35C3 preroll music

Herald Angel: We start the next talk. It's by Martin Vigo. He stands here. He is a product security lead and researcher and he's responsible for mobile security, identity, and authentication. So he helps people design and secure systems and applications. And he has worked on stuff like breaking password managers or exploiting Apple's FaceTime to create a spy... yeah, a spy program. So give him a warm applause for his talk.

Applause
Martin Vigo: Thank you for joining me in this talk. I'm super excited to be here. It's actually my second year at the conference, so super super excited that the first year I was sitting there, and the second year I'm sitting here. This is me, but an introduction was already made. Just pointing out that this is me, 9 years old, with an Amstrad CPC 6128. You had this machine before? I see only one hand? I think this was sold in Europe, but I was playing here La Abadía del Crimen, which is the best video game ever written. If you guys like abandonware, you should definitely check it out.

So like any good research we have to start by looking at previous art, right? We can learn a lot from researchers that did stuff in the past. And in this case I went all the way back to the 80s to understand how phreakers of the time, when the hacking thing started, were doing to actually hack into voicemail systems. I condensed everything I learned in five different paragraphs of five different essences, that I actually got from the Phrack website, which is an amazing resource. So, here from Hacking Telephone Answering Machines, the paragraph that I extracted was that "You can just enter all 2-digit combinations until you get the right one", "A more sophisticated and fast way to do this is to take advantage of the fact that such machines typically do not read two numbers at a time, and discard them, but just look for the correct sequence". What is this about? In older voicemail systems, if you enter like 1234 for the 2-digit PIN, it will not only process 12 and 34 to verify the PIN, but it will also process 23, which is very interesting. In fact, in Hacking AT&T Answering Machines, again, this is amazing, from the 90s or 80s, we actually get the correct sequence to cover the entire 2-digit key space. So, if you enter all these, you are basically brute forcing the entire key space, without having to enter the entire thing that covers it. I also learned, from A Tutorial of Aspen Voice Mailbox Systems, that in the 80s there were default passwords. Surprise, surprise! But also that as humans, we actually have patterns when we choose PINs. And so we have the classics: 1111, 9999, 1234. And another thing that I learned in Hacking Answering Machines in the 90s was that "There is also the old 'change the message' secret to make it say something to the effect of this line accepts all toll charges so you can bill third party calls to that number". This is basically a trick used by inmates to get free calls. Basically, they would record in the voicemail a greeting message "yes, yes, yes", so when the automated system comes in and asks "Do you want to accept the toll charges from the call from the penitentiary?", it will go and they will be able to do free calls.

So, condensing everything and summarizing what I learned from looking at what previous hackers did in the 80s: we know that the voicemail system security looked like... there were default PINs, there were common PINs, there were bruteforceable PINs, there was efficient bruteforcing because we can enter multiple PINs at the same time, and the greeting message is actually an attack
vector. So let's play a game. Let's do a checklist and let's look at voicemail security today. So, I looked at the American carriers because I live in the US, but because I was invited to talk in Germany, I got some friends to give me some SIM cards and I actually wanted to put out German carriers as well. So, checklist time, default PINs: all American carriers do have default PINs and unfortunately they are really not a secret, because most of them is actually the last digits of your phone number. When it comes to German carriers it's actually a much better state, for example Vodafone, it's the last 4 digits of the client number, which you don't know. I mean, you know as the customer, not others, it's a secret. Or if it comes to CallYa, that is the card that I got, it's the last 4 digits of the PUK. For Telekom it's the last 4 digits of the card number, which is the card you get with the SIM card. For O2, unfortunately, there is a default PIN, which is 8705, which is the only PIN you can't set, when you choose to set one. Yeah.

So, voicemail security today when it comes to common PINs: according to a fantastic research from Data Genetics, this is actually about people choosing PINs for their credit cards, but there were a lot of conclusions that I learned from this research and basically, to summarize the most important regarding this work, is that for example by trying the top 20 most common PINs, you have a 22 percent chance of getting the right one. What this means in other words is for every fourth victim that I try to brute force the PIN from their voicemail system, I will get it right every fourth person. There are other conclusions that are very interesting, like, the PINs mostly start by 19. Who has an idea why is that? Birth year, right? It's very common to set as your birth year. Most of us were born in the 20th century... to set it as a PIN.

