 We start the next talk. It's by Martin Vigo. He stands here. He is a product security lead and researcher. And he's responsible for mobile security, identity and authentication. So he helps people design and secure systems and applications. And he has worked on stuff like breaking password managers or exploiting Apple's FaceTime to create a spy program. So give him a warm applause for his talk. Joining me in this talk, I'm super excited to be here. It's actually my second year at the conference. So super, super excited that the first year I was sitting there and this second year I'm sitting here. This is me, but the introduction was already made just pointing out that this is me, nine years old with an Amstrad CPC 6128. Who had this machine before? I see only one hand. I think this was sold in Europe. But I was playing here Lavadia del Crimin, which is the best video game ever written. If you guys like Abandonware, you should definitely check it out. So like any good research, we have to start by looking at previous art, right? We can learn a lot from researchers that did stuff in the past. And in this case, I went all the way back to the 80s to understand how Frickers at the time, when the hacking scene started, were doing to actually hack into voicemail systems. I condensed everything I learned in five different paragraphs of five different e-sins that I actually got from FRAC website, which is an amazing resource. So here, from the hacking telephone answering machines, the paragraph that I extracted was that you can just enter all two-digit combinations until you get the right one. A more sophisticated and fast way to do this is to take advantage of the fact that such machines typically do not read two numbers at a time and discard them, but just look for the correct sequence. What is this about? In all their voicemail systems, if you will enter, like, one, two, three, four for a two-digit ping, it will not process one, two, and three, four to verify the ping, but it will also process two, three, which is very interesting. In fact, in hacking AT&T answering machines, again, this is an e-sign from the 90s or 80s, we actually get the correct sequence to cover the entire two-digit key space. So if you enter all these, you're basically brute forcing the entire key space without having to enter the entire thing that covers it. I also learned from a tutorial of fast-claim voicemail systems that in the 80s, there was default passwords, surprise, surprise, but also that as humans, we actually have patterns when we choose pins. And so we have the classics, one, one, one, one, nine, nine, nine, one, two, three, four. And another thing that I learned in hacking answering machines in the 90s was that there is also, they all changed the message secret to make it say something to the effect of this line accepts all toll charges so you can build third-party calls to that number. This is basically a trick used by inmates to get free calls. Basically, they will record in the voicemail greeting message, yes, yes, yes. So when the automated system comes in and asks, do you want to accept the toll charges from the call from the penitentiary, it will go and they will be able to do free calls. So condensing everything and summarizing what I learned from looking at what previous hackers did in the 80s, we know that the voicemail system security in the 80s looked like there was default pins, there was common pins, there was brute-forceable pins, there was efficient brute-forcing because we can enter multiple pins at the same time and then the greeting message is actually an attack vector. So let's play a game, let's do checklist and let's look at the voicemail security today. So I looked at the American carriers because I live in the U.S. but because I was invited to talk in Germany, I took some friends to give me some SIM cards and I actually wanted to put about German carriers as well. So checklist time, default pins. All American carriers do have default pins and unfortunately they are really not a secret because most of them is actually the last digits of your phone number. When it comes to the two German carriers, it's actually a much better state. For example, Vodafone is the last four digits of their client number, which you don't know. I mean, you know as the customer, not others, it's a secret. Or if it comes to the Callia, that is the car that I got is the last four digits of the book. For telecom is the last four digits of the card number, which is the car you get with the SIM card. For O2, unfortunately, there is a default pin, which is 8705, which is the only pin you can set when you choose to set one. Yeah. So voicemail security today when it comes to common pins. According to, like, a fantastic research from data genetics, this is actually about people choosing pins for their credit cards. But there was a lot of conclusions that I learned from this research. And basically, to summarize the most important regarding this work is that, for example, by trying the top 20 most common pins, you have a 22% chance of guessing the right one. What this means, in other words, is for every fourth victim that I try to brute force the pin from their voicemail system, I will get it right every fourth person. There are other conclusions that are very interesting, like the pins mostly start by 1.9. Who has an idea why is that? Birth year, right? It's very common to set as your birth year. Most of us were born in the 20th century to set it as a pin. Brute