WEBVTT

00:00:00.000 --> 00:00:17.790
35C3 preroll music

00:00:17.790 --> 00:00:25.360
Herald Angel: We start the next talk. It's by Martin Vigo. He stands here. He is a

00:00:25.360 --> 00:00:32.500
product security lead and researcher and he's responsible for mobile security,

00:00:32.500 --> 00:00:39.860
identity, and authentication. So he helps people design and secure systems and

00:00:39.860 --> 00:00:46.710
applications. And he has worked on stuff like breaking password managers or

00:00:46.710 --> 00:00:57.500
exploiting Apple's FaceTime to create a spy... yeah, a spy program. So give him a

00:00:57.500 --> 00:01:09.360
warm applause for his talk. Applause

00:01:09.360 --> 00:01:12.650
Martin Vigo: Thank you for joining me in this talk. I'm super excited to be here.

00:01:12.650 --> 00:01:16.500
It's actually my second year at the conference, so super super excited that

00:01:16.500 --> 00:01:20.490
the first year I was sitting there, and the second year I'm sitting here. This is

00:01:20.490 --> 00:01:24.980
me, but an introduction was already made. Just pointing out that this is me, 9 years

00:01:24.980 --> 00:01:32.640
old, with an Amstrad CPC 6128. You had this machine before? I see only one hand?

00:01:32.640 --> 00:01:36.480
I think this was sold in Europe, but I was playing here La Abadía del Crimen, which

00:01:36.480 --> 00:01:40.770
is the best video game ever written. If you guys like abandonware, you should

00:01:40.770 --> 00:01:45.410
definitely check it out. So like any good research we have to start by looking at

00:01:45.410 --> 00:01:49.860
previous art, right? We can learn a lot from researchers that did stuff in the

00:01:49.860 --> 00:01:55.800
past. And in this case I went all the way back to the 80s to understand how phreakers

00:01:55.800 --> 00:01:59.590
of the time, when the hacking thing started, were doing to actually hack into

00:01:59.590 --> 00:02:06.110
voicemail systems.
I condensed everything I learned in five different paragraphs of

00:02:06.110 --> 00:02:11.670
five different essences, that I actually got from the Phrack website, which is an amazing

00:02:11.670 --> 00:02:16.870
resource. So, here from the Hacking Telephone Answering Machines, the

00:02:16.870 --> 00:02:20.840
paragraph that I extracted was that "You can just enter all 2-digit combinations

00:02:20.840 --> 00:02:25.240
until you get the right one", "A more sophisticated and fast way to do this is

00:02:25.240 --> 00:02:29.200
to take advantage of the fact that such machines typically do not read two numbers

00:02:29.200 --> 00:02:33.330
at a time, and discard them, but just look for the correct sequence". What is this

00:02:33.330 --> 00:02:41.650
about? In older voicemail systems if you will enter like 1234 for the 2-digit PIN,

00:02:41.650 --> 00:02:47.770
it will not process 12 and 34 to verify the PIN, but it will also process 23,

00:02:47.770 --> 00:02:52.280
which is very interesting. In fact, in Hacking AT&T Answering Machines, again,

00:02:52.280 --> 00:02:56.960
this is amazing from the 90s or 80s, we actually get the correct sequence to cover

00:02:56.960 --> 00:03:01.230
the entire 2-digit key space. So, if you enter all these, you are basically brute

00:03:01.230 --> 00:03:05.770
forcing the entire key space, without having to enter in the entire thing that

00:03:05.770 --> 00:03:11.541
covers it. I also learned, from A Tutorial of Aspen Voice Mailbox Systems, that in

00:03:11.541 --> 00:03:16.319
the 80s there were default passwords. Surprise, surprise! But also that as

00:03:16.319 --> 00:03:21.660
humans, we actually have patterns when we choose PINs. And so we have the classics:

00:03:21.660 --> 00:03:28.230
1111, 9999, 1234.
And another thing that I learned in Hacking Answering Machines in

00:03:28.230 --> 00:03:32.700
the 90s, was that "There is also the old 'change the message' secret to make it say

00:03:32.700 --> 00:03:36.970
something to the effect of this line accepts all toll charges so you can bill

00:03:36.970 --> 00:03:41.849
third party calls to that number". This is basically a trick used by inmates to get

00:03:41.849 --> 00:03:46.160
free calls. Basically, they would record in the voicemail a greeting message "yes,

00:03:46.160 --> 00:03:49.750
yes, yes", so when the automated system comes in and asks "Do you want to accept

00:03:49.750 --> 00:03:53.890
the toll charges from the call from the penitentiary?", it will go and they will be

00:03:53.890 --> 00:03:59.940
able to do free calls. So, condensing everything and summarizing what I

00:03:59.940 --> 00:04:04.350
learned from looking at what previous hackers did in the 80s: we know that the

00:04:04.350 --> 00:04:08.780
voicemail system security looked like... there were default PINs, there were common

00:04:08.780 --> 00:04:12.650
PINs, there were bruteforceable PINs, there was efficient bruteforcing because we can

00:04:12.650 --> 00:04:16.779
enter multiple PINs at the same time, that the greeting message is actually an attack

00:04:16.779 --> 00:04:21.470
vector. So let's play a game. Let's do a checklist and let's look at the voicemail

00:04:21.470 --> 00:04:26.970
security today. So, I looked at the American carriers because I live in the

00:04:26.970 --> 00:04:32.340
US, but because I was invited to talk in Germany, I took some friends to give me

00:04:32.340 --> 00:04:37.190
some SIM cards and I actually wanted to put about German carriers as well.
So,

00:04:37.190 --> 00:04:41.490
checklist time, default PINs: all American carriers do have default PINs and

00:04:41.490 --> 00:04:45.940
unfortunately they are really not a secret because most of them is actually the last

00:04:45.940 --> 00:04:51.060
digits of your phone number. When it comes to German carriers it's actually a much

00:04:51.060 --> 00:04:54.840
better state, for example Vodafone it's the last 4 digits of the client number

00:04:54.840 --> 00:04:59.530
which you don't know. I mean, you know as the customer, not others, it's a secret.

00:04:59.530 --> 00:05:03.650
Or if it comes to the CallYa, that is the card that I got, it's the last 4 digits of

00:05:03.650 --> 00:05:07.440
the PUK. For Telekom it's the last 4 digits of the card number, which is the

00:05:07.440 --> 00:05:11.590
card you get with the SIM card. For O2, unfortunately, there is a default PIN,

00:05:11.590 --> 00:05:18.440
which is 8705, which is the only PIN you can't set, when you choose to set one.