Bruteforceable PINs. Same thing in Germany and in the US, it accepts 4-digit PINs which, we will see later, is just not enough key space. Efficient bruteforcing: all the carriers accept concatenation of payload. So, in this case I use it to try different PINs and I don't even have to wait for error messages. I just use the pound as kind of like an enter in a voicemail system and I can try three PINs at a time. Usually carriers will hang up when you enter three PINs wrong, for security purposes, but we will take advantage of that.

So with everything that
I learned from the 80s, I verified that it was still a problem today. I decided to write a tool that allows you to brute force voicemail systems fast, cheap, easily, efficiently, and undetected. So, fast: I used Twilio... who is familiar with Twilio here? Some of you? So Twilio is basically an online service that allows you to programmatically interact with phone calls. You can make phone calls, interact with them, and all that. So I use it to launch hundreds and hundreds of calls at the same time in order to brute force PINs. It's cheap! The entire 4-digit keyspace costs 40 dollars. So if I want to have a 100 percent chance of getting your 4-digit PIN, I only have to pay 40 bucks. A 50 percent chance, according to the research from Data Genetics, will cost me five dollars. So once every two victims, I will get the PIN. Actually, if I want to take a different approach and instead of just trying to brute force only yours, I want to brute force the PIN from everyone here, according to Data Genetics, and in this case, according to the fact that there are default PINs... I'm not going to ask how many of you have O2, now that they know that there is a default PIN to their voicemail system. It will be more interesting to actually try a thousand phone numbers for that default PIN for O2 customers, only for 13 dollars. It's easy: fully automated, the tool does everything for you, you just have to provide the victim number, the carrier, and a couple of other parameters. And it's efficient! It optimizes brute forcing, I use the research from Data Genetics to favor the PINs that are most common, and obviously it tries different PINs and all that stuff.

But the most important here is detection, because think about it. In order for me to interact with your voicemail system I need to call you and you cannot pick up, because if not, it doesn't go to the voicemail system. So I was trying to find ways, because I need to, in the end, make a lot of calls, trying different PINs. How can I interact directly with your voicemail? I tried call flooding, like basically doing three calls at a time, because the line gets flooded just with three calls, it goes directly to the voicemail, but it wasn't very reliable. You can use OSINT techniques, a lot of people like to tweet that they, you know, they go on a trip, they are about to board a plane, so it goes into airplane mode, or you go in a remote area, or you are in a movie theater, or at night you put in Do Not Disturb. Those are all situations in which calls go directly to the voicemail. You can use HLR databases to find out if mobile devices are disconnected or the SIM cards have been discarded, but they are still assigned to an account. And you can use online services like realphonevalidation.com, which I actually reached out to, and they provide services that allow you to know if a phone is actually connected to a tower at the moment, so it's basically available, so you could use that too. You can also use class 0 SMS, which gives you feedback. It's basically a type of SMS that will... it has more priority and will basically display on the screen and you'll get the feedback if it was displayed. So, that's a nice trick to find out if the phone is actually connected to a tower. But in reality, I wanted a bulletproof way to do this, and in the U.S. I found that there is this concept of backdoor voicemail systems.
So instead of me calling you, I'm going to call one of these services that you guys have listed here for every carrier, and there I enter the number, in this case the number of the victim whose voicemail I want to interact with. And of course it allows you to access the login prompt. Actually in Germany I find it interesting that you guys have it as a service, because in the US it's more a secret that I had to find using Google, but here... Basically if I dial your phone number and when it comes to Vodafone, between the area code and the rest of the number I put 55, or for Telekom 13, or for O2 33, I directly go to the voicemail, it won't ring your phone. So I can use that. Who was aware of this, that is from Germany? OK, many of you. So that's what I thought. Like here it's not really something you guys care too much about. In the U.S. it's actually used a lot by scammers, or to leave voicemail messages directly from spammers as well. So, voicemailcracker actually takes advantage of backdoor numbers, so it allows you to be undetected. I don't need to call you, I don't need to wait till you are flying, I can do that. And for example for the U.S. it's great, because when I launch that many calls, the line gets flooded even if you are offline. But when I use these backdoor voicemail systems, because they are meant to be used by everyone, those don't get flooded. So I literally make hundreds and hundreds of calls and it never fails.