forceable pins, same thing. In Germany and the U.S., it accepts four digit pins, which we will see later. It's just not enough key space. Efficient brute forcing, all the carriers accept concatenation of payloads. So in this case, I use it to try different pins. And I don't even have to wait for error messages. I just use the pound as kind of like an enter in a voicemail system and I can try three pins at a time. Usually carriers will hang up when you enter three pins wrong for security purposes, but we will take advantage of that. So with everything that I learned from the 80s, I verify that it was still a problem today. I decided to write a tool that allows you to brute for voicemail system fast, cheap, easily, efficiently, and undetected. So fast, I use Twilio. Who is familiar with Twilio here? Some of you. So Twilio is basically an online services that allows you to programmatically interact with phone calls. You can make phone calls, interact with them, and all that. So I use it to launch hundreds and hundreds of calls at the same time in order to brute force pins. It's cheap. The entire four digit key space costs 40 dollars. So if I want to have a hundred percent chance of getting your four digit pin, I only have to pay 40 bucks. A 50 percent chance, according to the research from data genetics, it will cost me $5. So one over two victim, I will get the pin. Actually, if I want to take a different approach, and instead of just trying to brute force only yours, but I want to brute force the pin from everyone here, according to data genetics, and in this case, according to the fact that there is default pins, I'm not going to ask how many of you have an O2. Now that they know there is a default pin to their very small system, but it will be more interesting to actually try a thousand phone numbers for that default pin for O2 customers, only for $13. It's easy. Fully automated. The tool does everything for you. You just have to provide the victim number, the carrier, and a couple other parameters. Again, it's efficient. It optimizes brute forcing. I use the research from data genetics to favor the pins that are most common, and obviously it tries different pins and all that stuff. But the most important here is detection, because think about it. In order for me to interact with your voicemail system, I need to call you, and you cannot pick up, because if not, it doesn't go to the voicemail system. So I was trying to find ways, because I need to, in the end, make a lot of calls, trying different pins. How can I interact directly with your voicemail? I try call flooding, like basically doing three calls at a time, and because the line gets flooded just with three calls, it goes directly to the voicemail, but it wasn't very reliable. You can use awesome techniques. A lot of people like to tweet that they go on a trip. They are about to board a plane, so it goes into airplane mode, or you go in a remote area, or you are in a movie theater, or at night you put it at do not disturb. Those are all situations in which calls go directly to the voicemail. You can use HLR database to find out if mobile devices are disconnected, or the SIM cards have been discarded, but they are still assigned to an account. And you can use online services like realformvalidation.com, which I actually reached out, and they provide services that allow you to know if a phone is actually connected to a tower at the moment, so it's basically available, so you could use that too. You can also use Class Zero SMS, which gives you feedback, it's basically a type of SMS that it has more priority, and it will basically display on the screen, and you get the feedback if it was displayed, so that's a nice trick to find out if the phone is actually connected to a tower. But in reality I wanted a bulletproof way to do this, and in the US I found that there is this concept of backdoor voicemail systems. So instead of me calling you, I'm gonna call one of these services that you guys have listed here for every carrier, and there I entered the number, in this case the number of the victim, from the voicemail I want to interact to, and of course it allows you to access to the login prompt. Actually in Germany I found it interesting that you guys have it as a service, because in the US it's more a secret that I had to found using Google, but here basically if I dial your phone number, and when it comes to both the phone between the area code and the rest of the number, I put 55 for telecom 13, or for 0233, I directly go to the voicemail, you won't ring your phone, so I can use that. Who was aware of this that is from Germany? Okay, many of you, so that's what I thought, like here it's not really like something you guys care too much about. In the US this is actually used a lot for scammers, or to leave directly voicemail messages from spammers as well. So, voicemail cracker actually takes advantage of backdoor numbers, so it allows you to be undetected. I don't need to call you, I don't need to wait till you are offline, I can do that, and for example for the US, it's great because when I launch in that many calls, the line gets flooded even if you are offline, but when I use these backdoor voicemail systems, because they are meant to be used by everyone, those don't get flooded, so I literally make hundreds and hundreds of calls, and it never fails. So, but you know, like carrier, some of them add brute force protections, right, so that you can't actually launch brute forcing