Feb 23 2005
How T-Mobile and Sprint Screwed Up, and What You Can Do to Protect Yourself
It’s very easy for someone else to get into your voicemail without your knowledge. T-Mobile and Sprint, in the interests of convenience, have decided to leave a gaping security hole in their network enabled by default. However, with one quick change, you can close the hole and protect your privacy.
In the interest of convenience for their customers, Sprint and T-Mobile, by default, do not require you to enter your PIN when dialing in from your phone to check your voicemail. Instead, they both authenticate you by reading the Caller ID on the incoming call; if it matches the number of the mailbox, the call is transferred to the main menu of the voicemail system for that user instead of playing the outgoing greeting and letting the caller record a message.
This wouldn’t be a problem, except that now you can spoof Caller ID with little or no effort whatsoever.
I demonstrated this hack to my friends at work. First I went into my phone system at work and changed the outgoing caller ID on my extension to a friend’s T-Mobile mobile number. Then, I called their mobile number. Man, were they freaked out when their own number showed up on their screen.
It gets worse, though, because once the ringing stopped, the real fun began. Instead of hearing “Hi you’ve reached _________________________, at the tone please leave a message…” we heard, “You have 5 new voicemail messages. To get your messages, press 1.”
The flaw is an obvious one. The security of your voicemail depends on something as insecure as Caller ID authentication. Years ago, this was not an issue, but with the advent of easily accessible spoofing methods, this is a major gaping hole. Someone with only your mobile number can swipe your voicemail quite easily.
This is quite an easy thing for either carrier to fix. All the carrier would have to do is note whether or not the call was made in-network. For example, on T-Mobile, Cingular, Sprint, and Verizon, there is some sort of plan that allows you to only make calls from within the network. A simple verification on T-Mobile’s network that the call really is a T-Mobile call from within the network, and not a spoofed outside number, would eliminate this vulnerability altogether. I imagine this is already being worked on; or at least I hope it is.
To fix the problem for T-Mobile: Log into your voicemail, press 4 for Personal Options, and 8 for Enable Password.
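The routing decision described above, as an added example that is not part of the original post or either carrier's code: a model of Caller ID-only mailbox access beside a version that skips the PIN only for calls the carrier saw start in-network. The field names, the `in_network` flag, the menu labels and the sample numbers are assumptions made for illustration.

```python
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class Mailbox:
    number: str
    pin: str
    password_enabled: bool = False   # the default the post describes


@dataclass
class Call:
    caller_id: str                   # presented by the calling side: untrusted
    in_network: bool                 # assumed signal: carrier saw the call start on its own network
    pin_entered: Optional[str] = None


def pin_ok(call: Call, box: Mailbox) -> bool:
    return call.pin_entered is not None and hmac.compare_digest(call.pin_entered, box.pin)


def route_default(call: Call, box: Mailbox) -> str:
    """Behaviour in the post: a matching Caller ID is the only credential."""
    if call.caller_id != box.number:
        return "GREETING"
    if not box.password_enabled:
        return "MAIN_MENU"
    return "MAIN_MENU" if pin_ok(call, box) else "PIN_PROMPT"


def route_hardened(call: Call, box: Mailbox) -> str:
    """Carrier-side fix from the post: skip the PIN only for verified in-network calls."""
    if call.caller_id != box.number:
        return "GREETING"
    if call.in_network and not box.password_enabled:
        return "MAIN_MENU"
    return "MAIN_MENU" if pin_ok(call, box) else "PIN_PROMPT"


# Constructed sample data (fictional 555 numbers).
OWNER = "2065550100"
handset = Call(caller_id=OWNER, in_network=True)
outside = Call(caller_id=OWNER, in_network=False)   # off-network call presenting the owner's number
friend = Call(caller_id="2065550199", in_network=False)

if __name__ == "__main__":
    for name, box in [("default", Mailbox(OWNER, "4821")),
                      ("password enabled", Mailbox(OWNER, "4821", True))]:
        for label, call in [("handset", handset), ("outside", outside), ("friend", friend)]:
            print(f"{name:17} {label:8} default={route_default(call, box):10} "
                  f"hardened={route_hardened(call, box)}")
```

With the password option enabled, both functions send the off-network call to the PIN prompt, which is why the subscriber-side setting closes the hole even when the carrier changes nothing.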
If you know how to fix the issue on Sprint, please send it to me and I’ll post it also.
Be safe out there people. If something is a “convenience,” it’s probably not safe or secure.
February 23rd, 2005 at 10:13 pm
I tried.
My T-Mobile voicemail does not have an option 8 or any other choice to “enable password”. I did “change password”, but after doing so, when calling from my cell phone, it does not prompt me for it. Same old shit.
Thanks for the heads up though dude.
February 24th, 2005 at 6:20 am
You’re just upset because Paris Hilton leaked your cell phone number. Admit it.
February 24th, 2005 at 7:39 am
Thanks for mentioning that on a site my wife reads! Now I gotta go find the video
February 24th, 2005 at 4:21 pm
I believe it’s downloadable from the Consilium website, under the title: “Paris And Her Ferrari…”
February 24th, 2005 at 4:24 pm
Don’t let the Canuck fool ya… I’ve never spent a night in Paris!
May 18th, 2008 at 8:21 pm
Sprint overcharged our small company over $50,000.00. We caught them and asked for the over-payments to be refunded. They have refused. Read the full story on http://www.sprint-really-sucks.com