So, but you know, carriers, or some of them, add brute force protections, right? So that you can't actually launch brute forcing attacks. And I looked at the German carriers and for example Vodafone, I saw that it resets the 6-digit PIN and sends it over SMS. So, I guess I can flood your phone with texts, but who cares, that's not a big deal, but I think it's actually a pretty effective measure against voicemail... against brute forcing. Telekom blocks the caller ID from accessing the mailbox or even leaving messages. I tried, and after six times that it's wrong, every time I call it says "Hey, you can't do anything", and it hangs up. And for O2 it connects directly to the customer help-line, but someone started talking German and my German is not that good. So brute force, I wanted to be able to bypass this, right? And so if you look at Telekom, I mentioned that it blocks the caller ID, but it turns out that with Twilio you can actually buy caller IDs, you can, well, you can buy phone numbers, right? And they are really cheap. So it's very easy for me to do randomization of caller IDs for very very cheap and bypass Telekom's brute force protection. So voicemailcracker also supports that. It supports caller ID randomization. So let's
make the first demo. So as you can see here, on the left is the victim's mobile device, and on the right is the tool. And in this case I'm going to use the brute force option. The brute force option allows me to basically brute force the PIN. It makes hundreds of calls, as I explained, and it'll try to guess it. And there is a number of parameters like the victim number, the carrier... the carrier is important because it has specific payloads for every single carrier, because all the voicemail systems are different, how you interact with them, and in this case I'm using a backdoor number because it's more efficient. And then there is no detection. And in this case I chose the option of top PIN. So this is basically trying the top 20 PINs according to the research for four digits. So as you can see it's trying actually three PINs at a time, as I mentioned before, rather than one. So we have to do a third of the calls, right? And how do you think that I'm detecting if the PIN was correct or not? Any ideas?
Unintelligible suggestion from audience

M.V.: OK. So the disconnect and hang up. That's what I heard. And that's exactly right. If you think about it, I can look at the call duration, because when I try three PINs and it hangs up it's always the same call duration. For T-Mobile in this case it's like 18 seconds. So I instruct Twilio to, after dialing and putting the payload to interact with the voicemail system trying the PINs, wait 10 extra seconds. So all I got to do, I don't need any sound processing to try to guess what the voicemail voice is telling me, if it's correct or not. I just use the call duration. So if the call duration is ten times longer then I know that's the right PIN, because it logged in. So as you can see it found out one of those three is actually the correct one: in this case it's 1983. So in order to give you the exact one, because at that time it tried the three of them, now it's trying one by one, and it may look like it's taking longer than it should for only 20 PINs, but remember failing PINs is very very quick. It's just that because in the top 20 it found already the right PIN, it takes longer than it should, and there you go. We got that it's 1983. Awesome.

So what is the impact really, why am I here talking to you at CCC that has such amazing talks, right? And this is really the thing about this. No one cares about the voicemail. Probably if I ask here, who knows his own voicemail PIN?

laughter
M.V.: Nice. That's what I was expecting. Probably less hands here. So some of them are lying, but that's the thing, right? We don't care about the voicemail. We don't even use it, which is the crazy thing here. We have an open door for discussing an issue that we don't even know about or we don't even remember. So many people are not familiar with the fact that you can reset passwords over a phone call. We are familiar with resetting passwords over e-mail. You get a unique link, maybe over SMS you get a code that you then have to enter in the UI. But a lot of people cannot receive SMS, or that's what services claim. So they allow you to provide that temporary code over a phone call, and that's exactly what we take advantage of, because I ask you, what happens if you don't pick up the phone, if basically I go to a service, enter your e-mail or your phone number and reset a password, and everyone can do that. Anyone can reset it, initiate the reset password process, and I know that you are not going to pick up the phone. I know that thanks to my tool I got access to your voicemail system. So basically the voicemail system will pick up the call and it will start recording, so it will record the voice spelling out the code that I need to basically reset your account and get access to it. So -- oops! -- and I press play here.