attacks, and I looked at the German carriers, and for example with a phone, I saw that it resets the six digit ping and sends it over SMS, so I guess I can flat your phone with text, but who cares, that's not a big deal, but I think it's actually a pretty effective measure against voicemail, against brute forcing. Telecom blocks the caller ID from accessing the mailbox, or even leaving messages. I tried, and after six times that it's wrong, every time I call it says hey, you can't do anything, and it tanks up, and for 02, it connects directly to the customer headline, someone started talking German, and my German is not that good. So, brute force, I wanted to be able to bypass this, right, and so if you look at Telecom, I mentioned that it blocks the caller ID, but it turns out that Twilio, you can actually buy caller IDs, well, you can buy phone numbers, right, and they are really cheap. So, it's very easy for me to do randomization of caller IDs for very, very cheap, and bypass Telecom's brute force protection. So, Voicemail Cracker also supports that, it supports caller ID randomization. So, let's make the first demo. So, as you can see here on the left is the victim's mobile device, and on the right is the tool, and in this case, I'm gonna use the brute force option. The brute force option allows me to basically brute force the ping. It makes hundreds, of course, as I explained, and you'll try to guess it, and there is a number of parameters, like the victim number, the carrier, the carrier is important because I put there a specific payloads for every single carrier because all the Voicemail systems are different, how you interact with them, and in this case, I'm using a backdoor number because it's more efficient, and then there is no detection, and in this case, I did the option of top ping. So, this is basically trying the top 20 pings according to the research for four digits. So, as you can see, it's trying actually three pings at a time, as I mentioned before, rather than one, so we have to do a third of the calls, right? And how do you think that I am detecting if the ping was correct or not? Any ideas? Okay, so the disconnect and hang up, that's what I heard, and that's exactly right. If you think about it, I can look at the call duration because when I try three pings and it hangs up, it's always the same call duration. For T-Mobile, in this case, it's like 18 seconds. So, I instruct Twilio to after dialing and putting the payload to interact with the Voicemail system, trying the pins to wait 10 extra seconds. So, all I gotta do, I don't need any sound processing to try to guess what the Voicemail voice is telling me if it's correct or not. I just use the call duration. So, if the call duration is 10 times longer, then I know that's the right pin because it locked in. So, as you can see, it found that one of those three is actually the correct one. In this case, it's 983. So, in order to give you the exact one, because at that time, it tried the three of them, now it's trying one by one. And it may look like it's taking longer than it should for only 20 pins, but remember, failing pings is very, very quick. It's just that because in the top 20, it found already the right ping, it takes longer than it should. And there you go, we got that it's a 983. Awesome. So, what is the impact really? Why am I here talking to you at CCC that has such amazing talks, right? And this is really the thing about this. No one cares about the voicemail. Probably if I ask here, who knows his own voicemail ping? Nice. That's what I was expecting. Probably less hands, even. So, some of them are lying. But that's the thing, right? We don't care about the voicemail. We don't even use it, which is the crazy thing here. We have an open door for the discussing an issue that we don't even know about or we don't even remember. So, many people is not familiar with the fact that you can recent passwords over phone call. We are familiar with the resetting passwords over email. You get a unique link, maybe over SMS. You get a code that you then have to enter in the UI, but a lot of people cannot receive SMS or that's what services claim. So, they allow you to provide that temporary code over a phone call. And that's exactly what we take advantage of because I ask you what happens if you don't pick up the phone? If basically I go to a service, enter your email or your phone number and reset a password, everyone can do that. Anyone can initiate the recent password process. And I know that you are not gonna pick up the phone. And I know that thanks to my tool, I got access to your voicemail system. So, basically the voicemail system will pick up the call and it will start recording. So, it will record the voice spelling out the code that I need to basically reset your account and get access to it. So, oops, let me press play here. Okay, so, what does the attack vector look like? You brute force the voicemail system using the tool, ideally using backdoor numbers. For that particular call that is the call that the victim will receive once you initiate the password reset, that one, it kind of goes through the backdoor number, right? Because it's gonna, PayPal is gonna directly call the victim. So, for that one, you need to make sure that the victim is not connected to a tower through all the methods that I showed before. You start the password reset process using the call me feature, you listen to the recorded message, secret code, and profit, you hijack that