  1. #1
    HughH is offline Stack level 1
    Join Date
    Jun 2007
    Posts
    17

    Cingular/AT&T users be aware of VM security issue


    Here is an explanation of the vulnerability in a nutshell: The AT&T/Cingular voicemail system is configured by default not to ask for a password when you check your voicemail from the handset (it asks for your voicemail password if you call your number from another cell phone and press * when your voicemail answers). Unfortunately, the AT&T/Cingular voicemail system trusts Caller ID to determine if the handset is calling it. Because Caller ID can be spoofed easily (see below), anyone can gain access into your voicemail by calling you and spoofing your phone number (it will appear as if you are calling yourself when your phone rings) - should you not answer the call, your voicemail will answer and allow the intruder full access to your messages.
    Here is how to test the vulnerability:
    1. Buy a calling card from Spoofcard. This service lets you spoof your caller ID.
    2. Use another phone and call your cell phone using Spoofcard. When the Spoofcard asks you what number you want to spoof, enter your number again.
    3. Do not pick up your cell phone. When the call goes into voicemail, if you are able to listen to your messages without being prompted for a password, then you are vulnerable.
    Here is how to protect yourself from this vulnerability:
    1. Call your AT&T/Cingular voicemail (dial your own number from the iPhone).
    2. Press 4 to go to “Personal Options”.
    3. Press 2 to go to “Administrative Options”.
    4. Press 1 to go to “Password”.
    5. Press 2 to turn your password “ON”.
    6. Hang up and call your voicemail again from your iPhone. If your voicemail system asks you for your voicemail password you are all set.
    I actually created an entry for my voicemail in the address book then inserted one "pause" by pressing the "N" key then typed in my numeric password. I then assigned the letter "W" as the speed dial key. The pause, which lasts 3 seconds, is just enough time for the greeting to finish before the phone sends the password.

    This issue has been around for about a year but since there are so many coming into the BB fold, I thought it deserved to be re-posted.
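
The trust decision described in the post above, as an added example (not part of the original post and not AT&T/Cingular's code): a small Python model in which the mailbox either accepts the presented caller ID as identity or always requires the PIN. The names `Mailbox`, `grant_access`, `check_pin`, the lockout threshold, and the sample number and PIN are assumptions constructed for illustration.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

MAX_FAILURES = 3  # assumed lockout threshold, not from the post


@dataclass
class Mailbox:
    number: str
    pin: str
    password_on: bool = False  # the default the post describes
    failures: int = 0


def check_pin(box: Mailbox, pin: Optional[str]) -> bool:
    """Constant-time PIN check with a simple lockout counter."""
    if pin is None or box.failures >= MAX_FAILURES:
        return False
    ok = hmac.compare_digest(pin.encode(), box.pin.encode())
    box.failures = 0 if ok else box.failures + 1
    return ok


def grant_access(box: Mailbox, caller_id: str, pin: Optional[str] = None) -> bool:
    """Decide whether a call that reached voicemail may hear messages.

    caller_id is whatever number the calling side presented; nothing
    in this model proves the caller actually owns it.
    """
    if not box.password_on and caller_id == box.number:
        return True  # weak path: a presented number is treated as identity
    return check_pin(box, pin)  # password ON: the PIN is always required


def demo() -> dict:
    """The same call against both settings (all values constructed)."""
    box = Mailbox(number="5550100", pin="4821")
    presented_default = grant_access(box, caller_id="5550100")
    box.password_on = True
    presented_hardened = grant_access(box, caller_id="5550100")
    owner_with_pin = grant_access(box, caller_id="5550100", pin="4821")
    return {"caller_id_only_default": presented_default,
            "caller_id_only_password_on": presented_hardened,
            "owner_with_pin": owner_with_pin}


if __name__ == "__main__":
    print(demo())
```

With the password setting ON, the caller ID no longer influences the decision at all, which is why steps 1 to 5 in the post close the hole.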

  2. #2
    ziminvades is offline Stack level 4
    Join Date
    Oct 2006
    PIN/ID
    Ask Me
    Posts
    702

    Re: Cingular/AT&T users be aware of VM security issue

    Um, I will just activate password control. My handy dandy notebook only has 5 pages and my crayon snapped
    ~via BB (wap.pinstack.com)~

  3. #3
    kknopf is offline Stack level 1
    Join Date
    Apr 2007
    PIN/ID
    24221166
    Posts
    6

    Re: Cingular/AT&T users be aware of VM security issue

    Thanks Hugh... I never would have thought of this security issue. I also appreciate the step-by-step, although I think I knew the process already, it is always nice to have the details to double check.
    Kevin in Culver City, CA
    8820, 8700c