Static
M.V.: Okay, so, what does the attack vector look like? You brute force the voicemail system using the tool, ideally using backdoor numbers. For that particular call -- that is, the call that the victim will receive once you initiate the password reset -- that one cannot go through the backdoor number, right?, because PayPal is gonna directly call the victim. So for that one you need to make sure that the victim is not connected to a tower, through all the methods that I showed before. You start the password reset process using the "call me" feature. You listen to the recorded message, secret code and profit. You hijacked that account, and Voicemailcracker can do all that for you.
Let's compromise WhatsApp. So on the left you see my number, right?, with a secret lover group, and a secret group, and all that stuff. On the right notice that I'm not even using an actual device. It's an Android emulator where I installed an APK. And there is some sound to this, and you are gonna see -- so again on your left it's the victim's number. On the right is an emulator of the attacker. So you'll see that I'm going to use my tool with the message payload, with the message option. So in this case what I'm doing is I'm setting the victim's phone to airplane mode, simulating that it's now offline for some reason, and I detected that. So if you see, WhatsApp sends you a text to actually register as a WhatsApp user, but if you don't reply in a minute it gives you an option to call, to call me, right? And that's exactly what I click. So now WhatsApp is basically calling the victim, which is again in airplane mode, because he went on a remote trip or on a plane, and so I'm using Voicemailcracker with the option "message" to automatically retrieve that newest message. So the tool is gonna provide me, as you can see the last option is the PIN, because I brute forced it before. So it's going to give me a URL with the recording of the newest message, which, hopefully -- it's a recorded demo -- hopefully contains actually the code. So let's see... I got the URL.

Phone alert sound

Computerized phone voice: New Message! --

M.V.: It's interacting with the voicemail system right now.

Phone voice: -- your verification code is: 3 6 5 9 1 5. Your verification code is: 3 6 5 9 1 5. Your ver--

M.V.: And that simple. We just hijacked that person's WhatsApp, and I -- here I'm fast forwarding just to show you--

Applause
M.V.: --that you get actually that. Thank you. I do want to point out that WhatsApp is super secure, it like-- end to end encryption, all that -- and there is a number of things where you can notice this attack. For example you wouldn't be able to see the previous messages that were there, but you can just hold on and ask people, right? The groups will pop up. So you hijacked that WhatsApp account. There is also fingerprinting. But who really pays attention to the fingerprinting when someone changes the device, right?

So are we done? Not yet. Because the truth is, some researchers talked about this in the past, and actually services tried to slowly pick up. So that is actually something that I found in several services. That is what I call the user interaction based protection. So when you receive that phone call that provides you with the temporary code, in reality it's not giving it away. You have to press a key. It comes in three different flavors from what I found from my tests. Please press any key to hear the code, so when you get the call, you have to press, and then it will tell you the code; please press a random key, so specifically please press 1, please press 2; or please enter the code. PayPal does that, and instead of you having to press a key to hear the code, when you reset the password you will see a four digit code that you have to enter when you receive the call and then it will reset the password. So I'm going to get the help from all of you guys. Can we beat this currently recommended protection, what is nowadays recommended to prevent these kind of attacks? And we're going to play a game. I'm going to give you two hints. This is the first one. So, you guys are probably familiar with this, but Captain Crunch. Again we go back to the day, we can learn so much from them. He used this to generate specific sounds at a specific frequency to basically -- you can go and read it -- to get free international calls. So he would create that sound and the system would process it on the line. And the second one is that I cheated. When we did the checklist, I actually skipped one, which was the greeting message is an attack vector. So I ask you guys, how can we bypass the protection that requires user interaction in order to get the code recorded on the voicemail system?
Inaudible suggestion from audience