account. And voicemail cracker can do all that for you. Let's compromise what's up. So, on the left, you see my number, right? With a secret lover group, and a secret group, and all that stuff. On the right, notice that I'm not even using an actual device, it's an Android emulator that I installed the APK, and there is some sound to this. And you are gonna see, so again, on your left, it's the victim's number, on the right is an emulator of the attacker. So, you'll see that I'm gonna use my tool with the message payload, with the message option. So, in this case, what I'm doing is, I'm setting the victim's phone to airplane mode, simulating that it's now offline for some reason, and I detected that. So, if you see what's up, it sends you a text to actually register as WhatsApp group, right, as a WhatsApp user. But if you don't reply in a minute, it allows you, it gives you an option to call me, right? And that's exactly what I click. So now, what's up is basically calling the victim, which is again in airplane mode, because it went on a remote trip or on a plane. And so, I'm using voicemail cracker with the option message to automatically retrieve that newest message. So, the tool is gonna provide me, as you can see, the last option is the PIN, because I brute-forced it before. So, it's gonna give me a URL with the recording of the newest message, which hopefully, it's a recorded demo, hopefully contains actually the code. So, let's see, I got the URL. It's interacting with the voicemail system. Your graphic code is 365915. Your graphic code is 365915. And that's simple, we just hijacked the person's WhatsApp. And here, I'm fast-forwarding just to show you that you got a call back. Thank you. I do wanna point out that WhatsApp is super secure, like end-to-end encryption and all that, and there is a number of things that you can notice this attack. For example, you wouldn't be able to see the previous messages that were there, but you can just hold on, and as people write, the groups will pop up. So, you hijacked that WhatsApp account. There is also a fingerprinting, but who really pays attention to the fingerprinting when someone changes the device, right? So, are we done? Not yet, because the truth is, some researchers talked about this in the past, and actually, services try to slowly pick up. So, there is actually something that I found in several services that is what I call the user interaction-based protection. So, when you receive that phone call that provides you with the temporary code, in reality, it's not giving it away. You have to press a key. It comes in three different flavors from what I found from my test. Please press any key to hear the call, so when you get the call, you have to press, and then it will tell you the code. Please press a random key, so specifically, please press one, please press two, or please enter the code. PayPal does that. Instead of you having to press a key to hear the code, when you reset the password, you will see a four-digits code that you have to enter when you receive the call, and then it will reset the password. So, I'm gonna get the help from all of you guys. Can we be discurrently recommend the protection? What is nowadays recommended to prevent this kind of attacks? And we're gonna play a game. I'm gonna give you two hints. This is the first one. So, you probably guys are familiar with this, but kept in crunch. Again, we go back to the eighties. We can learn so much from them. Use this to generate specific sounds at a specific frequency to basically, you can go and read it to get free international calls, so we will create that sound and the system will process it on the line. And the second one is that I cheated. When we did the checklist, I actually skipped one, which was the greeting message is an attack vector. So, I ask you guys, how can we bypass the protection that requires user interaction in order to get the code recorded on the voicemail system? What was that? Exactly, record DTMF tones as the greeting message. We own the voicemail system so we can alter the greeting message. So, this is exactly how it works. We just alter the greeting message, record the DTMF tones that the system is expecting, and it works every single time. The best thing of this is what really is so awesome about all of us that really care about technology and we want to have a deep understanding because when I was asking people when I wanted to show them this, I was asking them, how does this protection really work? And they will say, well, you have to press a key and then it will give you the code. But that's not really true. What you have to do is to provide a specific sound that the system is expecting. That is different than saying you have to press a key because I have to press a key that requires physical access. If you say I have to provide a sound, now we know it doesn't require physical access. That is why hackers are so cool because we really want to understand what is happening backstage and we take advantage of that. So, how does the attack vector look like? Group force and voicemail systems are before. So, basically we have an extra step which is update the greeting message according to the account to be hacked and voicemail cracker can do this for you. Let's compromise PayPal. So, on the left side, you saw, you see that as before I brute force the ping of the voicemail. And in this case, on the right side, I'm gonna start the password research for that account. So, I do that. And I