Ruxcon Sydney penetration tester Shubham 'Shubs' Shah has urged US and European researchers to probe their telco's voicemail security after he found accounts held by local telcos Vodafone and Optus were open to attack.
The two telcos were vulnerable because of a design flaw: neither limited the number of password guesses against its visual voicemail service.
Shubham and fellow Snapchat hacker Huey Peard reported the flaws to Optus earlier this year via the Sydney Morning Herald and later to Vodafone, but were unable to travel to the US or Europe to examine local telco security arrangements there.
"If you guys have an opportunity to test this overseas, do it," Shah (@infosecau) told the Ruxcon security conference last week.
"If anyone breaches these visual voicemail servers, they are going to get access to a lot of voicemail accounts, I mean a lot.
"Brute forcing visual voicemail is only 31 lines (of Python) and you could (prior to a fix being implemented) have accessed anyone's voicemail account for Vodafone."
Shubham Shah. ©The Register
Vodafone in June implemented a password rate-limiter for visual voicemail, but Shah found it opened a denial of service attack that could lock out millions of subscribers: a simple script that enumerated phone numbers and made brute force password guesses against each would exceed the threshold and trigger mass bans.
Worse, he said telecommunications providers in Australia, which he declined to name, had without consent automatically created visual voicemail accounts for millions of subscribers, protected only by the user's basic, often four-digit, voicemail PIN.
This exposed entire user bases of certain Australian telcos to compromise or account lock-out via brute force password guessing over IMAP.
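A throttling design that avoids the mass-lockout problem described above, added here as an illustration (this is not code from Shah's talk or from either telco, and the class name, thresholds and sample numbers are constructed assumptions): per-source limits absorb an enumeration flood, while per-account backoff grows and then expires instead of banning the subscriber outright.

```python
from collections import defaultdict

# Constructed policy values (assumptions, not figures from the talk).
SOURCE_MAX_FAILURES = 10   # failures per source before that source is refused
SOURCE_WINDOW = 600        # seconds a per-source failure stays counted
ACCOUNT_BASE_DELAY = 2     # first per-account backoff, in seconds
ACCOUNT_MAX_DELAY = 300    # backoff ceiling, so no account is locked for good


class AuthThrottle:
    """Throttles voicemail PIN checks without a permanent per-account lockout.

    A flood of wrong guesses blocks the *source* that sends them; the targeted
    account only gets a short, expiring delay, so a script that enumerates
    numbers cannot turn the rate-limiter into a mass denial of service.
    """

    def __init__(self):
        self.source_failures = defaultdict(list)  # source -> failure timestamps
        self.account_backoff = {}                 # account -> (next_allowed, delay)

    def attempt(self, account, source, pin_ok, now):
        """Return 'allowed', 'denied', 'account_backoff' or 'source_blocked'."""
        # Forget stale per-source failures, then refuse a source that is flooding.
        recent = [t for t in self.source_failures[source] if now - t < SOURCE_WINDOW]
        self.source_failures[source] = recent
        if len(recent) >= SOURCE_MAX_FAILURES:
            return "source_blocked"
        # Per-account backoff: reject early while the account is cooling down.
        # A request during cooldown still counts against the source.
        next_allowed, delay = self.account_backoff.get(account, (0, 0))
        if now < next_allowed:
            recent.append(now)
            return "account_backoff"
        if pin_ok:
            self.account_backoff.pop(account, None)  # success clears the backoff
            return "allowed"
        # Wrong PIN: count it against the source and double the account delay,
        # capped so a persistent attacker cannot lock the subscriber out for good.
        recent.append(now)
        delay = ACCOUNT_BASE_DELAY if delay == 0 else min(delay * 2, ACCOUNT_MAX_DELAY)
        self.account_backoff[account] = (now + delay, delay)
        return "denied"
```

The per-account delay still lets one determined attacker slow down one subscriber, which is why the source limit and alerting on floods matter more than any per-account counter.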
"The worst case is where they [telcos] use your PIN to protect visual voicemail," Shah said. "We found that a lot of service providers already added your account to this IMAP system for visual voicemail without your permission. So there is a chance that your PIN has been compromised."
In one instance prior to a May fix, Shah said Optus voicemails could be accessed using an international number that validated users by their phone number and did not check PINs.
One of Shah's presentation slides.
Attackers usually had to be on the same network as their victims to target voicemail accounts, due to the vagaries of network configurations. Once on their targets' networks, attackers could then utilise phone number spoofing to tap account log-in portals or, as was previously the case with Optus, gain unchallenged access.
This is why Shah could not yet determine the exposure of US and European telcos to the attack.
The researcher informed the GSM Association about the vulnerability but, along with other security pros present at Ruxcon, doubted that the disclosure would result in widespread patching.
His voicemail vector also served as a rung in multi-faceted targeted attacks. Ne'er-do-wells could retrieve second-factor authentication codes from a victim's voicemail inbox should websites such as Google or, formerly, LinkedIn and Facebook be configured to send the PINs by phone call rather than SMS. ®