There are many ways to secure an account, and with that many ways, there are security holes that can be exploited.
From Google, Microsoft, Apple, WhatsApp, Signal and many other online services, have their own measures to secure users' accounts. But still, they all have one weakness that can pose catastrophe to users, and that is voicemail that can be compromised to steal online identity.
Speaking to hackers and security researchers at the annual DEF CON convention in Las Vegas, Spanish hacker Martin Vigo explained how he managed to reset passwords for a wide-ranging set of online accounts using only voicemail.
He explained that when requesting a password reset for online services, users have the option to request a reset code using a text message, which can be then used into the app to reset their login credential.
But if users happen to miss the phone call - for instance, while they are flying, or on an underground train, or if they want to - that message can be pushed to voicemail.
This is certainly a convenience. But what if the person trying to reset the password isn't the person who own the account, but a hacker?
Hackers can in fact get access to people's voicemail.
This is because voicemails are poorly secured, Vigo said, with many of the same weaknesses first documented decades ago were largely unchanged in the backends of mobile carriers.
Even when users change their passwords, this only add little extra security. The reason is because most carriers limit protection to short numeric codes, with the minimum being just four digits. What's more, they usually don’t have any prevention against brute force attacks.
Using an automated script, hackers, even script kiddies, can effortlessly bruteforce most voicemail passwords, without the phone's owner ever knowing. Succeeding in doing that, the hackers can get an online account's password reset code and, consequently, control of the account itself.
This method also allows hackers to bypass two-factor authentication (2FA).
Vigo laid out the basic strategy for the attack:
- Bruteforce voicemail system.
- Ensure that all calls go straight to voicemail using call flooding, OSINT, HLR.
- Start password reset process using "Call me" feature.
- Listen to the message to get the secret code.
In a demo, Vigo showed a variation of this attack on a PayPal account. "In three, two, one, boom — there it is," Vigo said to audience. "We just compromised PayPal."
"What services are vulnerable? Password reset for PayPal, Instagram, Netflix, eBay, LinkedIn," Vigo said. "Authentication for WhatsApp, Signal, Twilio, Google Voice."
Vigo noted that he responsibly disclosed the vulnerabilities to online services, telling them to stop using automated calls for security purposes. He also called carriers to end the practice of using a default password for voicemails.
But he initially received less than satisfactory response from many of them.
Vigo posted a modified version of his code to Github. He altered the code so that researchers can verify that the flaw exists, and also to prevent script kiddies to use it to reset people's password.
To prevent this thing from happening, Vigo urges people to disable their voicemail.
But if users can't disable their voicemail for whatever reason, they can alternatively use the longest possible PIN code that is also random. Then, they should not provide their phone number to online services, unless it's absolutely needed for 2FA.
In general, it's wiser to use authenticator apps instead of using SMS-based 2FA.
One popular breach that happened because of this similar security hole, was when hackers breached Reddit's internal system by using SMS intercept attacks on some of the company’s employees.