choose please call me with a temporary code. But in this case, PayPal works differently because it will show me a four digits code that I need to enter when I receive the call in order to reset the password. So, you see that here I'm using the greeting option. So, the greeting is gonna allow me to enter a payload that I want to record it as the greeting message. In this case, it's 6353. So, I made it very verbose for this demo. So, you see the last option is PayPal code. And I enter 6353. And now the tool is going to use the ping to log into the voicemail system, interact with it, change the greeting message, record the DTMF tones according to 6353, and then it should be able to fool the call. In this case, I'm asking to call again because it didn't have enough time to do that. And in three, two, one, we should get that we actually compromise PayPal's account. And there we go. We can now set our own password. Thank you. So, I showed you some vulnerable service. Let's go very quick about it because I'm concerned I'm running out of time. So, I'm just mentioning Alexa top 100 types of services. No favoring anything. But, so for password reset, that supports over phone called PayPal, Instagram. No, is that? No, Snapchat, Netflix, eBay, LinkedIn. I'm still on Facebook, what can I say? 2FA for all the major fours. So, 2FA over phone call for Apple, Google, Microsoft, Yahoo, verification. So, basically you don't register with the username and password on WhatsApp or Signal. You actually use directly the phone number, right? As we saw before and you register through a phone call or SMS. So, you can compromise these two. Twilio, the own service that I use for this is actually really cool because you can own a caller ID by verifying it by getting a phone call. So, I can actually own your caller ID and make calls on your behalf, send texts, and these all legitimately, right? Because you pressed one. And Google Voice is actually another interesting service because it's used a lot by scammers, right? And this is the same thing. You have to verify ownership so you can do those phone calls and you can fool it as well with this. But then I found, I was looking like, what other services really take advantage of this? And this is super common in San Francisco where I live. You can bus in people like when they wanna enter, right? They enter your house number and your phone rings and you press any key to open the door. So, we are talking about physical security now and I've seen this in offices as well. They all work this way. They basically, because they wanna be able for tenants that come and go, be able to switch that very quickly. So, it works just through the phone that you bus people in. But my favorite is consent. Because when we think about consent, we think about lawyers and we think about signing papers and we think about all these difficult things. And I found out about this location smart service that is not anymore there and you will see why. But this was recently in the news because basically, Brian Krebs wrote a really great article about it. But I'm gonna let you hear then their YouTube channel, how Location Smart works. The screen that you're showing, that you're seeing right now is a demo that we have on our website. It's at locationsmart.com, slice try. And I've entered my name, my email, my mobile phone number. And it's gonna, it's again going to get my permission by calling my phone and then it'll locate. So, let's go ahead and I click the box to say yes, I agree, click to locate. And the screen now shows that it's going to call my device to get my permission. That's a nice ringtone. No, it's not. Yes. So, as you see, this service, this website had a free demo. Had a free demo that allowed you to put a phone number, yours of course, and you will get a phone call and then you will give permission by pressing one so someone could locate you and keep tracking. I mean, I checked with them for up to 30 days real time. So now you know why they don't exist anymore. Open source, open source. So, and this was with the permission of the carriers. This is now some fishy thing. This was actually a service. So, I wanted to release code because I want you guys to verify that what I mentioned is true and have code to hopefully help push the industry forward to make voicemail systems more secure, right? We wanna push carriers to do so. But I didn't want it to provide a tool that works off the box and anyone can very easily, as we saw, like just start to brute force pins specially because I saw that there is so many people with the default pins out there. So, I just removed the brute forcing. So, the tool allows you to test it on your own. You can test, you know, you can test the greeting message, you can test the retrieving messages, compromising the services and all that. So, the tool allows you to test on your own device. I won't give you code to brute force on someone else's device. And feel free to go to my GitHub repo. So, now, like all the talks comes the recommendations. But I know what you guys are thinking, right? When someone comes with all this paranoia and stuff, you still think, yeah, but, you know, still like no one's gonna come after me. I don't have anything to hide or anything like that. So, I wanted to give you reasons why you should still care about this and why we need to do better. Because, do carriers set default pins? Yes, we saw that. It's testing for the default pins, cheap, fast, undetected, and automatable. Yes, it is. Is