00:05:18.440 --> 00:05:23.680
Yeah. So, voicemail security today when it comes to common PINs: according to like a

00:05:23.680 --> 00:05:28.180
fantastic research from Data Genetics, this is actually about people choosing

00:05:28.180 --> 00:05:33.530
PINs for their credit cards, but there were a lot of conclusions that I learned from

00:05:33.530 --> 00:05:38.500
this research and basically, to summarize the most important regarding this work, is

00:05:38.500 --> 00:05:44.940
that for example by trying the top 20 most common PINs, you have a 22 percent chance

00:05:44.940 --> 00:05:50.060
of getting the right one. What this means in other words is for every fourth victim

00:05:50.060 --> 00:05:53.990
that I tried to brute force the PIN from their voicemail system, I will get it

00:05:53.990 --> 00:05:58.290
right every fourth person. There are other conclusions that are very interesting

00:05:58.290 --> 00:06:08.660
like, the PINs mostly start by 19. Who has an idea why is that?
Birth year, right? It is

00:06:08.660 --> 00:06:13.819
very common to set as your birth year. Most of us were born in the 20th

00:06:13.819 --> 00:06:20.440
century... to set it as a PIN. Bruteforceable PINs. Same thing in Germany

00:06:20.440 --> 00:06:24.650
and in the US, it accepts 4-digit PINs which, we will see later, is just not

00:06:24.650 --> 00:06:29.970
enough key space. Efficient bruteforcing: all the carriers accept concatenation of

00:06:29.970 --> 00:06:34.880
payload. So, in this case I use it to try different PINs and I don't even have to

00:06:34.880 --> 00:06:38.919
wait for error messages. I just use the pound as kind of like an enter in a

00:06:38.919 --> 00:06:43.270
voicemail system and I can try three PINs at a time. Usually carriers will hang up

00:06:43.270 --> 00:06:46.710
when you enter three PINs wrong, for security purposes, but we will take

00:06:46.710 --> 00:06:52.289
advantage of that. So with everything that I learned from the 80s, I verified that it

00:06:52.289 --> 00:06:56.711
was still a problem today. I decided to write a tool that allows you to brute

00:06:56.711 --> 00:07:01.970
force voicemail systems fast, cheap, easily, efficiently, and undetected. So,

00:07:01.970 --> 00:07:08.179
fast: I used Twilio... who is familiar with Twilio here? Some of you? So Twilio

00:07:08.179 --> 00:07:11.950
is basically an online service that allows you to programmatically interact

00:07:11.950 --> 00:07:15.410
with phone calls. You can make phone calls, interact with them, and all that.

00:07:15.410 --> 00:07:18.780
So I use it to launch hundreds and hundreds of calls at the same time in

00:07:18.780 --> 00:07:24.150
order to brute force PINs. It's cheap! The entire 4-digit keyspace costs 40 dollars.

00:07:24.150 --> 00:07:29.490
So if I want to have a 100 percent chance of getting your 4-digit PIN, I only have

00:07:29.490 --> 00:07:33.460
to pay 40 bucks.
A 50 percent chance, according to the research from Data

00:07:33.460 --> 00:07:37.370
Genetics, it will cost me five dollars. So once every two victims, I will get the

00:07:37.370 --> 00:07:41.490
PIN. Actually, if I want to take a different approach and instead of just

00:07:41.490 --> 00:07:46.620
trying to brute force only yours, I want to brute force the PIN from everyone here,

00:07:46.620 --> 00:07:50.620
according to Data Genetics, and in this case, according to the fact that there are

00:07:50.620 --> 00:07:54.570
default PINs... I'm not going to ask how many of you have O2, now that they know

00:07:54.570 --> 00:07:58.490
that there is a default PIN to their voicemail system. It will be more

00:07:58.490 --> 00:08:03.320
interesting to actually try a thousand phone numbers for that default PIN for O2

00:08:03.320 --> 00:08:08.410
customers, only for 13 dollars. It's easy: fully automated, the tool does everything

00:08:08.410 --> 00:08:11.770
for you, you just have to provide the victim number, the carrier, and a couple

00:08:11.770 --> 00:08:16.091
other parameters and it's efficient! It optimizes brute forcing, I use the

00:08:16.091 --> 00:08:20.910
research from Data Genetics to favor the PINs that are most common, and obviously

00:08:20.910 --> 00:08:25.350
it tries different PINs and all that stuff. But the most important here is

00:08:25.350 --> 00:08:28.750
detection, because think about it. In order for me to interact with your

00:08:28.750 --> 00:08:33.049
voicemail system I need to call you and you cannot pick up, because if not, it

00:08:33.049 --> 00:08:36.539
doesn't go to the voicemail system. So I was trying to find ways, because I need

00:08:36.539 --> 00:08:41.938
to, in the end, make a lot of calls, trying different PINs. How can I interact

00:08:41.938 --> 00:08:46.100
directly with your voicemail?
I tried call flooding, like basically doing three calls

00:08:46.100 --> 00:08:49.810
at a time, because the line gets flooded just with three calls, it goes directly to

00:08:49.810 --> 00:08:54.220
the voicemail, but it wasn't very reliable. You can use OSINT techniques, a

00:08:54.220 --> 00:08:57.290
lot of people like to tweet that they, you know, they go on a trip, they are

00:08:57.290 --> 00:09:01.980
about to board a plane, so it goes into airplane mode, or you go in a remote area,

00:09:01.980 --> 00:09:06.850
or you are in a movie theater, or at night you put in Do Not Disturb. Those are all

00:09:06.850 --> 00:09:12.300
situations in which calls go directly to the voicemail. You can use HLR databases to

00:09:12.300 --> 00:09:17.529
find out if mobile devices are disconnected or the SIM cards have been

00:09:17.529 --> 00:09:21.720
discarded, but they are still assigned to an account. And you can use online

00:09:21.720 --> 00:09:25.800
services like realphonevalidation.com which I actually reached out to and they

00:09:25.800 --> 00:09:30.300
provide services that allow you to know if a phone is actually connected to a tower

00:09:30.300 --> 00:09:34.870
at the moment, so it's basically available, so you could use that too. You

00:09:34.870 --> 00:09:40.509
can also use class 0 SMS, which gives you feedback. It's basically a type of SMS

00:09:40.509 --> 00:09:45.570
that will... it has more priority and will basically display on the screen and you'll

00:09:45.570 --> 00:09:49.519
get the feedback if it was displayed. So, that's a nice trick to find out if the

00:09:49.519 --> 00:09:55.259
phone actually connected to a tower. But in reality, I wanted a bulletproof way to

00:09:55.259 --> 00:09:59.480
do this and in the U.S. I found that there is this concept of backdoor voicemail systems.
00:09:59.480 --> 00:10:03.019
So instead of me calling you, I'm going to call one of these services that you guys

00:10:03.019 --> 00:10:08.129
have listed here for every carrier and there I enter the number, in this case the

00:10:08.129 --> 00:10:11.769
number of the victim from the voicemail I want to interact to. And of course it

00:10:11.769 --> 00:10:16.069
allows you to access the login prompt. Actually in Germany I find it

00:10:16.069 --> 00:10:19.740
interesting that you guys have it as a service, because in the US it's more a

00:10:19.740 --> 00:10:24.589
secret that I had to find using Google, but here... Basically if I dial your phone

00:10:24.589 --> 00:10:28.029
number and when it comes to Vodafone between the area code and the rest of the

