Stanford Creates Database Of Patent Litigation
Wrongfully Blaming Hackers For Rainforest Deforestation
Chill Out On The Texting While Walking Bans, Says Professor
Mobile Operators Say Inauguration Will Tax Systems, Provide PR Fodder

AT&T And T-Mobile Pay Up For Not Being Truthful About Voicemail Hackability

Wireless

from the caller-id-spoofing dept

Mon, Dec 15th 2008 10:50pmMike Masnick
Many mobile phones' voicemail systems have worked on the basis of checking the caller ID of the incoming caller -- and if it matched the number of the voicemail box, it would automatically push the caller through to the admin interface. The idea was that if the owner of the box was calling, he or she shouldn't have to put in the passcode to get to the messages. The only problem with this was that, if anyone could spoof your caller ID, they could access your voicemail. After a few high profile such voicemail attacks, many mobile operators urged customers to change their voicemail preferences to require a passcode, no matter what. Still, there were some operations out there, that went under names like SpoofCard, Love Detect and Liar Card, that would spoof a caller ID to get access to a voicemail box. The company behind them has been fined, but what may be more interesting is that T-Mobile and AT&T were also both fined for apparently being misleading about their susceptibility to the hack.

That seems a bit strange, and the article is woefully short on details, unfortunately. Pretty much anything is hackable given certain circumstances, and it always seems a bit odd to totally blame a hacking victim for being hacked. So it would be good to know why T-Mobile and AT&T, in particular, were fined in this case. Did they not even allow passcodes to be enabled for those who wanted to avoid this potential hack?
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: hack, voicemail
Companies: at&t, t-mobile

13 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    Brad, 16 Dec 2008 @ 12:23am

    Maybe it's the sim cards?

    Since both AT&T and T-Mobile are SIM-based operators, I wouldn't be surprised if they were more (or exclusively) susceptible to these sorts of attacks. Verizon and Sprint both authenticate all kinds of information (possibly including identity for voicemail) based on the phone's ESN. It's possible that it's much more difficult to spoof an ESN, or even get your hands on it.

    This is also why stolen Sprint / Verizon phones have little to no value on the black market, where ATT phones fetch a nice premium. Slip in a SIM card and you're free to go, no matter who the device came from. Verizon / Sprint track phones based on ESN and owner, so you can't activate a phone that's been reported stolen.

    link to this | view in chronology ]

    • identicon
      OneDisciple, 16 Dec 2008 @ 3:29am

      Re: Maybe it's the sim cards?

      I could be wrong, but I am going to say it anyway. I believe that AT&T and T-Mobile both use the ESN for the same purposes. The problem is that customers do not report the ESN as belonging to them. so when their phone is stolen it can not be tracked. However if as the customer you follow the rules of your agreement with said company and register the ESN can be tracked.

      link to this | view in chronology ]

      • identicon
        Jeff, 16 Dec 2008 @ 4:14am

        Re: Re: Maybe it's the sim cards?

        (addressing the theft/esn issue and i dunno what this has to do with anything, but here we go) and there's also the fact that these companies don't tell their customers what to do when they sell their old mobiles on ebay or craigstlist. they just tell them not to sell them and expect people to be out the cost of the old phone when they buy a new one. they aren't told about how to clear the esn and other information off of the phone before they sell it EVEN WHEN THEY REGISTER A NEW MOBILE ON THEIR ACCOUNTS. i bought a sprint blackberry on craigslist once...i could have just continued using the phone exactly as it was and have all of the use billed to the previous owner. it had their full address/phone book still on it, tons of personal information, a few hundred texts containing personal info on people other than the seller...granted, sprint is unlike other providers in that their customer service is a pile of smelly elephant assholes and it's all operated by people who barely speak english and simply use a piece of software to tell them exactly how to interact with customers...but...c'mon.

        link to this | view in chronology ]

      • identicon
        billybob., 25 Dec 2008 @ 10:43pm

        Re: Re: Maybe it's the sim cards?

        I work for at&t in sales, and I don't think this is the case. As far as I know, there is no way to remotely kill a stolen phone, aside from using special executive work programs like Good. Its best to contact ATT as soon as possible after your phone is stolen and have them put a hold on the account, killing the SIM card.

        link to this | view in chronology ]

    • identicon
      Nate, 16 Dec 2008 @ 5:10am

      Re: Maybe it's the sim cards?

      Nah, it's really easy to pull a phone's IMEI. On any handset, just type *#06# for instance, and it'll cough it up. You don't even need to pop the battery out to look for it. I don't think would be a good idea to authenticate based on this number.

      link to this | view in chronology ]

      • identicon
        nasch, 16 Dec 2008 @ 8:17am

        Re: Re: Maybe it's the sim cards?

        How easy is it to get another phone to report that as its own number?

        link to this | view in chronology ]

        • identicon
          JD, 16 Dec 2008 @ 6:11pm

          Re: Re: Re: Maybe it's the sim cards?

          My Linksys VoIP box can set CallerID to whatever I want. I guess this should work.

          link to this | view in chronology ]

  • identicon
    ooer, 16 Dec 2008 @ 2:21am

    misleading about their susceptibility to the hack

    Microsoft next, then Google, then xxxx, etc...

    Nice precedence to set...

    link to this | view in chronology ]

  • identicon
    AJ, 16 Dec 2008 @ 4:37am

    Ever notice...

    Ever notice how AT*Ts logo looks like the Death Star from Star Wars? No coincidence there, now is there?

    link to this | view in chronology ]

  • identicon
    Stephen, 16 Dec 2008 @ 5:53am

    odd

    I've been a T-Mobile customer for a good while now and it's always asked me to enter a 6 digit pass code to check my voicemail.

    link to this | view in chronology ]

  • icon
    Jasen (profile), 16 Dec 2008 @ 7:41am

    Re: odd

    Once upon a time, the default on T-mobile was no passcode, although you could set one if you chose to. Now, T-mobile makes you set a passcode, with the option to not have one if you choose.

    It's kinda like when Microsoft included a firewall in Windows XP but left it off by default, then turned around and made it on by default in SP2.

    I have been using T-mobile for a few years now. I like not having a passcode set. I have no interesting voicemails, so I'm not worried about someone hacking them. LOL

    link to this | view in chronology ]

  • identicon
    Steevo, 17 Dec 2008 @ 11:33pm

    The real problem is the CID is insecure

    The real problem is the CID is insecure and can be spoofed. That's the only problem and the problem that needs fixing.

    The telcos made an insecure system and they should be prohibited from delivering calling party data that is not correct. If there were a fine for delivering false Caller ID data they would have to either secure those systems or stop selling Caller ID at all. Either solution would be appropriate.

    link to this | view in chronology ]

  • identicon
    scc4fun, 5 Jan 2009 @ 8:52am

    Cingular/ATT statement

    I'm late to the comment party for this story, but here goes:
    I remember reading a statement from Cingular/AT&T that their voicemail always required a passcode--which was totally incorrect as, at that time and now, I was able to get into my voicemail without entering a passcode.

    link to this | view in chronology ]


Stanford Creates Database Of Patent Litigation
Wrongfully Blaming Hackers For Rainforest Deforestation
Chill Out On The Texting While Walking Bans, Says Professor
Mobile Operators Say Inauguration Will Tax Systems, Provide PR Fodder
Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

Friday

19:39 Important Announcement: Techdirt Is Migrating To A New Platform (0)
More arrow

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.