updating greeting the message automatable? Yes, it is. Is retrieving the newest message automatable? Yes, it is. Is there a speech to text description so that I can get the sound that I played before with the code and get it in text? Yeah, Twilio gives you that as well. So, can the account compromise process be automatable? Of course, you can use Selenium if you want to automate the UI or you can just use a web proxy and look at the APIs and do it yourself. So, it is only a matter of time that someone actually does all these steps that I show you step by step and just makes it all straight and starts to go over phone numbers, trying the default pins, and just automatically compromising services like WhatsApp, like PayPal, and all that. You can do basically not a worm, but you know, you can compromise a lot of devices without doing anything. Recommendations for online services. Don't use automated calls for security purposes. If not possible, detect answering machines and fail. I mean, this is not very accurate and you can still trick it, but require user interaction before providing the secrets. I just show you how to bypass that, but that's with the whole da-carriers-bang DTMF tones from the greeting message. I don't see why that should be supported, right? Recommendations for carriers, the most important thing, ban DTMF tones from the greeting message, eliminate backdoor mobile services, or at least give no access to the login prompt, right? There is no reason why I should be able to access your voicemail directly to leave a message, but then I can access the login prompt by pressing start. Voicemail disabled by default, this is very important and can only be activated from the actual phone or online, maybe with a special code. Oh, great, so I have time for questions. No default pins, learn from the German carriers, don't allow common pins, detect and prevent brute force attempts, don't process multiple pins at once. Recommendations for you, which is in the end very important here, disable the voicemail if you don't use it. I found out that some carriers, you're still through the backdoor voicemail numbers, you are able to activate it again, so it kinda sucks. So I guess use the longest possible random ping. Don't provide phone numbers to online services and lines required, or it's the only way to get to a fade, to a fade is more important. Use a virtual number to prevent us in like a Google voice number, so no one can learn about your phone number digits by resetting the password, or do same swapping, use 2FA apps only, and I always like to finish my talk with one slide that kinda summarizes everything. Automated phone calls are a common solution for password research, 2FA verification and other services. This can be compromised by leveraging all weaknesses in current technology to exploit the weakest link voicemail systems. Thank you so much. Thank you, Sharon. See, see, see. Thank you. Thank you, Martin. We have time for questions. So if you have any questions, or if someone in the internet has questions, just go to these microphones. Where is the microphone? You've got it. Yes, you wear black in the microphone too. So maybe you start and we take the question from the internet. Yes, I have a question. You mentioned that the phone needed to be offline. Would a call, like a simultaneous call to the phone that would be in what's called English, beset, like occupied? So let's say I already called the victim. So the caller gets, yeah, the line is occupied. It would then go to voicemail, wouldn't it? So that's a great question. I think the question is, if you are on a call and someone else calls you, so your attack will be I somehow make up a story to keep the person on the phone call while I launch other calls, that will work. I tried that, but the problem is usually two calls. I mean, that wouldn't be too big of a deal, I guess. But it supports two calls, right? It will warn you, oh, there is another incoming call. But I guess you could keep doing more. So that's what I meant partly with the call flooding. In the case where I tried was just launching all of them at the same time. And if the person picks up, I don't care. But it's someone related to what you mentioned and that's definitely possible. Okay, thank you. Yeah. Question from the internet, please. Don't ask where is the phone call start talking immediately. Would the new code be recorded then? If I understood the question correctly, is that when the voicemail picks up, like basically the automated system that spills out the code already started to talk. I believe that's the question. We don't know, it's from the internet. Oh, okay. So if that is the question, I found actually that because usually greeting messages last like 15 seconds. So by the time it starts recording, you already finished the recording that gives you the code. But you own the greeting message, so you make it as short as one second. And I never found a problem with that. You actually record the DTMF tones for like two seconds. Ladies first, so we take your question. You talked about how you learned all of that through reading it easy and how are they called and how do I find them? That's the best question I've ever heard in the search and applause. Seriously. I like that because you also wanna learn about it. So that's really fantastic. So the FRAC website is the best resource you can get. I guess everyone will agree here. So just look up Google for FRAC magazine and there is a lot, a lot of interesting