00:10:28.029 --> 00:10:33.889
number I put 55, or for Telekom 13, or for O2 33, I directly go to the voicemail, you

00:10:33.889 --> 00:10:37.469
won't ring your phone. So I can use that. Who was aware of this, that is from

00:10:37.469 --> 00:10:42.439
Germany? OK, many of you. So that's what I thought. Like here it's not really like

00:10:42.439 --> 00:10:46.569
something you guys care too much about. In the U.S. it's actually used a lot for

00:10:46.569 --> 00:10:53.429
scammers or to leave directly voicemail messages from spammers as well. So,

00:10:53.429 --> 00:10:56.809
voicemailcracker actually takes advantage of backdoor numbers, so it allows you to

00:10:56.809 --> 00:11:00.119
be undetected. I don't need to call you, I don't need to wait till you are flying, I

00:11:00.119 --> 00:11:04.399
can do that. And for example for the U.S. it's great, because when I launch that

00:11:04.399 --> 00:11:08.549
many calls, the line gets flooded even if you are offline. But when I use these

00:11:08.549 --> 00:11:14.959
backdoor voicemail systems, because they are meant to be used by everyone, those

00:11:14.959 --> 00:11:19.320
don't get flooded.
So I literally make hundreds and hundreds of calls and it

00:11:19.320 --> 00:11:25.339
never fails. So, but you know like carriers, or some of them, add brute

00:11:25.339 --> 00:11:28.799
force protections, right? So that you can't actually launch brute forcing

00:11:28.799 --> 00:11:32.929
attacks. And I looked at the German carriers and for example Vodafone, I saw

00:11:32.929 --> 00:11:37.619
that it resets the 6 digit PIN and sends it over SMS. So, I guess I can flood your

00:11:37.619 --> 00:11:41.260
phone with text but who cares, that's not a big deal, but I think it's actually a

00:11:41.260 --> 00:11:45.709
pretty effective measure against voicemail... against brute forcing.

00:11:45.709 --> 00:11:48.660
Telekom blocks the Caller ID from accessing the mailbox or even leaving

00:11:48.660 --> 00:11:53.220
messages. I tried and after six times that it's wrong every time, I call it says

00:11:53.220 --> 00:11:56.949
"Hey, you can't do anything", and it hangs up. And for O2 it connects directly to the

00:11:56.949 --> 00:12:01.059
customer help-line, but someone started talking German and my German is not that

00:12:01.059 --> 00:12:08.410
good. So brute force, I wanted to be able to bypass this writing and so if you look

00:12:08.410 --> 00:12:12.869
at Telekom I mentioned that it blocks the caller I.D. but it turns out that Twilio

00:12:12.869 --> 00:12:16.959
you can actually buy caller IDs you can, well, you can buy phone numbers, right?

00:12:16.959 --> 00:12:22.509
and they are really cheap. So it's very easy for me to do randomization of caller

00:12:22.509 --> 00:12:28.329
I.D.s for very very cheap and bypass Telekom's brute force protection. So

00:12:28.329 --> 00:12:33.009
voicemailcracker also supports that. It supports caller ID randomization. So let's

00:12:33.009 --> 00:12:38.490
make the first demo. So as you can see here on the left is the victim's mobile

00:12:38.490 --> 00:12:43.789
device, and on the right is the tool.
And in this case I'm going to use the brute

00:12:43.789 --> 00:12:47.509
force option. The brute force option allows me to basically brute force the

00:12:47.509 --> 00:12:51.940
PIN. It makes hundreds of calls as I explained and it'll try to guess it. And

00:12:51.940 --> 00:12:55.070
there is a number of parameters like the victim number, the carrier... the carrier

00:12:55.070 --> 00:12:58.990
is important because they put their specific payloads for every single carrier

00:12:58.990 --> 00:13:03.589
because all the voicemail systems are different, how you interact with them, and

00:13:03.589 --> 00:13:06.869
in this case I'm using a backdoor number because it's more efficient. And then

00:13:06.869 --> 00:13:11.109
there is no detection. And in this case I did the option of top PIN. So this is

00:13:11.109 --> 00:13:17.499
basically trying the top 20 PINs according to the research for four digits. So as you

00:13:17.499 --> 00:13:21.639
can see it's trying actually three PINs at a time as I mentioned before rather than

00:13:21.639 --> 00:13:26.959
one. So we have to do a third of the calls, right? And how do you

00:13:26.959 --> 00:13:34.390
think that I'm detecting if the PIN was correct or not? Any ideas?

00:13:34.390 --> 00:13:40.170
Unintelligible suggestion from audience M.V.: OK. So the disconnect and hang up.

00:13:40.170 --> 00:13:43.879
That's what I heard. And that's exactly right. If you think about it I can look at

00:13:43.879 --> 00:13:48.170
the call duration because when I try three PINs and it hangs up it's always the

00:13:48.170 --> 00:13:54.379
same call duration. For T-Mobile in this case it's like 18 seconds. So I instruct

00:13:54.379 --> 00:13:58.110
Twilio to, after dialing and putting the payload to interact with the voicemail

00:13:58.110 --> 00:14:03.109
system trying the PINs, to wait 10 extra seconds.
So all I got to do, I don't need

00:14:03.109 --> 00:14:07.509
any sound processing to try to guess what the voicemail voice is telling me if it's

00:14:07.509 --> 00:14:11.069
correct or not. I just use the call duration. So if the call duration is ten

00:14:11.069 --> 00:14:15.549
times longer then I know that's the right PIN because it logged in. So as

00:14:15.549 --> 00:14:19.239
you can see it found out one of those three is actually the correct one: in this

00:14:19.239 --> 00:14:24.649
case it's 1983. So in order to give you the exact one because at that time it

00:14:24.649 --> 00:14:29.389
tried the three of them, now it's trying one by one and it may look like it's

00:14:29.389 --> 00:14:35.350
taking longer than it should for only 20 PINs but remember failing PINs is very

00:14:35.350 --> 00:14:38.989
very quick. It's just that because in the top 20 it found already the right PIN it

00:14:38.989 --> 00:14:46.219
takes longer than it should, and there you go. We got that it's 1983. Awesome. So

00:14:46.219 --> 00:14:50.410
what is the impact really, why am I here talking to you at CCC that has such

00:14:50.410 --> 00:14:55.560
amazing talks, right? And this is really the thing about this. No one cares about

00:14:55.560 --> 00:15:00.720
the voicemail. Probably if I ask here, who knows his own voicemail PIN?

00:15:00.720 --> 00:15:05.329
laughter M.V.: Nice. That's what I was expecting.

