Kuro5hin.org: technology and culture, from the trenches
create account | help/FAQ | contact | links | search | IRC | site news
[ Everything | Diaries | Technology | Science | Culture | Politics | Media | News | Internet | Op-Ed | Fiction | Meta | MLP ]
We need your support: buy an ad | premium membership

Customers of Telco Companies Face Privacy Breach

By flaws in News
Sun Aug 15, 2004 at 04:14:12 AM EST
Tags: Security (all tags)

A security advisory posted on Bugtraq demonstrates how hackers can compromise customers of T-mobile wireless and Verizon (landline) voicemail boxes. The advisory talks about the use of Caller-ID spoofing the customers number, allowing a bypass of the PIN code since the voicemail thinks that the customer is calling to check their own voicemail. According to Secure Science Corporation, there has been no response from the vendors. Comments have been posted that T-Mobile has optional PIN code protection off by default. Better turn it on.

The sudden abundance of Voice-over-IP products out there grants hackers the ability to take what was once proprietary telephone technology and bring it to their own networks. This opens a whole new door for telecommunication security, including Caller-ID privacy screening and Caller-ID spoofing trivially by anyone with a VOIP phone and some packet-modification tools. The securityfocus advisory demonstrates that Caller-ID, similar to e-mail, is now a questionable communication protocol and has already affected the telecommunications companies. With the onslaught of spam, scams and phishing, this may be a new territory of exploitation for the bad guys as well.


Voxel dot net
o Managed Hosting
o VoxCAST Content Delivery
o Raw Infrastructure


Related Links
o Bugtraq
o T-mobile
o Verizon
o Secure Science Corporation
o Voice-over -IP
o securityfo cus
o Also by flaws

Display: Sort:
Customers of Telco Companies Face Privacy Breach | 28 comments (12 topical, 16 editorial, 0 hidden)
I have to PIN each time for Verizon wireless. -nt (none / 0) (#2)
by MrLarch on Fri Aug 13, 2004 at 04:01:16 PM EST

Verizon Northwest (none / 0) (#4)
by flaws on Fri Aug 13, 2004 at 04:11:10 PM EST

According to the advisory, the verizon is verizon northwest (Formerly GTE) landlines.

[ Parent ]
More are vulnarable (3.00 / 2) (#20)
by xL on Sat Aug 14, 2004 at 07:57:20 AM EST

I've worked for a consultancy company that serviced wireless telcos for a couple of months. The product I was supposed to support handled voicemail, email and fax calls for 3G networks. It was a nightmare. There is still a mindset within designer of telco systems that assumes that data reaching the systems will be perfectly valid and can be trusted. This particular system not only had the exact same problem as the verizon issue discussed here (offering PIN-less access to a voicemail box if the calling party's MSISDN matches), but made the same mistake with internet address data (trusting a MAIL FROM address passing an unauthenticated SMTP session enough to use it for billing, for example). I've spent a fair part of a two month uphill battle to even get the developers to acknowledge this, they don't want to hear this stuff unless if the customers make a point of it (and they won't because they are clueless telcos).

On the internet, most of us learned not to make such mistakes. Never blindly assume that the party you are talking to will play by the rules. The telco industry never had to deal with this problem before. They're screwed.

[ Parent ]

ROR (3.00 / 5) (#10)
by cuz on Fri Aug 13, 2004 at 04:30:55 PM EST

I can just imagine some phone spammer wardialing for vulnerable mailboxes and changing the outgoing messages to viagra ads. +1FP

Telcos scare the shit out of me (3.00 / 19) (#19)
by xL on Sat Aug 14, 2004 at 07:23:12 AM EST

I spent a fair part of my life either working for telcos or for companies owned by telcos. The amount of ignorance to be found in such organizations is absolutely staggering. There probably were better times, when there were few telcos around and a lot of them were bureaucratic monopolies. The phone networks they were responsible for were mostly under control, the only people with meaningful access to those networks were the big telcos themselves.

It's not that, back in the old days, telco networks didn't have their fair share of security problems. Google around for 'blueboxing' and 'phreaking' to get a glimpse of that. These problems were mostly known, though, the telco's problems with mitigating them had little to do with a lack of understanding on their side, but more with the cost of upgrading infrastructure and the general slowness of the organization.

With the rise of SS7 and out-of-band signalling, telcos grew confident that they had their security problems tackled. All the historical efforts against security were geared towards rogue end users screwing things up from the short end of a circuit. The inner network was seen as a Black Box. Then telco deregulation and the internet came along and they never realized the gravity of their mistake.

Look at the inner LAN of any telco organization and you will find racks and racks of Sun and Cisco gear. Rolled in by bloated consultancy organizations and maintained by yet other bloated companies over fatass support contracts. These are immensely complex overengineered solutions and people understanding them in their entirety are far and between. Everybody else is scared to touch the network and gear unless if absolutely necessary and even then only if accompanied by a Change Request form filled in threefold. So Solaris never gets patched. IOS stays at the release it got when routers were installed. Only if actual outages occur because of an OS issue will you see any updates.