M.V.: What was that?... Exactly. Record DTMF tones as the greeting message. We own the voicemail system so we can alter the greeting message. So this is exactly how it works: we just alter the greeting message, we record the DTMF that the system is expecting, and it works every single time. The best thing of this is what really is so awesome about all of us that really care about technology. We want to have a deep understanding, because when I was asking people, when, you know, I wanted to show them this, I was asking them how does this protection really work. And they would say, well, you have to press a key and then, you know, it will give you the code. But that's not really true. What you have to do is to provide a specific sound that the system is expecting. That is different than saying you have to press a key, because if you say I have to press a key, that requires physical access. If you say I have to provide a sound, now we know it doesn't require physical access. That is why hackers are so cool, because we really want to understand what is happening backstage, and we take advantage of that. So how does the attack vector look like? Bruteforcing voicemail systems as before. So basically we have an extra step, which is update the greeting message according to the account to be hacked, and Voicemailcracker can do that for you. Let's compromise PayPal.

Laughter
M.V.: So on the left side you see that, as before, I brute force the PIN of the voicemail. And in this case on the right side I'm going to start a password reset for that account. So I do that and I choose "please call me with a temporary code". But in this case PayPal works differently, because it will show me a four digit code that I need to enter when I receive the call in order to reset the password. So you see that here I'm using the greeting option. So the greeting is going to allow me to enter a payload that I want to record as the greeting message. In this case it is 6 3 5 3. So I may be very very verbose for this demo. There you see the last option, use PayPal code, and I enter 6 3 5 3. Now the tool is going to use the PIN to log into the voicemail system, interact with it, change the greeting message, record the DTMF tones according to 6 3 5 3, and then it should be able to fool the call. In this case I'm asking to call again, because it didn't have enough time to do that. And in 3 2 1 we should get that we actually compromised the PayPal account, and there we go. We can now set our own password.

Applause
M.V.: Thank you. So, I showed you some vulnerable services. Let's go very quick about it because I'm concerned I'm running out of time. So, I'm just mentioning Alexa top 100 types of services, not favoring anything, but... so for password reset that supports it over phone call: PayPal, Instagram-- no, Snapchat-- Netflix, eBay, LinkedIn. I'm still on Facebook. What can I say? 2FA for all the major forms, so 2FA over phone call for Apple, Google, Microsoft, Yahoo... Verification: so basically you don't register with a username and password on WhatsApp or Signal, you actually use directly the phone number, right? As we saw before, and you register through a phone call or SMS. So you can compromise this too. Twilio, the very service that I use for this, is actually really cool because you can own a caller ID by verifying it by getting a phone call, so I can actually own your caller ID and make calls on your behalf, send texts, and all this legitimately, right?, because you've pressed one. Google Voice, it's actually another interesting service because it's used a lot by scammers, right? And this is the same thing: you have to verify ownership so you can do those phone calls, and you can fool it as well with this. But I found, I was looking like, what other services really take advantage of this? And this is super common in San Francisco, where I live. You can buzz in people, like when they want to enter, right?, they enter your house number, and then your phone rings and you press any key to open the door. So we are talking about physical security now. And I've seen this in offices as well. They all work this way, basically because they want to be able -- for tenants that, you know, come and go -- to be able to switch that very quickly. So it works just through the phone that you buzz people in. But my favorite is consent, because when we think about consent we think about lawyers and we think about signing papers and we think about all of these difficult things. And I found out about this LocationSmart service that is not there anymore, and you will see why... But this was recently in the news because, basically, Brian Krebs wrote a really great article about it. But I'm going to let you hear, from their YouTube channel, how LocationSmart works.
LS vid speaker 1: The screen that you're showing, that you're seeing right now is a demo that we have on our web site, it's at location smart.com/pride, and I've entered my name, my email, my mobile phone number, and it's again going to get my permission by calling my phone, and then it'll locate. So let's go ahead and, I clicked the box to say yes I agree, click the locate, and the screen now shows that it's going to call my device to get my permission.

vid speaker's phone vibrates, sounds like an airhorn in video

LS vid speaker 2: Heh, that's a nice ring tone --

M.V.: No, it's not--

LS vid speaker 1's phone: To log into Location Smart Services, press 1 or say 'Yes'. To repeat, press 2 or say 'Repeat'.