00:15:05.329 --> 00:15:09.869
Probably less hands here. So some of them are lying but that's the thing, right? We

00:15:09.869 --> 00:15:13.910
don't care about the voicemail. We don't even use it, which is the crazy thing

00:15:13.910 --> 00:15:18.309
here. We have an open door for discussing an issue that we don't even

00:15:18.309 --> 00:15:23.290
know about or we don't even remember. So many people are not familiar with the fact

00:15:23.290 --> 00:15:27.869
that you can reset passwords over phone call.
We are familiar with resetting

00:15:27.869 --> 00:15:32.699
passwords over e-mail. You get a unique link, maybe over SMS you get a code that

00:15:32.699 --> 00:15:36.809
you then have to enter in the UI. But a lot of people cannot receive SMS, or

00:15:36.809 --> 00:15:41.990
that's what services claim. So they allow you to provide that temporary code over a

00:15:41.990 --> 00:15:46.559
phone call, and that's exactly what we take advantage of, because I ask you what

00:15:46.559 --> 00:15:50.909
happens if you don't pick up the phone if basically I go to a service,

00:15:50.909 --> 00:15:55.209
enter your e-mail or your phone number and reset a password, and everyone can do

00:15:55.209 --> 00:16:01.989
that. Anyone can reset it, initiate the reset password process, and I know that

00:16:01.989 --> 00:16:05.709
you are not going to pick up the phone. I know that thanks to my tool I got access

00:16:05.709 --> 00:16:09.759
to your voicemail system. So basically the voicemail system will pick up the call and

00:16:09.759 --> 00:16:15.309
it will start recording, so it will record the voice spelling out the code that I

00:16:15.309 --> 00:16:22.569
need to basically reset your account and get access to it. So -- oops! -- and I

00:16:22.569 --> 00:16:26.570
press play here. Static

00:16:26.570 --> 00:16:31.319
M.V.: Okay, so, what does the attack vector look like? You brute force the

00:16:31.319 --> 00:16:35.799
voicemail system using the tool, ideally using backdoor numbers. For that

00:16:35.799 --> 00:16:38.779
particular call -- that is, the call that the victim will receive once you initiate

00:16:38.779 --> 00:16:42.369
the password reset -- that one cannot go through the backdoor number, right?,

00:16:42.369 --> 00:16:45.849
because it's gonna-- PayPal is gonna directly call the victim.
So for that one

00:16:45.849 --> 00:16:50.149
you need to make sure that the victim is not connected to a tower through all the

00:16:50.149 --> 00:16:53.979
methods that I showed before. You start the password reset process using the

00:16:53.979 --> 00:16:57.799
economy feature. You listen to the recorded message, secret code and profit.

00:16:57.799 --> 00:17:01.679
You hijacked that account, and Voicemailcracker can do all that for you.

00:17:01.679 --> 00:17:09.549
Let's compromise WhatsApp. So on the left you see my number, right?, with a secret

00:17:09.549 --> 00:17:13.939
lover group, and a secret group, and all that stuff. On the right notice that I'm

00:17:13.939 --> 00:17:19.709
not even using an actual device. It's an Android emulator that I installed, an APK.

00:17:19.709 --> 00:17:23.809
And there is some sound to this, and you are gonna see -- so again on your left

00:17:23.809 --> 00:17:27.898
it's the victim's number. On the right is an emulator of the attacker. So you'll see

00:17:27.898 --> 00:17:33.919
that I'm going to use my tool with the message payload, with the message option.

00:17:33.919 --> 00:17:38.520
So in this case what I'm doing is I'm setting the victim's phone to airplane

00:17:38.520 --> 00:17:43.880
mode, simulating that it's now offline for some reason, and I detected that. So if

00:17:43.880 --> 00:17:50.680
you see, WhatsApp allows-- sends you a text to actually register as a WhatsApp user,

00:17:50.680 --> 00:17:54.880
but if you don't reply in a minute it allows you-- it gives you an option to

00:17:54.880 --> 00:17:59.430
call, to call me, right? And that's exactly what I click. So now WhatsApp is

00:17:59.430 --> 00:18:04.080
basically calling the victim which is again in airplane mode, because he went on

00:18:04.080 --> 00:18:08.600
a remote trip or on a plane, and so I'm using Voicemailcracker with the option

00:18:08.600 --> 00:18:14.059
"message" to automatically retrieve that newest message.
So the tool is gonna

00:18:14.059 --> 00:18:17.589
provide me, as you can see the last option is the PIN, because I brute forced it

00:18:17.589 --> 00:18:21.960
before. So it's going to give me a URL with the recording of the newest message,

00:18:21.960 --> 00:18:29.529
which, hopefully -- it's a recorded demo -- hopefully contains actually the code.

00:18:29.529 --> 00:18:46.079
So let's see... I got the URL. Phone alert sound

00:18:46.079 --> 00:18:48.760
Computerized phone voice: New Message! -- M.V.: It's interacting with the voicemail

00:18:48.760 --> 00:18:50.550
system right now. Phone voice: -- your verification code is:

00:18:50.550 --> 00:19:01.440
3 6 5 9 1 5. Your verification code is: 3 6 5 9 1 5. Your ver--

00:19:01.440 --> 00:19:06.059
M.V.: And that simple. We just hijacked that person's WhatsApp, and I -- here I'm

00:19:06.059 --> 00:19:08.819
fast forwarding just to show you-- Applause

00:19:08.819 --> 00:19:18.760
M.V.: --that you get actually that. Thank you. I do want to point out that WhatsApp

00:19:18.760 --> 00:19:21.841
is super secure, it like-- end to end encryption all that -- and there is a

00:19:21.841 --> 00:19:25.179
number of things that you can notice this attack. For example you wouldn't be able

00:19:25.179 --> 00:19:28.690
to see the previous messages that were there but you can just hold on and ask

00:19:28.690 --> 00:19:32.910
people, right? The groups will pop up. So you hijacked that WhatsApp account. There

00:19:32.910 --> 00:19:37.559
is also fingerprinting. But who really pays attention to the fingerprinting when

00:19:37.559 --> 00:19:43.440
someone changes the device, right? So are we done? Not yet. Because the truth is,

00:19:43.440 --> 00:19:48.029
some researchers talked about this in the past and actually services tried to

00:19:48.029 --> 00:19:52.159
slowly pick up. So that is actually something that I found in several

00:19:52.159 --> 00:19:56.710
services.
That is what I call the user interaction based protection. So when you

00:19:56.710 --> 00:20:01.060
receive that phone call that provides you with the temporary code in reality it's

00:20:01.060 --> 00:20:04.700
not giving it away. You have to press a key. It comes in three different flavors

00:20:04.700 --> 00:20:08.530
from what I found from my tests. Please press any key to hear the code, so when

00:20:08.530 --> 00:20:11.679
you get the call, you have to press, and then it will tell you the code; please

00:20:11.679 --> 00:20:15.950
press a random key so specifically please press 1, please press 2, or please enter

00:20:15.950 --> 00:20:20.090
the code. PayPal does that, and instead of you having to press a key to hear the code

00:20:20.090 --> 00:20:24.289
when you reset the password you will see a four digit code that you have to enter

00:20:24.289 --> 00:20:29.140
when you receive the call and then it will reset the password. So I'm going to get

00:20:29.140 --> 00:20:33.680
the help from all of you guys. Can we beat this currently recommended protection, what

00:20:33.680 --> 00:20:37.920
is nowadays recommended to prevent these kinds of attacks? And we're going to play a

00:20:37.920 --> 00:20:44.590
game. I'm going to give you two hints. This is the first one. So, you probably

00:20:44.590 --> 00:20:48.510
guys are familiar with this, but Captain Crunch. Again we go back today it is we

00:20:48.510 --> 00:20:54.509
can learn so much from them, use this to generate specific sounds at a specific

00:20:54.509 --> 00:20:58.169
frequency to basically -- you can go and read it -- to get free international

00:20:58.169 --> 00:21:02.549
calls. So he will create that sound and the system will process it on the

00:21:02.549 --> 00:21:07.430
line. And the second one is that I cheated. When we did the checklist, I

00:21:07.430 --> 00:21:11.750
actually skipped one, which was the greeting message is an attack vector.
So I

00:21:11.750 --> 00:21:16.549
ask you guys how can we bypass the protection that requires user interaction

00:21:16.549 --> 00:21:20.129
in order to get the code recorded on the voicemail system?

