02-24-2005, 04:48 AM
|
|
Contributing Editor Emeritus
Join Date: Aug 2006
Posts: 8,228
|
|
More T-Mobile Network Insecurity - Protect Yourself!
http://www.gizmodo.com/gadgets/cellphones/exclusive-tmobile-voice-mail-compromised-how-to-protect-yourself-033996.php
 "It�s very strange to listen to an MP3 recording of your own voice mail. When John Hering of security firm Flexilis told me that they had reversed engineered the exploit that compromised Paris Hilton and Vin Diesel�s T-Mobile voice mail earlier this week, I wanted to see it for myself. I asked John to pop open my voicemail and send me a recording. I called myself with a neighbor�s land line, left myself a voice message, and then gave John my phone number. Twenty minutes later I not only had a recording of that voice mail in my email inbox, but had received two calls�from myself. We had been able to access my voicemail, sure, but had also used the system to make an outgoing call. In effect, my voicemail called me. In reality, John stood at a payphone in a cheap Mexican restaurant in downtown Los Angeles. He could have been anywhere."
8O Scary to say the least. Steps are included to protect yourself, so if you have a T-Mobile account you should head to the Gizmodo link and take the recommended steps. And T-Mobile should get their act together. :evil:
Update: Apparently not all T-Mobile users are on the same voice mail system, so the solution presented may not be available. That also means it is possible not all users are at risk.
|
| |
|
|
|
02-24-2005, 05:23 AM
|
|
Intellectual
Join Date: Mar 2004
Posts: 241
|
|
<expletive deleted> <expletive deleted> <expletive deleted> <expletive deleted> <expletive deleted> <expletive deleted><expletive deleted> <expletive deleted> T-Mobile!
How you say, Aaarrgh!
So I log into my tmobile account, still not a single word about password security or any hint that anything is amiss. I have really lost my faith in this company over the past 6 months.
|
| |
|
|
|
02-24-2005, 05:37 AM
|
|
Neophyte
Join Date: Feb 2005
Posts: 3
|
|
Okay, I don't quite understand this "hack". I just thought everyone was wise enough to have enabled a password for their voicemail. If I call my T-Mobile phone number from my phone or any other phone, I am always asked for my password. I understand that you can turn this feature off for convenience, but why would you do that when that would allow anyone who has physical access to your phone to listen to your voicemail (as well as those who are smart enough to clone your SIM card)? This doesn't seem like a real "hack" at all, but rather an exploit of those who are too lazy to protect themselves. This seems like having an ATM card w/o a PIN number, and believing that you're going to be the only one who will ever use that ATM card.
|
| |
|
|
|
02-24-2005, 05:49 AM
|
|
Intellectual
Join Date: Mar 2004
Posts: 241
|
|
Quote:
|
Originally Posted by Pawge
Okay, I don't quite understand this "hack". I just thought everyone was wise enough to have enabled a password for their voicemail. . . but why would you do that when that would allow anyone who has physical access to your phone to listen to your voicemai
|
Now here's where the tricky stuff comes in. You don't give them your cell phone. They dial into tmobile systems and get into your voicemail without your password. What this entails is fooling tmobiles computer into thinking you are calling from the cell phone, even though you are calling from a payphone. This is called spoofing, and is not quite as easy as getting into voicemail if you have physical access to the phone.
If you dont have a voicemail password set, and you call into it from a payphone, i am not sure what it does, but I am willing to bet there is some blocker there to prevent everyone from getting in with just knowledge of the phone number. but when you connect from your own phone it does not require any password, it uses caller id as the password. this is inherantly insecure, given how easy it is to spoof a number.
Hopefully this will be fixed in the future, but most people really really hate remembering passwords, so I don't expect this general problem will go away soon. :roll:
|
| |
|
|
|
02-24-2005, 06:03 AM
|
|
Intellectual
Join Date: Aug 2004
Posts: 131
|
|
Definitely not a good year for T-Mobile USA. I'm gonna give them a cal and let them know how I feel. You can have all the Customer Service in the world but its nothing without good security.
|
| |
|
|
|
02-24-2005, 06:14 AM
|
|
Neophyte
Join Date: Feb 2005
Posts: 3
|
|
Yeah I agree, I hate remembering a whole bunch of passwords as well. But, there are a few that you really just need to know and use. IMO these include voicemail, ATM/Credit Card pins, bank accounts, e-mail, and any online service that has your personal information (ie. address, credit card number, etc). Eventhough there's a password to this forum, I wouldn't be that upset if someone figured it out and posted all sorts of bad things, b/c in the end it wouldn't affect me in the least. My username may get "flamed" or "banned" on the forum, but I'm not hurt financially, emotionally, physically by it. Anyway, I know that if you enable the password on your T-Mobile voicemail, that if you call it from any phone (whether it be your cell phone or a pay phone) it will ask for the password).
That all being said, I'd like to see cell phone operators start using either a password or a voiceprint recognition system (or both) to access your voicemail. I am kinda surprised why cell phone companies don't allow you to record a voice password/passphrase that it can then use when your checking your voicemail. It seems that this would be a bit more secure than not using a password at all, but with more convenience than having to remember and input a password on your phone keypad. You could also enable both for extra security.
-george
|
| |
|
|
|
02-24-2005, 06:23 AM
|
|
Sage
Join Date: Oct 2006
Posts: 797
|
|
You guys are missing the much more obvious and dangerous / sinister method.
If you're on T-mobile, and you don't have the PIN enabled for retreiving messages, I can jack your voicemail in my sleep.
Here's how.
|
| |
|
|
|
02-24-2005, 06:23 AM
|
|
Intellectual
Join Date: Aug 2006
Posts: 251
|
|
Wow, this is a potentially huge nightmare for T-Mobile. They better act quick to fix this or there will be a mass exodus from their service.
I use Verizon and have to input a password to receive my voicemail.
|
| |
|
|
|
02-24-2005, 06:25 AM
|
|
Sage
Join Date: Oct 2006
Posts: 797
|
|
All you have to do for T-Mobile is turn it on.
Dial your voicemail, take option 4, then option 8.
|
| |
|
|
|
02-24-2005, 06:35 AM
|
|
Sage
Join Date: Oct 2006
Posts: 797
|
|
Oh, and before you guys get your undies in a wad over T-Mobile, keep in mind, Sprint PCS has the exact same vulnerability.
|
| |
|
|
|
|
|
Linear Mode
