
could locate you and keep tracking -- I
00:27:38.499 --> 00:27:47.970
mean, I checked with them -- for up to 30
days, real time. So now you know why they
00:27:47.970 --> 00:27:51.580
don't exist anymore!
Applause
00:27:51.580 --> 00:28:00.810
M.V.: Open source..
More Applause
00:28:00.810 --> 00:28:05.490
M.V.: Open source. So, and this was with
the permission of the carriers. This was
00:28:05.490 --> 00:28:11.740
not some fishy thing. This was actually a
service. So I wanted to release code,
00:28:11.740 --> 00:28:15.009
because I want you guys to verify that
what I mentioned is true and have code to
00:28:15.009 --> 00:28:20.490
hopefully help push the industry forward
to make voicemail systems more secure,
00:28:20.490 --> 00:28:24.990
right? We want to push carriers to do so.
But I didn't want to provide a tool
00:28:24.990 --> 00:28:29.639
that works out of the box and anyone can
very easily as we saw like just start to
00:28:29.639 --> 00:28:32.929
bruteforce pins, especially because I saw
that there is so many people with the
00:28:32.929 --> 00:28:37.280
default PINs out there. So I just removed
the brute forcing, so the tool allows you
00:28:37.280 --> 00:28:41.220
to test it on your own. You can test, you
know, you can test the greeting message
00:28:41.220 --> 00:28:45.010
you can test retrieving messages,
compromising the services and all that. So
00:28:45.010 --> 00:28:48.221
the tool allows you to test on your own
device. I won't give you code to brute
00:28:48.221 --> 00:28:54.220
force someone else's device. And feel free
to go to my GitHub repo. So now, like in all
00:28:54.220 --> 00:28:59.309
the talks, come the recommendations, but I
know what you guys are thinking, right?
00:28:59.309 --> 00:29:02.509
When someone comes with all this paranoia
and stuff you still think "yeah but you
00:29:02.509 --> 00:29:07.080
know still like no one is gonna come after
me. I don't have anything to hide" or
00:29:07.080 --> 00:29:11.330
anything like that. So I wanted to give
you reasons why you should still care
00:29:11.330 --> 00:29:17.490
about this, and why we need to do better.
Because do carriers set default PINs? Yes,
00:29:17.490 --> 00:29:23.350
we saw that. Is testing for default pins
cheap, fast, undetected, and automatable?
00:29:23.350 --> 00:29:28.899
Yes it is. Is updating the greeting message
automatable? Yes it is. Is retrieving
00:29:28.899 --> 00:29:34.929
the newest message automatable? Yes it is.
Is there speech-to-text transcription, so
00:29:34.929 --> 00:29:39.190
that I can get the sound that I played
before with the code and get it in text?
00:29:39.190 --> 00:29:45.920
Yeah. Twilio gives you that as well. So
can the account compromise process be
00:29:45.920 --> 00:29:49.640
automatable? Of course you can use
Selenium if you want to automate the UI.
00:29:49.640 --> 00:29:55.549
Or you can use a Web proxy and look at the
APIs and do it yourself. So it is only a
00:29:55.549 --> 00:30:00.629
matter of time before someone actually does
all these steps that I showed you step by
00:30:00.629 --> 00:30:05.350
step and just makes it all straight and
starts to go over phone numbers trying the
00:30:05.350 --> 00:30:10.389
default PINs, and just automatically
compromising services like WhatsApp like
00:30:10.389 --> 00:30:16.140
PayPal and all that. You can do basically,
not a worm, but, you know, you can
00:30:16.140 --> 00:30:20.700
compromise a lot of devices without doing
anything. Recommendations for online
00:30:20.700 --> 00:30:24.879
services. Don't use automated calls for
security purposes. If not possible, detect
00:30:24.879 --> 00:30:28.270
answering machines and fail. I mean this
is not very accurate and you can still
00:30:28.270 --> 00:30:33.630
trick it. Require user interaction before
providing the secret. I just showed you how
00:30:33.630 --> 00:30:39.630
to bypass that, but that's with the hope that
carriers ban DTMF tones from the greeting
00:30:39.630 --> 00:30:44.370
message. I don't see why that should be
supported, right? Recommendations for
00:30:44.370 --> 00:30:48.119
carriers. The most important thing: Ban
DTMF tones from the greeting message,
00:30:48.119 --> 00:30:53.250
eliminate backdoor mobile services, or at
least give no access to the login
00:30:53.250 --> 00:30:57.080
prompt, right? There is no reason why you
should be able to access your voicemail
00:30:57.080 --> 00:31:01.710
directly to leave a message. But then I
can access the login prompt by pressing
00:31:01.710 --> 00:31:05.749
star. Voicemail disabled by default. This
is very important and can only be
00:31:05.749 --> 00:31:10.100
activated from the actual phone, or
online maybe with a special code. Oh great
00:31:10.100 --> 00:31:15.730
I have time for questions. No default
pins. Learn from the German carriers:
00:31:15.730 --> 00:31:19.399
don't allow common pins, detect and
prevent brute force attempts, don't
00:31:19.399 --> 00:31:23.619
process multiple pins at once.