LSVS1: Yes

Phone: Congratulations. You have been opted in to Location Smart Services. Goodbye

M.V.: So as you see, this service, this web site had a free demo that allowed you to put a phone number -- yours, of course -- and you will get a phone call and then you will give permission by pressing one. So someone could locate you and keep tracking -- I mean, I checked with them -- for up to 30 days, real time. So now you know why they don't exist anymore!

Applause

M.V.: Open source..

More Applause
M.V.: Open source. So, and this was with the permission of the carriers. This was not some fishy thing. This was actually a service. So I wanted to release code, because I want you guys to verify that what I mentioned is true and have code to hopefully help push the industry forward to make voicemail systems more secure, right? We want to push carriers to do so. But I didn't want to provide a tool that works out of the box and anyone can very easily, as we saw, just start to bruteforce PINs, especially because I saw that there are so many people with default PINs out there. So I just removed the brute forcing, so the tool allows you to test it on your own. You can test, you know, you can test the greeting message, you can test retrieving messages, compromising the services and all that. So the tool allows you to test on your own device. I won't give you code to brute force someone else's device. And feel free to go to my GitHub repo.

So now, like in all the talks, comes the recommendations, but I know what you guys are thinking, right? When someone comes with all this paranoia and stuff you still think "yeah but, you know, still, like no one is gonna come after me. I don't have anything to hide" or anything like that. So I wanted to give you reasons why you should still care about this, and why we need to do better. Because do carriers set default PINs? Yes, we saw that. Is testing for default PINs cheap, fast, undetected, and automatable? Yes it is. Is updating the greeting message automatable? Yes it is. Is retrieving the newest message automatable? Yes it is. Is there speech to text transcription, so that I can get the sound that I played before with the code and get it in text? Yeah. Twilio gives you that as well. So can the account compromise process be automatable? Of course, you can use Selenium if you want to automate the UI. Or you can use a web proxy and look at the APIs and do it yourself. So it is only a matter of time that someone actually does all these steps that I showed you step by step and just makes it all straight and starts to go over phone numbers trying the default PINs, and just automatically compromising services like WhatsApp, like PayPal and all that. You can do basically, not a worm, but, you know, you can compromise a lot of devices without doing anything.