stuff that we can learn there still today. Are there any others? Yeah, I mean, you can then follow the classic. I mean, I like Twitter to get my security news because it's very concise. So I kinda get like, you know, the 140 characters version if I'm interested, then I will read it. So I think you can Google for like top security people to follow, Brian Krabs is great. It depends also on your technical depth. There is different people for that. And if not just, you know, specialized blogs and magazines. All right, thanks. Thank you. And your question please. Hi, so for me, the solution is obvious. I just turned off my voicemail but thinking about some relatives which are maybe too lazy or don't really care and still used to factor out the indication. I was thinking about, could I easily adapt your script to automatically turn off voice boxes or generate random pins? You can automate it to turn off the ping. Like for example, on Vodafone, I don't know why it allows you to turn off the thing. To turn off the voicemail, I haven't tested that. I think you may have to call the IT department but you know what, it would be really great to do that. It would be really awesome, great question. I guess if you can turn it off, then you can turn it on as well, but yeah. Your question please. Did Twilio ban you or did they find out what you did? What did they do? I got some emails. I got some emails but they were really cool. I have to say that. I explained to them where I was coming from. I gave them my identity. I wasn't hiding anything. Actually, I had to pay quite some money because of all the calls that I was doing while I was doing the research. So I didn't hide my identity at all. So they did detect that I was doing many calls and stuff like that. So there is I guess at the high volumes, there is some detection, but Twilio is not the only services. So again, you can switch between services, space it out, change color IDs, a number of things. And one more question here. You talked about being undetected when making all these calls by going directly to these direct access numbers. Well in Germany it's very common that if someone calls your voicemail, you get an SMS text even if they don't leave a message. But I suspect there's some kind of undocumented API to actually turn that off through the menus. Have you looked into that? No, I haven't looked into that specifically. The question is that usually in Germany for the carriers, you get an SMS when you get a call. I wonder what the test that I did on the German carriers, I was getting a text if I was leaving a message, not if someone was calling there. I guess you are talking about a missed call kind of notification. I'm not sure about it. What I do want to point out is remember that you can do this while the person is offline maybe on a long trip. So you can time it. That will be a good probation I guess to just not launch it at any point in time, but you can just always time it and by the time the person gets a million texts it's too late. Thanks. Yeah. One more question over here please. Thank you. On Apple phones, can you activate with some carrier the what they call visual voicemail? Would that prevent your attack to work or? No, there is actually, I believe he was an Australian researcher that looked into the visual voicemail and he was able to find that in reality uses the IMAP if I remember correctly protocol and for some carriers, he was able to launch brute force attacks because the authentication wasn't with the same ping as you get when you dial in, but he found at least one carrier in Australia I believe that was vulnerable through the visual voicemail. And I checked for German carriers. I did that I actually follow the steps that he did to see if that was worth mentioning here. I didn't find it to be vulnerable, but that doesn't mean that that's not the case. Thank you. One more last question. I thank you for the talk. What is your recommendation to American carriers to protect themselves against this attack? I put a slide there like for me, I guess the most important is really look at what some German carriers are doing. I really like that the recent password is sensitive to you over SMS as soon as it detects that someone dialed, tried six times the wrong ping. I mean, if you have physical access to a locked device, you could claim that if someone has the preview turned on on the device, you can still see the ping when you get it, but then it wouldn't be like a remote attack anymore. So definitely detect brute force and shut down. I mean, we know that with the color ID is not working so well for telecom because I was able to bypass it, but I know that because I did some tests with HLR records that you can actually tell the type of device as it is, if it's a virtual number. So if carriers could actually look at the type of phone that is trying to call in, if it's a virtual number, you know, red flag, if it's not, I don't think someone's gonna have, I guess a government could like, you know, have 3,333 devices because you try one ping for the 10,000 key space, you know, you try three pins at a time and just have 3,333 SIM cards and so it will come from real devices, but then at least it will quite significantly mitigate it. And then like, again, like if you ban the TMF tones from the greeting message, that will help as well. Thank you, Martin. I've never provided any telephone number to any platform and now thanks to you, I know why. One plus for Martin Weigel, please. Thank you.