Recommendations for you, which is, in the
00:31:23.619 --> 00:31:28.389
end, very important here. Disable the
voice mail if you don't use it. I found
00:31:28.389 --> 00:31:31.760
though that some carriers you're still
through the backdoor voicemail numbers you
00:31:31.760 --> 00:31:37.330
are unable to activate it again. So kind
of sucks. So I guess use the longest
00:31:37.330 --> 00:31:41.649
possible random pin. Don't provide phone
numbers to online services unless
00:31:41.649 --> 00:31:45.680
required, or it is the only way to get 2FA.
2FA is more important. Use a virtual
00:31:45.680 --> 00:31:50.250
number to prevent OSINT like a Google
Voice number so no one can you know learn
00:31:50.250 --> 00:31:55.399
about your phone number digits by
resetting the password or do SIM swapping.
00:31:55.399 --> 00:31:59.660
Use 2FA apps only. And I always like to
finish my talk with ones like that kind of
00:31:59.660 --> 00:32:03.519
summarizes everything. Automated phone
calls are a common solution for password
00:32:03.519 --> 00:32:07.129
reset, 2FA, verification, and other
services. These can be compromised by
00:32:07.129 --> 00:32:11.379
leveraging old weaknesses and current
technology to exploit the weakest link
00:32:11.379 --> 00:32:15.050
voicemail systems. Thank you so much.
Danke Schön, CCC!
00:32:15.050 --> 00:32:33.129
Applause
Herald Angel: Thank you, Martin. We have
00:32:33.129 --> 00:32:37.450
time for questions, so if you have any
questions or if someone in the Internet
00:32:37.450 --> 00:32:44.989
has questions just go to these
microphones. Where is the microphone?
00:32:44.989 --> 00:32:50.020
You've got it. Yes. You were black and the
microphone too. So maybe you start and we
00:32:50.020 --> 00:32:55.830
take the question from the Internet.
Q: Yes I have a question. You mentioned
00:32:55.830 --> 00:33:02.510
that the phone needed to be offline. Would
a call, like a simultaneous call to the phone,
00:33:02.510 --> 00:33:11.049
that it would be in what is called in
English - besetzt? - like occupied. So let's
00:33:11.049 --> 00:33:19.720
say I already called the victim. So the
caller gets, yeah, the line's occupied
00:33:19.720 --> 00:33:21.960
that would then go to voicemail, wouldn't
it?
00:33:21.960 --> 00:33:26.350
M.V.: So that's a great question. I think
the question is if you are on a call and
00:33:26.350 --> 00:33:31.429
someone else calls you, so your attack
will be: I somehow make up a story to keep
00:33:31.429 --> 00:33:34.980
the person on the phone call while I
launch other calls... that will work. I
00:33:34.980 --> 00:33:38.850
tried that but the problem is usually to
force, I mean that will not be too big of
00:33:38.850 --> 00:33:41.860
a deal I guess but it supports two calls
right. They will warn you that there is
00:33:41.860 --> 00:33:45.719
another incoming call. But I guess you
could keep doing more. So that's what I
00:33:45.719 --> 00:33:50.509
meant partly with call flooding. In
that case what I tried was just launching
00:33:50.509 --> 00:33:53.909
all of them at the same time. And if the
person picks up I don't care but it's
00:33:53.909 --> 00:33:57.490
somewhat related to what you mentioned and
that's definitely possible.
00:33:57.490 --> 00:33:59.300
Questioner: Okay. Thank you.
M.V.: Yeah.
00:33:59.300 --> 00:34:03.739
Herald: Question from the internet please
Signal Angel: Does this work with the
00:34:03.739 --> 00:34:07.879
phone calls that start talking
immediately, will the new code be
00:34:07.879 --> 00:34:12.159
recorded then?
M.V.: If I understood the question
00:34:12.159 --> 00:34:16.429
correctly it's that when the voicemail
picks up like basically the automated
00:34:16.429 --> 00:34:21.230
system that spits out the code already
started to talk. I believe that's the
00:34:21.230 --> 00:34:23.230
question.
Herald: We don't know it's from the
00:34:23.230 --> 00:34:27.030
Internet.
M.V.: OK so if that is the question I
00:34:27.030 --> 00:34:30.739
found actually that, because usually
greeting messages last like 15 seconds so
00:34:30.739 --> 00:34:35.460
by the time it starts recording you
already finished the recording that gives
00:34:35.460 --> 00:34:39.199
you the code, but you own the greeting
message so you make it as short as one
00:34:39.199 --> 00:34:44.469
second. And I never found a problem with
that. You actually recorded DTMF tones for
00:34:44.469 --> 00:34:47.729
like two seconds.
