More T-Mobile Network Insecurity - Protect Yourself!
Ed Hansberry
02-24-2005, 04:48 AM
http://www.gizmodo.com/gadgets/cellphones/exclusive-tmobile-voice-mail-compromised-how-to-protect-yourself-033996.php
"It’s very strange to listen to an MP3 recording of your own voice mail. When John Hering of security firm Flexilis told me that they had reversed engineered the exploit that compromised Paris Hilton and Vin Diesel’s T-Mobile voice mail earlier this week, I wanted to see it for myself. I asked John to pop open my voicemail and send me a recording. I called myself with a neighbor’s land line, left myself a voice message, and then gave John my phone number. Twenty minutes later I not only had a recording of that voice mail in my email inbox, but had received two calls—from myself. We had been able to access my voicemail, sure, but had also used the system to make an outgoing call. In effect, my voicemail called me. In reality, John stood at a payphone in a cheap Mexican restaurant in downtown Los Angeles. He could have been anywhere."
8O Scary to say the least. Steps are included to protect yourself, so if you have a T-Mobile account you should head to the Gizmodo link and take the recommended steps. And T-Mobile should get their act together. :evil:
Update: Apparently not all T-Mobile users are on the same voice mail system, so the solution presented may not be available. That also means it is possible not all users are at risk.
foebea
02-24-2005, 05:23 AM
<expletive deleted> <expletive deleted> <expletive deleted> <expletive deleted> <expletive deleted> <expletive deleted><expletive deleted> <expletive deleted> T-Mobile!
How you say, Aaarrgh!
So I log into my tmobile account, still not a single word about password security or any hint that anything is amiss. I have really lost my faith in this company over the past 6 months.
Pawge
02-24-2005, 05:37 AM
Okay, I don't quite understand this "hack". I just thought everyone was wise enough to have enabled a password for their voicemail. If I call my T-Mobile phone number from my phone or any other phone, I am always asked for my password. I understand that you can turn this feature off for convenience, but why would you do that when that would allow anyone who has physical access to your phone to listen to your voicemail (as well as those who are smart enough to clone your SIM card)? This doesn't seem like a real "hack" at all, but rather an exploit of those who are too lazy to protect themselves. This seems like having an ATM card w/o a PIN number, and believing that you're going to be the only one who will ever use that ATM card.
foebea
02-24-2005, 05:49 AM
Okay, I don't quite understand this "hack". I just thought everyone was wise enough to have enabled a password for their voicemail. . . but why would you do that when that would allow anyone who has physical access to your phone to listen to your voicemai
Now here's where the tricky stuff comes in. You don't give them your cell phone. They dial into T-Mobile's systems and get into your voicemail without your password. What this entails is fooling T-Mobile's computer into thinking you are calling from the cell phone, even though you are calling from a payphone. This is called spoofing, and is not quite as easy as getting into voicemail if you have physical access to the phone.
If you don't have a voicemail password set, and you call into it from a payphone, I am not sure what it does, but I am willing to bet there is some blocker there to prevent everyone from getting in with just knowledge of the phone number. But when you connect from your own phone it does not require any password; it uses caller ID as the password. This is inherently insecure, given how easy it is to spoof a number.
Hopefully this will be fixed in the future, but most people really really hate remembering passwords, so I don't expect this general problem will go away soon. :roll:
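To illustrate the point made in the post above about caller ID standing in for the password, here is an added example (not part of the original thread and not any carrier's code): a small Python model of the two voicemail settings, plus a check that flags PIN-less access where the subscriber's own number is presented on a call arriving from outside the carrier's network. The record fields (`ingress`, `skip_pin_from_own_number`), the PIN and the phone numbers are constructed assumptions.

```python
# Added illustration; record fields and numbers are constructed, not a carrier format.
import hmac
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Mailbox:
    number: str
    pin: str
    skip_pin_from_own_number: bool  # the convenience setting discussed in the thread

@dataclass(frozen=True)
class Call:
    mailbox: str            # mailbox being opened
    caller_id: str          # number presented by the caller; not proof of origin
    ingress: str            # hypothetical log field: "on_net" or "external"
    pin: Optional[str]      # digits entered, or None if no PIN was keyed in

def grant_access(box: Mailbox, call: Call) -> bool:
    """Decide whether the mailbox opens for this call."""
    if box.skip_pin_from_own_number and call.caller_id == box.number:
        return True  # caller ID alone is acting as the password
    return call.pin is not None and hmac.compare_digest(call.pin, box.pin)

def is_suspicious(box: Mailbox, call: Call) -> bool:
    """Flag PIN-less access claiming the subscriber's number from off-network."""
    return grant_access(box, call) and call.pin is None and call.ingress != "on_net"

def replay(box: Mailbox, calls: list) -> list:
    """Return (granted, flagged) for each call against one mailbox policy."""
    return [(grant_access(box, c), is_suspicious(box, c)) for c in calls]

OWNER = "+12025550143"  # constructed number from the reserved 555-01xx range
CALLS = [
    Call(OWNER, OWNER, "on_net", None),               # owner's own handset
    Call(OWNER, OWNER, "external", None),             # owner's number presented from elsewhere
    Call(OWNER, "+12025550187", "external", "8261"),  # owner on a landline, keys PIN
    Call(OWNER, "+12025550187", "external", None),    # stranger, no PIN
]

CONVENIENT = Mailbox(OWNER, "8261", skip_pin_from_own_number=True)
PIN_ALWAYS = Mailbox(OWNER, "8261", skip_pin_from_own_number=False)

if __name__ == "__main__":
    for name, box in (("skip PIN from own number", CONVENIENT), ("PIN always", PIN_ALWAYS)):
        print(name, replay(box, CALLS))
```

With the PIN always required, the presented number no longer matters: only the call that keys the correct PIN opens the mailbox.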
alabij
02-24-2005, 06:03 AM
Definitely not a good year for T-Mobile USA. I'm gonna give them a call and let them know how I feel. You can have all the Customer Service in the world but it's nothing without good security.
Pawge
02-24-2005, 06:14 AM
Yeah I agree, I hate remembering a whole bunch of passwords as well. But, there are a few that you really just need to know and use. IMO these include voicemail, ATM/Credit Card pins, bank accounts, e-mail, and any online service that has your personal information (ie. address, credit card number, etc). Even though there's a password to this forum, I wouldn't be that upset if someone figured it out and posted all sorts of bad things, b/c in the end it wouldn't affect me in the least. My username may get "flamed" or "banned" on the forum, but I'm not hurt financially, emotionally, physically by it. Anyway, I know that if you enable the password on your T-Mobile voicemail, and you call it from any phone (whether it be your cell phone or a pay phone), it will ask for the password.
That all being said, I'd like to see cell phone operators start using either a password or a voiceprint recognition system (or both) to access your voicemail. I am kinda surprised why cell phone companies don't allow you to record a voice password/passphrase that it can then use when you're checking your voicemail. It seems that this would be a bit more secure than not using a password at all, but with more convenience than having to remember and input a password on your phone keypad. You could also enable both for extra security.
-george
Vincent M Ferrari
02-24-2005, 06:23 AM
You guys are missing the much more obvious and dangerous / sinister method.
If you're on T-mobile, and you don't have the PIN enabled for retrieving messages, I can jack your voicemail in my sleep.
Here's how. (http://insignificantthoughts.com/index.php?p=925)
ucfgrad93
02-24-2005, 06:23 AM
Wow, this is a potentially huge nightmare for T-Mobile. They better act quick to fix this or there will be a mass exodus from their service.
I use Verizon and have to input a password to receive my voicemail.
Vincent M Ferrari
02-24-2005, 06:25 AM
All you have to do for T-Mobile is turn it on.
Dial your voicemail, take option 4, then option 8.
Vincent M Ferrari
02-24-2005, 06:35 AM
Oh, and before you guys get your undies in a wad over T-Mobile, keep in mind, Sprint PCS has the exact same vulnerability.
Pawge
02-24-2005, 06:38 AM
All you have to do for T-Mobile is turn it on.
Dial your voicemail, take option 4, then option 8.
Exactly, this is my point. When I first got my T-Mobile phone and initially set up my voicemail, I remember it asking me whether I wanted to enable a password for voicemail (there was a "wizard-like" stepwise process to go through). I'm sure many people just don't enable it out of convenience, but it is their own fault for not thinking it through. Hell, I know a lot of people don't even set up their voicemail when they first get their phone. They just let the generic "You've reached..." message remain as their voicemail greeting etc. I fault the user for being lazy more than T-Mobile.
Vincent M Ferrari
02-24-2005, 06:41 AM
I'm just pissed that T-Mobile is catching all this hell, and yet Sprint PCS is catching none with the same vulnerability.
I know it's my T-Mobile bias.
I know it's cause of who I work for...
But still... Why isn't anyone screaming at the top of their lungs about "SPRINT NETWORK INSECURITY?"
gibson042
02-24-2005, 07:42 AM
But still... Why isn't anyone screaming at the top of their lungs about "SPRINT NETWORK INSECURITY?"
I think we all know the answer to that: Paris Hilton. Grimace, hunker down, tell everyone to PIN-protect their voicemail and choose intelligent reminder questions. There's unfortunately not much else that can be done.
Who was it again that hated those flashing bluetooth LEDs? :lol:
Jonathan1
02-24-2005, 01:24 PM
*shrugs* Whoever is lazy enough to not put a password on their voicemail (Which from what I've read is the root of the problem.) Deserves all the problems this entails. I'm sorry if that sounds overly harsh and if that personally stings some of you, but really. Who leaves any system that may have potentially sensitive info passwordless? Who out there makes their ATM pin 1234? Who out there has their computer password [blank]. It’s a standard security measure everyone should take no matter what system and frankly I don’t blame T-mobile I blame lazy people. Harsh? Maybe. Accurate. I personally think so.
Jonathan1
02-24-2005, 01:25 PM
Who was it again that hated those flashing bluetooth LEDs? :lol:
Thank god there isn't a competing RedTooth standard. Blue...Red....Blue...Red...Blue...Red ARRRGH!!! 8O
DaleReeck
02-24-2005, 01:45 PM
One thing I learned as a member of my University's security team: Hackers can never be beaten, just delayed until the next exploit. If a hacker wants to get in, they will eventually - regardless of the system. Voicemail, email, servers, it doesn't matter. If it's connected to a wire, it's unsecure.
Granted, you don't want to make it easy for them, but every person has to be aware of the things you need to do to be secure. Unfortunately, too many clueless people do the stupidest things to make it easy for the hackers. The "system" isn't solely to blame in most cases.
Ed Hansberry
02-24-2005, 02:08 PM
*shrugs* Whoever is lazy enough to not put a password on their voicemail (Which from what I've read is the root of the problem.) Deserves all the problems this entails. I'm sorry if that sounds overly harsh and if that personally stings some of you, but really.
That isn't the issue. The T-Mobile network allows you to not have to enter your password if you call from your cell. If you call your voice mail from another handset, you must enter the PIN.
Nothing to do with laziness. Everything to do with a flawed system.
Jon Westfall
02-24-2005, 03:33 PM
Well, I just did the 4 - 8 trick here as well. Now it's going to be a pain to put in that passcode, but better than the alternatives...
Jon.
Jonathan1
02-24-2005, 03:52 PM
*shrugs* Whoever is lazy enough to not put a password on their voicemail (Which from what I've read is the root of the problem.) Deserves all the problems this entails. I'm sorry if that sounds overly harsh and if that personally stings some of you, but really.
That isn't the issue. The T-Mobile network allows you to not have to enter your password if you call from your cell. If you call your voice mail from another handset, you must enter the PIN.
Nothing to do with laziness. Everything to do with a flawed system.
OK. My bad. :oops: What I’ve read in a couple of different places has said that simply setting a password on your voicemail nullifies this exploit. Obviously wrong. Sorry. To be fair though it still has to do with laziness. ;) Just from a different perspective.
Ed Hansberry
02-24-2005, 03:57 PM
Well, I just did the 4 - 8 trick here as well. Now it's going to be a pain to put in that passcode, but better than the alternatives...
Not everyone can do this. Some T-Mobile users are on an old PowerTel voice mail system and others are on T-Mobile's system. I am not sure which is which, but for some, 4/8 gives you an error and for others, 4/8 works.
Now, I wonder if both systems are vulnerable?
SteveNYC
02-24-2005, 07:20 PM
Who out there makes their ATM pin 1234?
I have to tell you, I've seen it happen. As a funny aside, I have to pass this on. It happened like 10 years ago; but still, very funny.
I was in Manhattan on Park Avenue South and I had to get some money out of the ATM. So I'm there with my cousin and get my money and I'm about to leave. This old, heavyset woman catches me before I can leave and asks for my help using the ATM. She says it makes her confused. Trust me, her confusion began LONG before she entered the ATM lobby. So she goes to give me her PIN number and asks me to take the money out for her. I tell her she should never give her PIN out, how does she know I wouldn't rob her? She says I look like an honest person. True, but that's beside the point... so, of course, what's her password? 1234. I thought I was going to laugh out loud.
So I help her out, tell her again never to give out her PIN and I hold the door open for her to leave. She then walks out the door.... very slowly... and proceeds to walk all OVER her little dog that she has on a leash while this thing cries out in agony because she wasn't watching where she was going. I don't know how the dog survived.
Man, I laughed my a** off with my cousin when we left. So yeah, it DOES happen that people use 1234.
OneAngryDwarf
02-24-2005, 07:28 PM
Does anybody think it is a very large oversight that T-Mobile is still airing Sidekick commercials with Paris Hilton in them? I saw 3 of them last night... Who is running this trainwreck named T-Mobile. Oh well I'm sure I or somebody else could easily hack in and find out, lol.
Abba Zabba
02-25-2005, 01:00 AM
I think it's funny how easy it is to "hack" someone's phone. I must say it's time to pack the bags and move over to cingular.
allenalb
02-25-2005, 11:26 PM
Does anybody think it is a very large oversight that T-Mobile is still airing Sidekick commercials with Paris Hilton in them? I saw 3 of them last night... Who is running this trainwreck named T-Mobile. Oh well I'm sure I or somebody else could easily hack in and find out, lol.
I dunno, does anybody think that using celebrities like Paris Hilton in the FIRST PLACE indicates bad publicity is better than no publicity?
I personally think the whole thing is staged.