00:21:20.129 --> 00:21:26.269
Inaudible suggestion from audience M.V.: What was that?... Exactly. Record

00:21:26.269 --> 00:21:31.470
DTMF tones as the greeting message. We own the voicemail system so we can alter the

00:21:31.470 --> 00:21:36.729
greeting message. So this is exactly how it works: We just alter the greeting

00:21:36.729 --> 00:21:42.260
message, we call the DTMF that the system is expecting and it works every single

00:21:42.260 --> 00:21:48.039
time. The best thing of this is what really is so awesome about all of us

00:21:48.039 --> 00:21:52.169
that really care about technology. We want to have a deep understanding because when

00:21:52.169 --> 00:21:57.049
I was asking people when, you know, I wanted to show them this I was asking them

00:21:57.049 --> 00:22:01.480
how does this protection really work. And they will say well you have to press a key

00:22:01.480 --> 00:22:05.789
and then you know it will give you the code. But that's not really true.

00:22:05.789 --> 00:22:09.490
What you have to do is to provide a specific sound that the system is

00:22:09.490 --> 00:22:13.990
expecting. That is different than saying you have to press a key, because if you

00:22:13.990 --> 00:22:18.520
say I have to press a key that requires physical access. If you say I have to

00:22:18.520 --> 00:22:22.460
provide a sound, now we know it doesn't require physical access. That is why

00:22:22.460 --> 00:22:26.490
hackers are so cool, because we really want to understand what is happening

00:22:26.490 --> 00:22:30.720
backstage, and we take advantage of that. So how does the attack vector look like?

00:22:30.720 --> 00:22:34.090
Bruteforcing voicemail systems as before.
So basically we have an extra step which

00:22:34.090 --> 00:22:38.121
is update the greeting message according to the account to be hacked.

00:22:38.121 --> 00:22:40.929
Voicemailcracker can do that for you. Let's compromise PayPal.

00:22:40.929 --> 00:22:46.990
Laughter M.V.: So on the left side you see that as

00:22:46.990 --> 00:22:53.330
before I brute force the PIN of the voicemail. And in this case on the right side

00:22:53.330 --> 00:23:00.769
I'm going to start a password reset for that account. So I do that and I choose

00:23:00.769 --> 00:23:05.799
"please call me with a temporary code". But in this case PayPal works differently

00:23:05.799 --> 00:23:10.139
because it will show me a four digit code that I need to enter when I receive the

00:23:10.139 --> 00:23:15.690
call in order to reset the password. So you see that here I'm using the greeting

00:23:15.690 --> 00:23:20.310
option. So the greeting is going to allow me to enter a payload that I want to

00:23:20.310 --> 00:23:26.270
record as the greeting message. In this case it is 6 3 5 3. So I may be very very

00:23:26.270 --> 00:23:31.500
verbose for this demo. There you see the last option, use PayPal code, and I

00:23:31.500 --> 00:23:36.989
enter 6 3 5 3. Now the tool is going to use the PIN to log into the voicemail

00:23:36.989 --> 00:23:42.350
system, interact with it, change the greeting message, record the DTMF tones

00:23:42.350 --> 00:23:50.759
according to 6 3 5 3 and then it should be able to fool the call. In this case I'm

00:23:50.759 --> 00:23:55.860
asking to call again, because it didn't have enough time to do that. And in 3 2 1

00:23:55.860 --> 00:24:00.690
we should get that we actually compromised PayPal's account, and there we go. We can

00:24:00.690 --> 00:24:05.200
now set our own password. Applause

00:24:05.200 --> 00:24:14.580
M.V.: Thank you. So, I showed you some vulnerable servers.
Let's go very quick

00:24:14.580 --> 00:24:19.240
about it because I'm concerned I'm running out of time. So, I'm just

00:24:19.240 --> 00:24:23.490
mentioning Alexa top 100 types of services, no favoring anything, but... so

00:24:23.490 --> 00:24:27.610
for password reset that supports over phone call: PayPal, Instagram-- no,

00:24:27.610 --> 00:24:35.059
Snapchat-- Netflix, eBay, LinkedIn. I'm still on Facebook. What can I say? 2FA for

00:24:35.059 --> 00:24:38.279
all the major platforms, so 2FA over phone call for Apple, Google, Microsoft,

00:24:38.279 --> 00:24:42.289
Yahoo... Verification: So basically you don't register with a username and

00:24:42.289 --> 00:24:47.020
password on WhatsApp or Signal, you actually use directly the phone number,

00:24:47.020 --> 00:24:50.790
right? As we saw before, and you register through a phone call or SMS. So you can

00:24:50.790 --> 00:24:54.710
compromise this too. Twilio, the very service that I use for this, is actually

00:24:54.710 --> 00:25:00.519
really cool because you can own a caller I.D. by verifying it by getting a phone

00:25:00.519 --> 00:25:05.460
call so I can actually own your caller ID and make calls on your behalf, send texts,

00:25:05.460 --> 00:25:10.039
and all of this legitimately, right?, because you've pressed one. Google Voice,

00:25:10.039 --> 00:25:13.289
it's actually another interesting service because it's used a lot by scammers,

00:25:13.289 --> 00:25:17.009
right? And this is the same thing: you have to verify ownership so you can do

00:25:17.009 --> 00:25:21.549
those phone calls and you can fool it as well with this, but I found, I was looking

00:25:21.549 --> 00:25:24.730
like what other services really take advantage of this? And this is super

00:25:24.730 --> 00:25:30.789
common in San Francisco, where I live.
You can buzz in people like when they want to

00:25:30.789 --> 00:25:35.279
enter, right?, they enter your house number, and then your phone rings and you

00:25:35.279 --> 00:25:39.449
press any key to open the door. So we are talking about physical security now. And

00:25:39.449 --> 00:25:44.019
I've seen this in offices as well. They all work this way, basically because they

00:25:44.019 --> 00:25:47.769
want to be able -- for tenants, that you know, come and go -- be able to switch

00:25:47.769 --> 00:25:52.620
that very quickly. So it works just through the phone that you buzz people in.