Herald: Ladies first let me take your
00:34:47.729 --> 00:34:54.799
question.
Q: You talked about how you learned all of
00:34:54.799 --> 00:35:07.589
that through reading e-zines. How are they
called, and how do I find them?
00:35:07.589 --> 00:35:10.979
M.V.: That's the best question I've ever
heard and it deserves an applause,
00:35:10.979 --> 00:35:15.770
seriously. I like that because you also
want to learn about it. So that's
00:35:15.770 --> 00:35:20.190
really fantastic. So the Phrack Web site
is the best resource you can get. I guess
00:35:20.190 --> 00:35:26.730
everyone will agree here. So you just look
up Phrack magazine on Google and there is
00:35:26.730 --> 00:35:32.040
a lot of interesting stuff that we
can learn there still today.
00:35:32.040 --> 00:35:36.120
Q: Are there any others?
M.V.: Yeah I mean you can then follow the
00:35:36.120 --> 00:35:42.040
classic. I mean I like Twitter to get my
security news because it's very concise so
00:35:42.040 --> 00:35:47.180
I kind of get like you know the 140
characters version. If I'm interested
00:35:47.180 --> 00:35:51.980
then I will read it. So I think you can
google for like top security people to
00:35:51.980 --> 00:35:57.510
follow. Brian Krebs is great. It depends
also on your technical depth. There is
00:35:57.510 --> 00:36:03.970
different people for that. And if not just
you know specialized blogs in magazines.
00:36:03.970 --> 00:36:06.590
Q: All right. Thanks.
M.V.: Thank you.
00:36:06.590 --> 00:36:10.810
Herald: And your question please.
Q: Hi. And so for me the solution is
00:36:10.810 --> 00:36:14.700
obvious: I just turn off my voicemail. But
thinking about some relatives which are
00:36:14.700 --> 00:36:19.170
maybe too lazy or don't really care and
still use two factor authentication. I was
00:36:19.170 --> 00:36:24.450
thinking about could I easily adapt your
script to automatically turn off voice
00:36:24.450 --> 00:36:37.569
boxes or generate random pins?
M.V.: You can automate it to turn off the pin. Like
00:36:37.569 --> 00:36:41.600
for example on Vodafone, I don't know why,
that allows you to turn off the pin. To turn
00:36:41.600 --> 00:36:47.430
off the voicemail... I don't... I haven't
tested that. I think you may have to call
00:36:47.430 --> 00:36:51.569
the IT department but you know what. It
would be really great to do that. It would
00:36:51.569 --> 00:36:55.630
be really awesome. Great question. I guess
if you can turn it off then you can turn
00:36:55.630 --> 00:37:00.040
it on as well. Yeah.
Herald: Your question please.
00:37:00.040 --> 00:37:03.109
Q: Did Twilio ban you or did they find out
what you did?
00:37:03.109 --> 00:37:09.700
M.V.: I got some emails,
but they were really cool. I have to say
00:37:09.700 --> 00:37:13.740
that. I explained to them where I was
coming from, I gave them my identity...
00:37:13.740 --> 00:37:18.180
like I wasn't hiding anything. Actually I
had to pay quite some money because of
00:37:18.180 --> 00:37:21.650
all the calls that I was doing while I was
doing the research, so I didn't hide my
00:37:21.650 --> 00:37:27.049
identity at all. So, they did detect
that I was doing many calls and stuff like
00:37:27.049 --> 00:37:31.809
that. So there is I guess at the high
volumes there is some detection, but
00:37:31.809 --> 00:37:35.970
Twilio is not the only service. So again
you can switch between services, space it
00:37:35.970 --> 00:37:40.330
out, change caller IDs, a number of
things.
00:37:40.330 --> 00:37:45.549
Herald: And one more question here.
Q: Hi. You talked about being undetected
00:37:45.549 --> 00:37:50.400
when making all these calls by going
directly to these direct access numbers.
00:37:50.400 --> 00:37:56.030
In Germany it's very common that if
someone calls your voicemail you get an
00:37:56.030 --> 00:38:00.460
SMS text even if they don't leave a
message. But I suspect there's some kind
00:38:00.460 --> 00:38:05.370
of undocumented API to actually turn that
off through the menus. Have you looked
00:38:05.370 --> 00:38:08.710
into that?
