International Voicemail Security And Bypassing 2FA For Fun And Profit presented at Ruxcon 2014

by Shubham Shah

Summary: Voicemail systems have been broken into for years. Whether it be through spoofing attacks or social engineering, the general security of voicemail systems around the world has been regarded as some of the weakest. Whilst only fully exposed to the public during the famous News International phone hacking scandal, it seems that a large number of providers are still vulnerable today not only to the techniques already revealed, but also through newer methodologies such as those involving the visual voicemail protocol.
In addition to this, our reliance on telephony as an additional verification factor is also questioned, as through the vulnerabilities discussed, its integrity is lost.
In this talk, we reveal how we:
Broke Optus’s voicemail security via spoofing to vulnerable old endpoints
Obtained any Vodafone customer’s voicemail PIN through brute-forcing Vodafone’s visual voicemail system
Identified overall vulnerabilities in voicemail systems, including vulnerabilities to test for to see if your telco is vulnerable
Bypassed 2FA through the leveraging of voicemail vulnerabilities
We’ll be presenting PoCs, live demonstrations and new techniques to break into modern voicemail systems around the world.