00:25:52.620 --> 00:25:56.710
But my favorite is consent, because when we think about consent we think about

00:25:56.710 --> 00:26:00.779
lawyers and we think about signing papers and we think about all of these difficult

00:26:00.779 --> 00:26:07.799
things. And I found out about this Location Smart service that is no longer

00:26:07.799 --> 00:26:15.190
there, and you will see why... But this was recently in the news because, basically,

00:26:15.190 --> 00:26:19.690
Brian Krebs wrote a really great article about it. But I'm going to let you hear,

00:26:19.690 --> 00:26:23.389
from their YouTube channel, how Location Smart works.

00:26:23.389 --> 00:26:30.380
LS vid speaker 1: The screen that you're showing, that you're seeing right now is a

00:26:30.380 --> 00:26:36.800
demo that we have on our Web site, it's at location smart.com/pride, and I've entered

00:26:36.800 --> 00:26:43.190
my name, my email, my mobile phone number, and it's again going to get my permission

00:26:43.190 --> 00:26:48.470
by calling my phone, and then it'll locate. So let's go ahead and, I clicked

00:26:48.470 --> 00:26:55.100
the box to say yes I agree, click the locate, and the screen now shows that it's

00:26:55.100 --> 00:26:58.170
going to call my device to get my permission.
00:26:58.170 --> 00:27:03.680
vid speaker's phone vibrates, sounds like an airhorn in video
LS vid speaker 2: Heh, that's a nice ring

00:27:03.680 --> 00:27:05.610
tone --
M.V.: No, it's not--

00:27:05.610 --> 00:27:09.620
LS vid speaker 1's phone: To log into Location Smart Services, press 1 or say

00:27:09.620 --> 00:27:16.870
'Yes'. To repeat, press 2 or say 'Repeat'.
LSVS1: Yes

00:27:16.870 --> 00:27:21.809
Phone: Congratulations. You have been opted in to Location Smart Services.

00:27:21.809 --> 00:27:23.419
Goodbye
M.V.: So as you see, this service, this

00:27:23.419 --> 00:27:30.091
Web site had a free demo that allows you to put in a phone number

00:27:30.091 --> 00:27:33.639
-- yours, of course -- and you will get a phone call and then you will give

00:27:33.639 --> 00:27:38.499
permission by pressing one. So someone could locate you and keep tracking -- I

00:27:38.499 --> 00:27:47.970
mean, I checked with them -- for up to 30 days, real time. So now you know why they

00:27:47.970 --> 00:27:51.580
don't exist anymore!
Applause

00:27:51.580 --> 00:28:00.810
M.V.: Open source..
More Applause

00:28:00.810 --> 00:28:05.490
M.V.: Open source. So, and this was with the permission of the carriers. This was

00:28:05.490 --> 00:28:11.740
not some fishy thing. This was actually a service. So I wanted to release code,

00:28:11.740 --> 00:28:15.009
because I want you guys to verify that what I mentioned is true and have code to

00:28:15.009 --> 00:28:20.490
hopefully help push the industry forward to make voicemail systems more secure,

00:28:20.490 --> 00:28:24.990
right? We want to push carriers to do so. But I didn't want to provide a tool

00:28:24.990 --> 00:28:29.639
that works out of the box and anyone can very easily, as we saw, like just start to

00:28:29.639 --> 00:28:32.929
bruteforce pins, especially because I saw that there are so many people with the

00:28:32.929 --> 00:28:37.280
default PINs out there.
So I just removed the brute forcing, so the tool allows you

00:28:37.280 --> 00:28:41.220
to test it on your own. You can test, you know, you can test the greeting message,

00:28:41.220 --> 00:28:45.010
you can test retrieving messages, compromising the services and all that. So

00:28:45.010 --> 00:28:48.221
the tool allows you to test on your own device. I won't give you code to brute

00:28:48.221 --> 00:28:54.220
force someone else's device. And feel free to go to my github repo. So now, like in all

00:28:54.220 --> 00:28:59.309
the talks, come the recommendations, but I know what you guys are thinking, right?

00:28:59.309 --> 00:29:02.509
When someone comes with all this paranoia and stuff you still think "yeah but you

00:29:02.509 --> 00:29:07.080
know still like no one is gonna come after me. I don't have anything to hide" or

00:29:07.080 --> 00:29:11.330
anything like that. So I wanted to give you reasons why you should still care

00:29:11.330 --> 00:29:17.490
about this, and why we need to do better. Because do carriers set default PINs? Yes,

00:29:17.490 --> 00:29:23.350
we saw that. Is testing for default pins cheap, fast, undetected, and automatable?

00:29:23.350 --> 00:29:28.899
Yes it is. Is updating the greeting message automatable? Yes it is. Is retrieving

00:29:28.899 --> 00:29:34.929
the newest message automatable? Yes it is. Is there speech to text transcription, so

00:29:34.929 --> 00:29:39.190
that I can get the sound that I played before with the code and get it in text?

00:29:39.190 --> 00:29:45.920
Yeah. Twilio gives you that as well. So can the account compromise process be

00:29:45.920 --> 00:29:49.640
automated? Of course, you can use Selenium if you want to automate the UI.

00:29:49.640 --> 00:29:55.549
Or you can use a Web proxy and look at the APIs and do it yourself.
So it is only a

00:29:55.549 --> 00:30:00.629
matter of time that someone actually does all these steps that I showed you step by

00:30:00.629 --> 00:30:05.350
step and just makes it all straight and starts to go over phone numbers trying the

00:30:05.350 --> 00:30:10.389
default PINs, and just automatically compromising services like WhatsApp, like

00:30:10.389 --> 00:30:16.140
PayPal and all that. You can do basically, not a worm, but, you know, you can

00:30:16.140 --> 00:30:20.700
compromise a lot of devices without doing anything. Recommendations for online

00:30:20.700 --> 00:30:24.879
services. Don't use automated calls for security purposes. If not possible, detect

00:30:24.879 --> 00:30:28.270
answering machines and fail. I mean this is not very accurate and you can still

00:30:28.270 --> 00:30:33.630
trick it. Require user interaction before providing the secret. I just showed you how

00:30:33.630 --> 00:30:39.630
to bypass that, but that's with the hope that carriers ban DTMF tones from the greeting

00:30:39.630 --> 00:30:44.370
message. I don't see why that should be supported, right? Recommendations for

00:30:44.370 --> 00:30:48.119
carriers. The most important thing: Ban DTMF tones from the greeting message,

00:30:48.119 --> 00:30:53.250
eliminate backdoor voicemail services, or at least give no access to the login

00:30:53.250 --> 00:30:57.080
prompt, right? There is no reason why you should be able to access your voicemail

00:30:57.080 --> 00:31:01.710
directly to leave a message. But then I can access the login prompt by pressing

00:31:01.710 --> 00:31:05.749
star. Voicemail disabled by default. This is very important and can only be

00:31:05.749 --> 00:31:10.100
activated from the actual phone, or online maybe with a special code. Oh great,

