Hijacking online accounts through voicemail

When it comes to online accounts, voicemail is a major security hole. Here’s why.

Who uses voicemail these days? “No one” is probably the first response on most people’s lips. That answer is both right and wrong. True, not many people use voicemail now, yet many mobile subscribers have the service — and it’s still in good working order, even if somewhat neglected.

And remember: Just because you don’t use your voicemail doesn’t mean no one else does. In his report “Compromising online accounts by cracking voicemail systems” at DEF CON 26, security researcher Martin Vigo demonstrated that voicemail might be of interest to intruders looking to hack into your online accounts.

In fact, most operators allow access to your voice mailbox not only from your phone, but also from an external phone number — in which case access is protected with a PIN. However, voicemail PINs are often far from secure. A lot of subscribers use default codes set by the operator — usually either the last digits of the phone number or something simple like 1111 or 1234.

Moreover, even if the subscriber bothers to change the PIN, the probability of it being guessed is still fairly high: As other research shows, when it comes to thinking up PINs, people are even less inventive than they are with passwords.

First, the PIN is likely to consist of four digits, even if it’s technically possible to make it longer. Second, many users opt for easy-to-remember strings of four identical digits or combinations such as 1234, 9876, 2580 (the middle vertical row on the phone keypad), and the like. PINs beginning with 19xx are also very popular. Knowing these quirks makes it quicker and simpler to crack a voice mailbox.

There is no need to comb through all combinations manually — the job can be done by a script that calls the voicemail number and enters different combinations in tone mode. That means brute-forcing voicemail is not only possible, but also quite resource-light. “So what?” you might say, “There’s nothing valuable in my voicemail.” Or so you think.

How to hack PayPal and WhatsApp through voicemail

When resetting a password, many of the largest online services offer, among other options, to call you on the phone number specified in your profile and supply a verification code.

The attacker’s task is merely to figure out the voicemail PIN and wait until the victim’s phone is turned off or out of range (for example, in airplane mode). Then they simply initiate a password reset in the online service and select as the verification option a call that will go straight to voicemail.

Martin Vigo demonstrated how this technique can be used to hijack a WhatsApp account.

Some online resources employ a slightly different verification process: The service redials the phone number that is associated with the account and prompts the user to enter the numbers displayed on the password reset page as verification. This can be bypassed, however, with the help of a simple trick that involves setting the voicemail greeting message to a recording of the keypad tones that correspond to the digits in the reset code.

One online service with this kind of verification system is PayPal. Martin Vigo successfully cracked that, too:

The above are just a couple of examples. In fact, many more services use an automated voice call to an associated phone number to verify a password reset or to transmit a one-time two-factor authentication code.

How to guard against voicemail-based hacking

  • Consider disabling voicemail altogether; it has little practical use anyway.
  • Use a secure PIN if you do need voicemail. For a start, it should be longer than four digits. The more, the better. Next, the combination should be hard to guess, and preferably random.
  • Don’t indiscriminately give out the phone number that your online accounts are associated with. The harder it is to match your online identity with a phone number, the better.
  • Try not to associate your phone number with an online service at all if it’s not a precondition or required for two-factor authentication.
  • Use two-factor authentication — ideally an app such as Google Authenticator or a hardware device such as YubiKey.
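A policy check that enforces the PIN advice above, written as an added example for this article (not code from the original post or from Martin Vigo's research). It rejects the weak patterns the article lists: operator defaults, digits taken from the subscriber's own number, runs of identical digits, sequences such as 1234 and 9876, keypad lines such as 2580, and 19xx "year" PINs. The minimum length of six digits, the keypad line table and the inclusion of 20xx years are assumptions of this example, not any operator's actual policy.

```python
import re
import secrets

# Assumed policy values for this example, not any operator's real settings.
MIN_LENGTH = 6
OPERATOR_DEFAULTS = {"0000", "1111", "1234"}  # constructed sample of common defaults

# Phone keypad layout, used to detect straight-line walks such as 2580, 147 or 369.
_KEYPAD_LINES = ["123", "456", "789", "*0#", "147*", "2580", "369#"]


def _is_keypad_walk(pin: str) -> bool:
    """True if the PIN runs along one keypad row or column, in either direction."""
    return any(pin in line or pin in line[::-1] for line in _KEYPAD_LINES)


def _is_digit_sequence(pin: str) -> bool:
    """True for ascending or descending runs of consecutive digits (1234, 9876, 3456)."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})


def check_voicemail_pin(pin: str, phone_number: str) -> list[str]:
    """Return the policy violations for a candidate PIN; an empty list means it is acceptable."""
    if not pin.isdigit():
        return ["PIN must contain digits only"]
    problems = []
    if len(pin) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} digits")
    if pin in OPERATOR_DEFAULTS:
        problems.append("matches a common operator default")
    if len(set(pin)) == 1:
        problems.append("all digits identical")
    if _is_digit_sequence(pin):
        problems.append("ascending or descending digit sequence")
    if _is_keypad_walk(pin):
        problems.append("straight line on the phone keypad")
    if re.fullmatch(r"19\d\d|20\d\d", pin):  # 20xx added as an assumption beyond the article
        problems.append("looks like a year")
    if pin in re.sub(r"\D", "", phone_number):  # catches "last digits of the number" defaults
        problems.append("contained in the subscriber's phone number")
    return problems


def generate_voicemail_pin(length: int = 8) -> str:
    """Draw a PIN from the system CSPRNG and retry until it passes the policy check."""
    while True:
        candidate = "".join(secrets.choice("0123456789") for _ in range(length))
        if not check_voicemail_pin(candidate, ""):
            return candidate
```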