M.V.: No I haven't looked into that
00:38:08.710 --> 00:38:14.230
specifically. The question is that usually
in Germany for the carriers you'll get an
00:38:14.230 --> 00:38:18.220
SMS when you get a call. I
wonder... the test that I did on the
00:38:18.220 --> 00:38:22.250
German carriers, I was getting a text if I
was leaving a message, not if someone was
00:38:22.250 --> 00:38:26.420
calling there. I guess you are talking
about a missed call, that kind of
00:38:26.420 --> 00:38:32.089
notification. I'm not sure about it. What
I do want to point out is: remember that
00:38:32.089 --> 00:38:35.609
you can do this while the person is
offline maybe on a long trip so you can
00:38:35.609 --> 00:38:40.750
time it, and that will be a good probation
I guess to just not launch at any, you
00:38:40.750 --> 00:38:44.300
know, at any point in time, but you can
just always time it, and by the time the
00:38:44.300 --> 00:38:47.850
person gets a million text it's too late.
Q: Thanks.
00:38:47.850 --> 00:38:50.189
M.V.: Yeah.
Herald: One more question over here
00:38:50.189 --> 00:38:55.200
please.
Q: Thank you. On apple phones you can
00:38:55.200 --> 00:39:00.540
activate with some care the, what they
call visual voicemail. Would that prevent
00:39:00.540 --> 00:39:04.950
your attack to work, or..?
M.V.: No there is actually, I believe he
00:39:04.950 --> 00:39:11.550
was an Australian researcher, that looked
into the visual voicemail and he was able
00:39:11.550 --> 00:39:16.770
to find that in reality it uses the IMAP, if
I remember correctly, protocol, and for
00:39:16.770 --> 00:39:23.110
some carriers he was able to launch
brute force attacks because the
00:39:23.110 --> 00:39:28.450
authentication wasn't with the same pin as
you get when you dial in. But he found at
00:39:28.450 --> 00:39:34.819
least one carrier in Australia I believe
that was vulnerable through visual
00:39:34.819 --> 00:39:37.930
voicemail protocol. And I checked for
German carriers. I did that, I actually
00:39:37.930 --> 00:39:43.010
followed the steps that he did, to see if
that was worth mentioning in here. I didn't
00:39:43.010 --> 00:39:49.100
find it to be vulnerable, but that doesn't
mean that that's not the case.
00:39:49.100 --> 00:39:53.750
Herald: One more last question.
Q: Thank you for the talk. What is your
00:39:53.750 --> 00:39:58.090
recommendation to American carriers to
protect themselves against this attack?
00:39:58.090 --> 00:40:03.460
M.V.: I put a slide there. Like for
me I guess the most important thing is
00:40:03.460 --> 00:40:07.839
really look at what some German carriers
are doing I really like that in the recent
00:40:07.839 --> 00:40:12.940
past where it sends it to you over SMS as
soon as it detects that someone dialed,
00:40:12.940 --> 00:40:17.730
tried six times the wrong pin. I mean if
you have physical access to a locked
00:40:17.730 --> 00:40:22.619
device you could claim that if someone has
the preview turned on the device you could
00:40:22.619 --> 00:40:26.910
still see the pin, you know when you get
it so. But then it wouldn't be like a
00:40:26.910 --> 00:40:33.900
remote attack anymore, so definitely
detect brute forcing and shut down. I mean
00:40:33.900 --> 00:40:38.490
we know that the caller ID is not
working so well for a Telecom, because I
00:40:38.490 --> 00:40:43.440
was able to bypass it. But I know that,
because I did some tests with HLR records
00:40:43.440 --> 00:40:46.850
that you can actually tell the type of
device that it is, if it's a virtual
00:40:46.850 --> 00:40:51.400
number. So if carriers could actually look
at the type of phone that is trying to
00:40:51.400 --> 00:40:55.830
call in. I think if it's a virtual number,
you know, red flag. If it's not I don't
00:40:55.830 --> 00:40:59.400
think someone is going to have... I guess
the government could like, you know have
00:40:59.400 --> 00:41:05.810
3333 devices because you try one pin for
the 10000 keyspace, you know. You try 3
00:41:05.810 --> 00:41:10.889
pins at a time and just have 3333 SIM
cards and so it will come from real
00:41:10.889 --> 00:41:15.990
devices. But then at least it will quite
significantly mitigate it. And then like
00:41:15.990 --> 00:41:22.850
again like if you ban DTMF tones from the
greeting message that will help as well.
00:41:22.850 --> 00:41:26.270
Herald: Thank you Martin. I have never
provided any telephone number to any
00:41:26.270 --> 00:41:32.230
platform and now thanks to you I know why.
Warm applause for Martin Vigo please.
00:41:32.230 --> 00:41:33.552
M.V.: Thank you
00:41:33.552 --> 00:41:39.532
Applause
00:41:39.532 --> 00:41:45.100
35c3 postroll music
00:41:45.100 --> 00:42:02.000
subtitles created by c3subtitles.de
in the year 2019. Join, and help us!