Management is done over telnet. The large support organizations doing the maintenance for the telco need to be able to do that without hassle, so generally there are root logins with tremendously simple passwords that are known throughout the entire company and they rarely change. You won't need to have taken classes in social engineering to get your hands on a lot of that kind of inside information. Security within telco networks is rotten to the core.

Add to this factor the rise of the multi-tier reseller business model that has risen out of the internet age and you have a recipe for disaster. More and more companies gain responsibility over a larger part of the traffic going towards end users than ever before. Instead of hundreds, there are now thousands and thousands of organizations that hook into the international SS7 signalling network, either directly or through a bigger telco. But guess what, the international telco network was never designed with the idea in mind that rogue organizations could tap into it directly. It is not at all clear to the telcos what kind of risks are associated with this loss of control they never anticipated.

Nail. Hammer. Head. Thank You. (2.75 / 4) (#23)
by actmodern on Sun Aug 15, 2004 at 10:13:38 PM EST

The part about workorders in triplicates is so accurate it caused a shiver to run down my spine. As someone who worked for telcos all my life, I can tell you that Solaris box in rack 71A is not going to get patched anytime soon because even if the workorder is written properly I can expect to spend gazillions of hours talking my way through layers and layers of incompetent "analysts" and "specialists" until I finally send a "just copy and paste this into your shell account. kthanx."

LilDebbie challenge: produce the water sports scene from bable or stfu. It does not exist.
[ Parent ]
Same here (3.00 / 2) (#24)
by IAmNos on Mon Aug 16, 2004 at 11:34:13 AM EST

No kidding. I know a telco that updated a .dat (virus definition file) for the virus scanner on one of 7 machines dedicated to scanning incoming email. When, and only when it had run without problems for two weeks did they patch the other 6. So for two weeks, customers emails had a 1 in 7 chance of being scanned with a relatively new .dat.
[ Parent ]
T-Mobile customer here (none / 1) (#21)
by Xoder on Sat Aug 14, 2004 at 07:53:07 PM EST

Thanks for the heads up. I've got T-Mobile, and I've been meaning to do this, and in the search of the right option (8, for those who want to do it), I managed to enable automatic message playback mode so that when I have messages I don't have to hit 1 first, which is real nice.

In other news, they gave me free wireless web (WAP) access for the first 8 months, got me hooked, and now I don't want to pay US$5/mo to get it back. Farking drug dealers!

Lately I've been hearing that god's on our side But rumor has it, there's one on their side too So what I'd like to know is, when it comes down to it, can my god kick their god's ass or what?

Re: your mini-print tagline (3.00 / 3) (#22)
by metalfan on Sun Aug 15, 2004 at 10:49:50 AM EST

That has got to be the stupidest idea I have ever heard from any government.  Ever.

[ Parent ]
No new, though (none / 1) (#25)
by ebonkyre on Mon Aug 16, 2004 at 02:36:03 PM EST

I think Illinois was first with the "illegal drug tax" stamps.
According to them, most of their sales are to [straight-face]"stamp collectors"[/straight-face]...

The truth hurts sometimes... Nothing beats a nice fat cock. ShiftyStoner
[ Parent ]
Another Example of VOIP flaws (none / 0) (#26)
by flaws on Mon Aug 16, 2004 at 05:23:19 PM EST

Ureach is a web service that provides 1800 numbers to people, integrated with web, some optional software and phone lines. An example of another easy spoof is in one of their cgi features called call-back.

This feature allows you to call people back that have called you, but if you do a tcpdump on it, you can see that this can be taken advantage of.


http://www21.ureach.com/7700d01OJT/cgi-bin/addrbk?func=di&greet1=2&greet 2=0&local=1234567890&remote=222-222-2222&name=You%20Suck&invis=1

This is obviously per session, so the 7700d01OJT will change per user, but within a session with ureach, you can actually input this in your browser, and it will call two numbers and connect them together. You can arbitrarily specify what numbers call what, but it's a primitive example of how Caller-ID spoofing is possible with just a few mistakes with some VOIP web cgi's.

ooh (none / 0) (#27)
by flaws on Mon Aug 16, 2004 at 07:46:25 PM EST

now that I think of it, the phone spam is just interesting. Change the greet1=0 and greet2=0 and Put your spam message in name= and spoof your sender, ooh, Pham! :)

[ Parent ]
Customers of Telco Companies Face Privacy Breach | 28 comments (12 topical, 16 editorial, 0 hidden)
Display: Sort:


All trademarks and copyrights on this page are owned by their respective companies. The Rest 2000 - Present Kuro5hin.org Inc.
See our legalese page for copyright policies. Please also read our Privacy Policy.
Kuro5hin.org is powered by Free Software, including Apache, Perl, and Linux, The Scoop Engine that runs this site is freely available, under the terms of the GPL.
Need some help? Email help@kuro5hin.org.
My heart's the long stairs.

Powered by Scoop create account | help/FAQ | mission | links | search | IRC | YOU choose the stories!