00:31:10.100 --> 00:31:15.730
I have time for questions. No default pins.
Learn from the German carriers:

00:31:15.730 --> 00:31:19.399
don't allow common pins, detect and prevent brute force attempts, don't

00:31:19.399 --> 00:31:23.619
process multiple pins at once. Recommendations for you, which is, in the

00:31:23.619 --> 00:31:28.389
end, very important here. Disable the voice mail if you don't use it. I found

00:31:28.389 --> 00:31:31.760
though that with some carriers, through the backdoor voicemail numbers, you

00:31:31.760 --> 00:31:37.330
are unable to activate it again. So kind of sucks. So I guess use the longest

00:31:37.330 --> 00:31:41.649
possible random pin. Don't provide phone numbers to online services unless

00:31:41.649 --> 00:31:45.680
required, or it is the only way to get 2FA. 2FA is more important. Use a virtual

00:31:45.680 --> 00:31:50.250
number to prevent OSINT, like a Google Voice number, so no one can, you know, learn

00:31:50.250 --> 00:31:55.399
about your phone number digits by resetting the password or do SIM swapping.

00:31:55.399 --> 00:31:59.660
Use 2FA apps only. And I always like to finish my talk with one line that kind of

00:31:59.660 --> 00:32:03.519
summarizes everything. Automated phone calls are a common solution for password

00:32:03.519 --> 00:32:07.129
reset, 2FA, verification, and other services. These can be compromised by

00:32:07.129 --> 00:32:11.379
leveraging old weaknesses and current technology to exploit the weakest link:

00:32:11.379 --> 00:32:15.050
voicemail systems. Thank you so much. Thank you very much, CCC!

00:32:15.050 --> 00:32:33.129
Applause
Herald Angel: Thank you, Martin. We have

00:32:33.129 --> 00:32:37.450
time for questions, so if you have any questions or if someone on the Internet

00:32:37.450 --> 00:32:44.989
has questions just go to these microphones. Where is the microphone?

00:32:44.989 --> 00:32:50.020
You've got it. Yes. You were black and the microphone too. So maybe you start and we

00:32:50.020 --> 00:32:55.830
take the question from the Internet.
Q: Yes I have a question. You mentioned

00:32:55.830 --> 00:33:02.510
that the phone needed to be offline. Would a call like a simultaneous call to the phone

00:33:02.510 --> 00:33:11.049
that it would be in what is called in English - besetzt? - like occupied, so let's

00:33:11.049 --> 00:33:19.720
say I already called the victim. So the caller gets, yeah, the line's occupied,

00:33:19.720 --> 00:33:21.960
that would then go to voicemail, wouldn't it?

00:33:21.960 --> 00:33:26.350
M.V.: So that's a great question. I think the question is if you are on a call and

00:33:26.350 --> 00:33:31.429
someone else calls you, so your attack will be: I somehow make up a story to keep

00:33:31.429 --> 00:33:34.980
the person on the phone call while I launch other calls... that will work. I

00:33:34.980 --> 00:33:38.850
tried that but the problem is usually to force, I mean that will not be too big of

00:33:38.850 --> 00:33:41.860
a deal I guess but it supports two calls, right. They will warn you that there is

00:33:41.860 --> 00:33:45.719
another incoming call. But I guess you could keep doing more. So that's what I

00:33:45.719 --> 00:33:50.509
meant partly with call flooding. In that case what I tried was just launching

00:33:50.509 --> 00:33:53.909
all of them at the same time. And if the person picks up I don't care, but it's

00:33:53.909 --> 00:33:57.490
somewhat related to what you mentioned and that's definitely possible.

00:33:57.490 --> 00:33:59.300
Questioner: Okay. Thank you.
M.V.: Yeah.

00:33:59.300 --> 00:34:03.739
Herald: Question from the internet please
Signal Angel: Does this work with the

00:34:03.739 --> 00:34:07.879
phone calls that start talking immediately, will the new code be

00:34:07.879 --> 00:34:12.159
recorded then?
M.V.: If I understood the question

00:34:12.159 --> 00:34:16.429
correctly it's that when the voicemail picks up, like basically the automated

00:34:16.429 --> 00:34:21.230
system that spits out the code already started to talk.
I believe that's the

00:34:21.230 --> 00:34:23.230
question.
Herald: We don't know, it's from the

00:34:23.230 --> 00:34:27.030
Internet.
M.V.: OK so if that is the question I

00:34:27.030 --> 00:34:30.739
found actually that, because usually greeting messages last like 15 seconds, so

00:34:30.739 --> 00:34:35.460
by the time it starts recording you already finish the recording that gives

00:34:35.460 --> 00:34:39.199
you the code, but you own the greeting message so you make it as short as one

00:34:39.199 --> 00:34:44.469
second. And I never found a problem with that. You actually recorded DTMF tones for

00:34:44.469 --> 00:34:47.729
like two seconds.
Herald: Ladies first, let me take your

00:34:47.729 --> 00:34:54.799
question.
Q: You talked about how you learned all of

00:34:54.799 --> 00:35:07.589
that through reading e-zines. How are they called, and how do I find them?

00:35:07.589 --> 00:35:10.979
M.V.: That's the best question I've ever heard and it deserves an applause,

00:35:10.979 --> 00:35:15.770
seriously. I like that because you also want to learn about it. So that's

00:35:15.770 --> 00:35:20.190
really fantastic. So the Phrack Web site is the best resource you can get. I guess

00:35:20.190 --> 00:35:26.730
everyone will agree here. So you just look up, google for Phrack magazine, and there is

00:35:26.730 --> 00:35:32.040
a lot of interesting stuff that we can learn there still today.

00:35:32.040 --> 00:35:36.120
Q: Are there any others?
M.V.: Yeah I mean you can then follow the

00:35:36.120 --> 00:35:42.040
classic. I mean I like Twitter to get my security news because it's very concise so

00:35:42.040 --> 00:35:47.180
I kind of get like, you know, the 140 characters version.. if I'm interested

00:35:47.180 --> 00:35:51.980
then I will read it. So I think you can google for like top security people to

00:35:51.980 --> 00:35:57.510
follow. Brian Krebs is great. It depends also on your technical depth.
There are

00:35:57.510 --> 00:36:03.970
different people for that. And if not, just, you know, specialized blogs and magazines.

00:36:03.970 --> 00:36:06.590
Q: All right. Thanks.
M.V.: Thank you.

00:36:06.590 --> 00:36:10.810
Herald: And your question please.
Q: Hi. And so for me the solution is

00:36:10.810 --> 00:36:14.700
obvious: I just turn off my voicemail. But thinking about some relatives who are

00:36:14.700 --> 00:36:19.170
maybe too lazy or don't really care and still use two factor authentication. I was

00:36:19.170 --> 00:36:24.450
thinking about, could I easily adapt your script to automatically turn off voice

00:36:24.450 --> 00:36:37.569
boxes or generate random pins?
M.V.: You can automate it to turn off the pin. Like

00:36:37.569 --> 00:36:41.600
for example on Vodafone, I don't know why, that allows you to turn off the pin. To turn

00:36:41.600 --> 00:36:47.430
off the voicemail... I don't... I haven't tested that. I think you may have to call

00:36:47.430 --> 00:36:51.569
the IT department but you know what. It would be really great to do that. It would

00:36:51.569 --> 00:36:55.630
be really awesome. Great question. I guess if you can turn it off then you can turn

00:36:55.630 --> 00:37:00.040
it on as well. Yeah.
Herald: Your question please.

