AT&T And T-Mobile Pay Up For Not Being Truthful About Voicemail Hackability

from the caller-id-spoofing dept

Many mobile phones' voicemail systems have worked on the basis of checking the caller ID of the incoming caller -- and if it matched the number of the voicemail box, it would automatically push the caller through to the admin interface. The idea was that if the owner of the box was calling, he or she shouldn't have to put in the passcode to get to the messages. The only problem with this was that anyone who could spoof your caller ID could access your voicemail. After a few such high-profile voicemail attacks, many mobile operators urged customers to change their voicemail preferences to require a passcode, no matter what. Still, there were some operations out there, under names like SpoofCard, Love Detect and Liar Card, that would spoof a caller ID to get access to a voicemail box. The company behind them has been fined, but what may be more interesting is that T-Mobile and AT&T were also both fined for apparently being misleading about their susceptibility to the hack.

That seems a bit strange, and the article is woefully short on details, unfortunately. Pretty much anything is hackable given certain circumstances, and it always seems a bit odd to totally blame a hacking victim for being hacked. So it would be good to know why T-Mobile and AT&T, in particular, were fined in this case. Did they not even allow passcodes to be enabled for those who wanted to avoid this potential hack?
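
The caller-ID shortcut described in the first paragraph, modeled next to a passcode-always policy. This is an added example, not code from any carrier's voicemail system; the `Mailbox` class, the function names, the phone number, the passcode and the three-attempt lockout are all assumptions made for illustration.

```python
import hmac
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 3  # assumed lockout threshold, not a carrier value


@dataclass
class Mailbox:
    number: str          # mailbox owner's phone number
    passcode: str        # kept in the clear only to keep the example short
    skip_passcode: bool  # the "owner is calling, no passcode" preference
    failed_attempts: int = 0


def _check_passcode(box, entered):
    """Constant-time passcode check with a simple attempt lockout."""
    if box.failed_attempts >= MAX_FAILED_ATTEMPTS:
        return False  # locked until reset out of band
    if entered is None:
        return False  # no passcode offered yet: prompt, do not admit
    if hmac.compare_digest(entered.encode(), box.passcode.encode()):
        box.failed_attempts = 0
        return True
    box.failed_attempts += 1
    return False


def legacy_access(box, caller_id, entered=None):
    """Policy from the article: a matching caller ID bypasses the passcode."""
    if box.skip_passcode and caller_id == box.number:
        return True  # caller ID is not authenticated, so a spoofed value passes
    return _check_passcode(box, entered)


def hardened_access(box, caller_id, entered=None):
    """Caller ID is treated as an untrusted hint; the passcode is always required."""
    return _check_passcode(box, entered)


def demo():
    owner = "+15555550100"  # constructed number
    box = Mailbox(owner, "482913", skip_passcode=True)  # constructed passcode
    presented = owner  # a call that merely presents the owner's number
    return {
        "legacy_spoofed": legacy_access(box, presented),
        "hardened_spoofed": hardened_access(box, presented),
        "hardened_owner_pin": hardened_access(box, owner, "482913"),
    }
```

Under the legacy policy the presented number alone opens the mailbox; under the hardened policy the same call is refused until the passcode is entered, and repeated wrong guesses lock the box.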

Filed Under: hack, voicemail
Companies: at&t, t-mobile


Reader Comments

    Brad, 16 Dec 2008 @ 12:23am

    Maybe it's the sim cards?

    Since both AT&T and T-Mobile are SIM-based operators, I wouldn't be surprised if they were more (or exclusively) susceptible to these sorts of attacks. Verizon and Sprint both authenticate all kinds of information (possibly including identity for voicemail) based on the phone's ESN. It's possible that it's much more difficult to spoof an ESN, or even get your hands on it.

    This is also why stolen Sprint / Verizon phones have little to no value on the black market, where ATT phones fetch a nice premium. Slip in a SIM card and you're free to go, no matter who the device came from. Verizon / Sprint track phones based on ESN and owner, so you can't activate a phone that's been reported stolen.

      OneDisciple, 16 Dec 2008 @ 3:29am

      Re: Maybe it's the sim cards?

      I could be wrong, but I am going to say it anyway. I believe that AT&T and T-Mobile both use the ESN for the same purposes. The problem is that customers do not report the ESN as belonging to them, so when their phone is stolen it cannot be tracked. However, if as the customer you follow the rules of your agreement with said company and register the ESN, it can be tracked.

        Jeff, 16 Dec 2008 @ 4:14am

        Re: Re: Maybe it's the sim cards?

        (addressing the theft/esn issue and i dunno what this has to do with anything, but here we go) and there's also the fact that these companies don't tell their customers what to do when they sell their old mobiles on ebay or craigslist. they just tell them not to sell them and expect people to be out the cost of the old phone when they buy a new one. they aren't told about how to clear the esn and other information off of the phone before they sell it EVEN WHEN THEY REGISTER A NEW MOBILE ON THEIR ACCOUNTS. i bought a sprint blackberry on craigslist once...i could have just continued using the phone exactly as it was and have all of the use billed to the previous owner. it had their full address/phone book still on it, tons of personal information, a few hundred texts containing personal info on people other than the seller...granted, sprint is unlike other providers in that their customer service is a pile of smelly elephant assholes and it's all operated by people who barely speak english and simply use a piece of software to tell them exactly how to interact with customers...but...c'mon.

        billybob., 25 Dec 2008 @ 10:43pm

        Re: Re: Maybe it's the sim cards?

        I work for at&t in sales, and I don't think this is the case. As far as I know, there is no way to remotely kill a stolen phone, aside from using special executive work programs like Good. It's best to contact ATT as soon as possible after your phone is stolen and have them put a hold on the account, killing the SIM card.

      Nate, 16 Dec 2008 @ 5:10am

      Re: Maybe it's the sim cards?

      Nah, it's really easy to pull a phone's IMEI. On any handset, just type *#06# for instance, and it'll cough it up. You don't even need to pop the battery out to look for it. I don't think it would be a good idea to authenticate based on this number.

        nasch, 16 Dec 2008 @ 8:17am

        Re: Re: Maybe it's the sim cards?

        How easy is it to get another phone to report that as its own number?

          JD, 16 Dec 2008 @ 6:11pm

          Re: Re: Re: Maybe it's the sim cards?

          My Linksys VoIP box can set CallerID to whatever I want. I guess this should work.

    ooer, 16 Dec 2008 @ 2:21am

    misleading about their susceptibility to the hack

    Microsoft next, then Google, then xxxx, etc...

    Nice precedent to set...

    AJ, 16 Dec 2008 @ 4:37am

    Ever notice...

    Ever notice how AT*Ts logo looks like the Death Star from Star Wars? No coincidence there, now is there?

    Stephen, 16 Dec 2008 @ 5:53am

    odd

    I've been a T-Mobile customer for a good while now and it's always asked me to enter a 6 digit pass code to check my voicemail.

    Jasen (profile), 16 Dec 2008 @ 7:41am

    Re: odd

    Once upon a time, the default on T-mobile was no passcode, although you could set one if you chose to. Now, T-mobile makes you set a passcode, with the option to not have one if you choose.

    It's kinda like when Microsoft included a firewall in Windows XP but left it off by default, then turned around and made it on by default in SP2.

    I have been using T-mobile for a few years now. I like not having a passcode set. I have no interesting voicemails, so I'm not worried about someone hacking them. LOL

    Steevo, 17 Dec 2008 @ 11:33pm

    The real problem is the CID is insecure

    The real problem is the CID is insecure and can be spoofed. That's the only problem and the problem that needs fixing.

    The telcos made an insecure system and they should be prohibited from delivering calling party data that is not correct. If there were a fine for delivering false Caller ID data they would have to either secure those systems or stop selling Caller ID at all. Either solution would be appropriate.

    scc4fun, 5 Jan 2009 @ 8:52am

    Cingular/ATT statement

    I'm late to the comment party for this story, but here goes:
    I remember reading a statement from Cingular/AT&T that their voicemail always required a passcode--which was totally incorrect as, at that time and now, I was able to get into my voicemail without entering a passcode.