Recommendations for online
services. Don't use automated calls for
security purposes. if not possible detect
-
answering machines and fail. I mean this
is not very accurate and you can still
-
trick it. Require user interaction before
providing the secret. I just show you how
-
to bypass that, but that's with hope that
carriers ban DTMF tones from the greeting
-
message. I don't see why that should be
supported, right? Recommendations for
-
carriers. The most important thing: Ban
DTMF tones from the greeting message,
-
eliminate backdoor mobile services, or at
least a give no access to the login
-
prompt, right? There is no reason why you
should be able to access your voicemail
-
directly to leave a message. But then I
can access the login prompt by pressing
-
star. Voicemail disabled by default. This
is very important and can only be
-
activated from the actual phone, or
online maybe with a special code. Oh great
-
I have time for questions. No default
pins. Learn from the German carriers:
-
don't allow common pins, detect and
prevent brute force attempts, don't
-
process multiple pins at once.
Recommendations for you which, is in the
-
end, very important here. disable the
voice mail if you don't use it. I found
-
though that some carriers you're still
through the backdoor voicemail numbers you
-
are unable to activate it again. So kind
of sucks. So I guess use the longest
-
possible random pin. Don't provide phone
numbers to online services unless
-
required, or is the only way to get 2FA.
2FA is more important. Use a virtual
-
number to prevent OSINT like a Google
Voice number so no one can you know learn
-
about your phone number digits by
resetting the password or do SIM swapping.
-
Use 2FA apps only. And I always like to
finish my talk with ones like that kind of
-
summarizes everything. Automated phone
calls are a common solution for password
-
reset, 2FA, verification, and other
services. These can be compromised by
-
leveraging old weaknesses and current
technology to exploit the weakest link
-
voicemail systems. Thank you so much.
Dankeschön, CCC!
-
Applause
Herald Angel: Thank you, Martin. We have
-
time for questions, so if you have any
questions or if someone in the Internet
-
has questions just go to these
microphones. Where is the microphone?
-
You've got it. Yes. You were black and the
microphone too. So maybe you start and we
-
take the question from the Internet.
Q: Yes I have a question. You mentioned
-
that the phone needed to be offline. Would
a call, like a simultaneous call to the phone,
-
that it would be in what is called in
English - besetzt? - like occupied, so let's
-
say I already called the victim. So the
caller gets, yeah, the line's occupied
-
that would then go to voicemail, wouldn't
it?
-
M.V.: So that's a great question. I think
the question is if you are on a call and
-
someone else calls you, so your attack
will be: I somehow make up a story to keep
-
the person on the phone call while I
launch other calls... that will work. I
-
tried that but the problem is usually to
force, I mean that will not be too big of
-
a deal I guess but it supports two calls
right. They will warn you all there is
-
another incoming call. But I guess you
could keep doing more. So that's what I
-
meant partly with the call flooding. In
that case what I tried was just launching
-
all of them at the same time. And if the
person picks up I don't care but it's
-
somewhat related to what you mentioned and
that's definitely possible.
-
Questioner: Okay. Thank you.
M.V.: Yeah.
-
Herald: Question from the internet please
Signal Angel: Does this work with the
-
phone calls that start talking
immediately? Will the new code be
-
recorded then?
M.V.: If I understood the question
-
correctly it's that when the voicemail
picks up like basically the automated
-
system that spits out the code already
started to talk. I believe that's the
-
question.
Herald: We don't know it's from the
-
Internet.
M.V.: OK so if that is the question I
-
found actually that, because usually
greeting messages last like 15 seconds so
-
by the time it starts recording you
already finished the recording that gives
-
you the code, but you own the greeting
message so you make it as short as one
-
second. And I never found a problem with
that. You actually recorded DTMF tones for
-
like two seconds.
Herald: Ladies first, let me take your
-
question.
Q: You talked about how you learned all of
-
that through reading e-zines. How are they
called, and how do I find them?
-
M.V.: That's the best question I've ever
heard and it deserves an applause,
-
seriously. I like that because you also
want to learn about it. So that's
-
really fantastic. So the Phrack website
is the best resource you can get. I guess
-
everyone will agree here. So you just look
up Google for Phrack magazine and there is
-
a lot of interesting stuff that we
can learn there still today.
-
Q: Are there any others?
M.V.: Yeah I mean you can then follow the
-
classic. I mean I like Twitter to get my
security news because it's very concise so
-
I kind of get like you know the 140
characters version... if I'm interested
-
then I will read it. So I think you can
Google for like top security people to
-
follow. Brian Krebs is great. It depends
also on your technical depth. There are
-
different people for that. And if not just
you know, specialized blogs and magazines.
-