00:37:00.040 --> 00:37:03.109
Q: Did Twilio ban you or did they find out what you did?

00:37:03.109 --> 00:37:09.700
M.V.: I got some emails, but they were really cool. I have to say

00:37:09.700 --> 00:37:13.740
that. I explained to them where I was coming from, I gave them my identity...

00:37:13.740 --> 00:37:18.180
like I wasn't hiding anything. Actually I had to pay quite some money because of

00:37:18.180 --> 00:37:21.650
all the calls that I was doing while I was doing the research, so I didn't hide my

00:37:21.650 --> 00:37:27.049
identity at all. So, they did detect that I was doing many calls and stuff like

00:37:27.049 --> 00:37:31.809
that.
So there is, I guess, at the high volumes there is some detection, but

00:37:31.809 --> 00:37:35.970
Twilio is not the only service. So again you can switch between services, space it

00:37:35.970 --> 00:37:40.330
out, change caller I.D.s, a number of things.

00:37:40.330 --> 00:37:45.549
Herald: And one more question here.
Q: Hi. You talked about being undetected

00:37:45.549 --> 00:37:50.400
when making all these calls by going directly to these direct access numbers.

00:37:50.400 --> 00:37:56.030
In Germany it's very common that if someone calls your voicemail you get an

00:37:56.030 --> 00:38:00.460
SMS text even if they don't leave a message. But I suspect there's some kind

00:38:00.460 --> 00:38:05.370
of undocumented API to actually turn that off through the menus. Have you looked

00:38:05.370 --> 00:38:08.710
into that?
M.V.: No I haven't looked into that

00:38:08.710 --> 00:38:14.230
specifically. The question is that usually in Germany for the carriers you'll get an

00:38:14.230 --> 00:38:18.220
SMS when you get a call. I wonder... the test that I did on the

00:38:18.220 --> 00:38:22.250
German carriers, I was getting a text if I was leaving a message, not if someone was

00:38:22.250 --> 00:38:26.420
calling there. I guess you are talking about a missed call, that kind of

00:38:26.420 --> 00:38:32.089
notification. I'm not sure about it. What I do want to point out is remember that

00:38:32.089 --> 00:38:35.609
you can do this while the person is offline, maybe on a long trip, so you can

00:38:35.609 --> 00:38:40.750
time it, and that will be a good precaution I guess to just not launch at any, you

00:38:40.750 --> 00:38:44.300
know, at any point in time, but you can just always time it, and by the time the

00:38:44.300 --> 00:38:47.850
person gets a million texts it's too late.
Q: Thanks.

00:38:47.850 --> 00:38:50.189
M.V.: Yeah.
Herald: One more question over here

00:38:50.189 --> 00:38:55.200
please.
Q: Thank you.
On Apple phones you can

00:38:55.200 --> 00:39:00.540
activate with some care the, what they call visual voicemail. Would that prevent

00:39:00.540 --> 00:39:04.950
your attack from working, or..?
M.V.: No, there is actually, I believe he

00:39:04.950 --> 00:39:11.550
was an Australian researcher, that looked into the visual voicemail and he was able

00:39:11.550 --> 00:39:16.770
to find that in reality it uses the IMAP protocol, if I remember correctly, and for

00:39:16.770 --> 00:39:23.110
some carriers he was able to launch brute force attacks because the

00:39:23.110 --> 00:39:28.450
authentication wasn't with the same pin as you get when you dial in. But he found at

00:39:28.450 --> 00:39:34.819
least one carrier in Australia I believe that was vulnerable through the visual

00:39:34.819 --> 00:39:37.930
voice mail protocol. And I checked the German carriers. I did that, I actually

00:39:37.930 --> 00:39:43.010
followed the steps that he did, to see if that was worth mentioning here. I didn't

00:39:43.010 --> 00:39:49.100
find it to be vulnerable, but that doesn't mean that that's not the case.

00:39:49.100 --> 00:39:53.750
Herald: One more last question.
Q: Thank you for the talk. What is your

00:39:53.750 --> 00:39:58.090
recommendation to American carriers to protect themselves against this attack?

00:39:58.090 --> 00:40:03.460
M.V.: I put a slide there. Like for me I guess the most important thing is

00:40:03.460 --> 00:40:07.839
really look at what some German carriers are doing. I really like that in the recent

00:40:07.839 --> 00:40:12.940
past where it sends it to you over SMS as soon as it detects that someone dialed,

00:40:12.940 --> 00:40:17.730
tried six times the wrong pin. I mean if you have physical access to a locked

00:40:17.730 --> 00:40:22.619
device you could claim that if someone has the preview turned on the device you could

00:40:22.619 --> 00:40:26.910
still see the pin, you know, when you get it, so.
But then it wouldn't be like a

00:40:26.910 --> 00:40:33.900
remote attack anymore, so definitely detect brute forcing and shut down. I mean

00:40:33.900 --> 00:40:38.490
we know that with the caller I.D. it is not working so well for Telekom, because I

00:40:38.490 --> 00:40:43.440
was able to bypass it. But I know that, because I did some tests with HLR records,

00:40:43.440 --> 00:40:46.850
that you can actually tell the type of device that it is, if it's a virtual

00:40:46.850 --> 00:40:51.400
number. So if carriers could actually look at the type of phone that is trying to

00:40:51.400 --> 00:40:55.830
call in. I think if it's a virtual number, you know, red flag. If it's not I don't

00:40:55.830 --> 00:40:59.400
think someone is going to have... I guess the government could like, you know, have

00:40:59.400 --> 00:41:05.810
3333 devices because you try one pin for the 10000 keyspace, you know. You try 3

00:41:05.810 --> 00:41:10.889
pins at a time and just have 3333 SIM cards and so it will come from real

00:41:10.889 --> 00:41:15.990
devices. But then at least it will quite significantly mitigate it. And then like

00:41:15.990 --> 00:41:22.850
again, like if you ban DTMF tones from the greeting message that will help as well.

00:41:22.850 --> 00:41:26.270
Herald: Thank you Martin. I have never provided any telephone number to any

00:41:26.270 --> 00:41:32.230
platform and now thanks to you I know why. Warm applause for Martin Vigo please.

00:41:32.230 --> 00:41:33.552
M.V.: Thank you

00:41:33.552 --> 00:41:39.532
applause

00:41:39.532 --> 00:41:45.100
35c3 postroll music

00:41:45.100 --> 00:42:02.000
subtitles created by c3subtitles.de in the year 2019. Join, and help us!