Q: All right. Thanks.
M.V.: Thank you.
-
Herald: And your question please.
Q: Hi. And so for me the solution is
-
obvious: I just turn off my voicemail. But
thinking about some relatives who are
-
maybe too lazy or don't really care and
still use two factor authentication. I was
-
thinking about could I easily adapt your
script to automatically turn off voice
-
boxes or generate random PINs?
M.V.: You can automate it to turn off the PIN. Like
-
for example on Vodafone, I don't know why,
that allows you to turn off the PIN. To turn
-
off the voicemail... I don't... I haven't
tested that. I think you may have to call
-
the IT department but you know what. It
would be really great to do that. It would
-
be really awesome. Great question. I guess
if you can turn it off then you can turn
-
it on as well. Yeah.
Herald: Your question please.
-
Q: Did Twilio ban you or did they find out
what you did?
-
M.V.: I got some emails,
but they were really cool. I have to say
-
that. I explained to them what I was
coming from, I gave them my identity...
-
like I wasn't hiding anything. Actually I
had to pay quite some money because of
-
all the calls that I was doing while I was
doing the research, so I didn't hide my
-
identity at all. So, they did detect
that I was doing many calls and stuff like
-
that. So I guess at the high
volumes there is some detection, but
-
Twilio is not the only service. So again
you can switch between services, space it
-
out, change caller I.D.s, a number of
things.
-
Herald: And one more question here.
Q: Hi. You talked about being undetected
-
when making all these calls by going
directly to these direct access numbers.
-
In Germany it's very common that if
someone calls your voicemail you get an
-
SMS text even if they don't leave a
message. But I suspect there's some kind
-
of undocumented API to actually turn that
off through the menus. Have you looked
-
into that?
M.V.: No I haven't looked into that
-
specifically. The question is that usually
in Germany for the carriers you'll get an
-
SMS when you get a call. I
wonder... the test that I did on the
-
German carriers, I was getting a text if I
was leaving a message, not if someone was
-
calling there. I guess you are talking
about a missed call, that kind of
-
notification. I'm not sure about it. What
I do want to point out is remember that a
-
you can do these while the person is
offline maybe on a long trip so you can
-
time it, and that will be a good probation
I guess to just not launch at any, you
-
know, at any point in time, but you can
just always time it, and by the time the
-
person gets a million texts it's too late.
Q: Thanks.
-
M.V.: Yeah.
Herald: One more question over here
-
please.
Q: Thank you. On Apple phones you can
-
activate with some care the, what they
call visual voicemail. Would that prevent
-
your attack to work, or..?
M.V.: No there is actually, I believe he
-
was an Australian researcher, that looked
into the visual voicemail and he was able
-
to find that in reality it uses the IMAP
protocol, if I remember correctly, and for
-
some carriers he was able to launch
brute force attacks because the
-
authentication wasn't with the same PIN as
you get when you dial in. But he found at
-
least one carrier in Australia I believe
that was vulnerable through visual
-
voicemail protocol. And I checked for
German carriers. I did that, I actually
-
followed the steps that he did, to see if
that was worth mentioning here. I didn't
-
find it to be vulnerable, but that doesn't
mean that that's not the case.
-
Herald: One more last question.
Q: Thank you for the talk. What is your
-
recommendation to American carriers to
protect themselves against this attack?
-
M.V.: I put a slide there. Like for
me I guess the most important thing is
-
really look at what some German carriers
are doing I really like that in the recent
-
past where it sends it to you over SMS as
soon as it detects that someone dialed,
-
tried six times the wrong PIN. I mean if
you have physical access to a locked
-
device you could claim that if someone has
the preview turned on the device you could
-
still see the PIN, you know when you get
it so. But then it wouldn't be like a
-
remote attack anymore, so definitely
detect brute forcing and shut down. I mean
-
we know that with the caller I.D. is not
working so well for a Telecom, because I
-
was able to bypass it. But I know that,
because I did some tests with HLR records
-
that you can actually tell the type of
device that it is, if it's a virtual
-
number. So if carriers could actually look
at the type of phone that is trying to
-
call in. I think if it's a virtual number,
you know, red flag. If it's not I don't
-
think someone is going to have... I guess
the government could like, you know have
-
3333 devices because you try one PIN for
the 10000 keyspace, you know. You try 3
-
PINs at a time and just have 3333 SIM
cards and so it will come from real
-
devices. But then at least it will quite
significantly mitigate it. And then like
-
again like if you ban DTMF tones from the
greeting message that will help as well.
-
Herald: Thank you Martin. I have never
provided any telephone number to any
-
platform and now thanks to you I know why.
Warm applause for Martin Vigo please.
-
M.V.: Thank you
-
applause
-
35c3 postroll music
-
subtitles created by c3subtitles.de
in the year 2019. Join, and help us!