Let's get it started! Martin Vigo! Give it a big hand! Let's go! Hello, thanks everyone for coming to this talk. It was supposed to be a 45-minute talk, but I only get 20. I'm gonna go super, super fast because I really want to cover the entire content. So my name is Martin Vigo. I work as a product security lead. I'm from Galicia, Spain. We've got the best seafood in the world, and you don't believe me? Come over there to try it. I like research. I like scuba, and I don't like whiskey, I like gin tonics. In case you want to ask questions later, you know how to draw my attention. So let's talk about history. So we're going to talk about voicemail systems. I like to move, and they don't have a wireless thing. About voicemail systems, how to compromise them, right? And the first thing when you do research is you look at prior art. And in this case, it was really cool because I just went back to the 80s when voicemail systems became popular, and I started to read articles and zines from the first hackers and phreakers. It was really, really good. So I condensed everything that I learned into five quotes from five different zines. So here we can see that it says you can just enter all two-digit combinations until you get the right one. A more sophisticated and fast way to do this is to take advantage of the fact that such machines typically do not read two numbers at a time and discard them, but just look for the correct sequence. Actually, in this one, in "Hacking AT&T Answering Machines Quick and Dirty", we can see the actual sequence that you can enter, and it would actually cover the entire two-digit PIN key space, because if you enter one, two, three, four, it will actually parse two, three as well to check if it's the correct PIN. In a tutorial for Aspen voicemail systems, what we learned is that there was actually a default password, and there were actually common patterns that people use as PINs. 
And in the last one, what we learned is that there is also the old "change the message" trick to make it say something to the effect of "this line accepts all toll charges", so you can bill third-party calls to that number. What that means is you will basically record as the greeting message "yes, I accept", and then from a penitentiary, you will get basically free calls. So voicemail security in the 80s, we can sum up as: there were default passwords, common passwords, brute-forceable passwords, efficient ways to brute-force the passwords, and the greeting message was an attack vector. How about we play checklist? Fast forward to today, voicemail security today, let's do a checklist. Default passwords, check: according to the public documentation of the four major carriers of the United States on their websites, AT&T is three, six ones, T-Mobile the last four digits of the phone number, Sprint is the last seven, Verizon is the last four. Common passwords: according to a fantastic piece of research from 2012, from DataGenetics, there are a number of conclusions that they got to, but basically some of the important ones were that you have a 22% chance of guessing a four-digit PIN by just trying the top 20 PINs of the 10,000 that are possible. So that means that for one in every four victims that you try, by just trying 20 PINs, you will actually get the right one. Other conclusions include that most of the PINs start with one nine, and that's because people tend to use their birth year as a PIN number. Brute-forceable passwords: AT&T, T-Mobile, Sprint, Verizon, they all allow four-digit PIN codes. Efficient brute-forcing: it actually allows you to enter three PINs at a time by using the pound to concatenate them, which is kind of like a return in a voicemail system, and you don't even have to wait for the prompt or error messages if the PIN was wrong. 
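The checklist above maps directly onto controls a voicemail login prompt can enforce. The following is an added example, not code from the talk or from the speaker's tool: a hypothetical server-side PIN policy that rejects the phone-number-suffix defaults, birth-year and sequential patterns, and a login handler that reads exactly one pound-terminated PIN per attempt and locks the mailbox after repeated failures. Phone numbers, PINs and the short deny-list are constructed sample values.

```python
import hmac
import re
from collections import defaultdict

MIN_PIN_LENGTH = 6   # floor for acceptable PIN length; 4 digits is too small a key space
MAX_FAILURES = 5     # consecutive wrong PINs before the mailbox locks
# constructed short deny-list; a real one would hold the top entries from PIN-frequency research
COMMON_PINS = {"123456", "111111", "000000", "121212", "123123", "112233"}


def is_weak_pin(pin, phone_number):
    """True if the PIN is one an attacker would try first."""
    digits = re.sub(r"\D", "", phone_number)
    if not pin.isdigit() or len(pin) < MIN_PIN_LENGTH:
        return True
    if pin in digits:                               # carrier-style default: a tail of the phone number
        return True
    if pin in COMMON_PINS or len(set(pin)) == 1:    # deny-list, or 777777-style repeats
        return True
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    if steps in ({1}, {-1}):                        # 123456 / 654321 runs
        return True
    if re.match(r"(19|20)\d\d", pin):               # birth-year prefix, the most common pattern
        return True
    return False


class VoicemailLogin:
    """Login prompt that evaluates exactly one PIN per attempt and locks on abuse."""

    def __init__(self, mailbox_pins):
        self.pins = mailbox_pins                    # {phone_number: pin}; constructed sample data
        self.failures = defaultdict(int)

    def attempt(self, phone_number, keypad_input):
        """keypad_input is the raw keypad string; '#' terminates the PIN."""
        if self.failures[phone_number] >= MAX_FAILURES:
            return "locked"
        pin, _, rest = keypad_input.partition("#")
        # Anything after the first '#' is never parsed as further guesses; packing
        # several PINs into one call is treated as abuse and costs a failed attempt.
        expected = self.pins.get(phone_number, "")
        if rest or not hmac.compare_digest(pin, expected):
            self.failures[phone_number] += 1
            return "denied"
        self.failures[phone_number] = 0
        return "ok"
```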
So with all this in mind that I learned from the amazing hackers from the 80s and my tests today on the voicemail systems, I decided that I should write a tool that actually takes advantage of that and allows you to brute-force voicemails fast, cheap, easy, efficiently, and undetected. So let's look at how fast. I use Twilio, which is basically a voice service that allows you to programmatically make phone calls, to make hundreds of calls to the victim and to try different PINs. It's cheap. The entire four-digit key space for less than 40 bucks, or if you want to have a 50% chance of actually guessing the correct PIN in a four-digit one, it costs you less than five. But we can take a different approach. Why don't we try the default PINs that we mentioned before on a thousand different numbers? Remember, the phone number is actually the PIN code. So that costs you 13 bucks. It's easy. It's fully automated. You pretty much provide the victim's phone number and some other parameters, and that's it. I already configured the specific payloads for the carriers. And it's efficient. It optimizes brute-forcing, tries three PINs at a time, and it uses the existing research from DataGenetics to favor the ones that are more common, to favor the ones of birth years, and stuff like that. But the most important thing is detection, because if you think about it, if I, as an attacker, want to interact with your voicemail, I need to call you, because only if you don't pick up can I interact with your voicemail. So that really sucks, because I need to detect when your phone is offline. So what are the ways that I can go straight to your voicemail with my tool? When I started to look into this, one of the things that I tried was to do several calls at the same time to kind of flood the line, and it will work and go straight to the voicemail. It's actually kind of how Slydial works, which is a service for scammers and marketers to basically go directly to your voicemail. 
You can call when the phone is online, and you can use OSINT techniques for finding out when someone has the phone offline. Everyone likes to tweet when they take the plane. Who goes to Burning Man in two weeks? Yeah, and you better, guys, stay till the end of the talk. You have the Home Location Register, which is a global database that you can query if you pay a little bit of money. But among other things, what it provides you is actually whether the phone is connected to a tower. I tried it. It's not very reliable, not very real time. So I had to find a way that was really good in order to go straight to your voicemail. And that's when I found the concept of backdoor voicemail numbers. So it turns out that carriers think it's a good idea to have a system that you can dial in, put the number you want to leave a message to, and then you leave the message. So I don't have to call you. I call that service and provide your phone number. But you know, when you press star, you access the login prompt. And so that's actually what the tool uses in order to not have to have your phone offline and be able to brute-force passwords. So now Voicemailcracker is undetected because I'm not even calling your phone. But the thing is, it doesn't have only that advantage. It turns out that during my tests, when I was calling directly to the victim, every fourth or fifth call would fail because it can only take that many calls. And the tool retries again. But when I tried with backdoor voicemail numbers, because they are meant to be used by everyone, what happens is literally hundreds of calls and it never, never failed. Let's do the first demo. And in this demo, what I want to do is basically show you how the tool works. So what you see on the left is the victim's number. And I'm trying to see where to make this. So it's the victim's number. And on the right, you see the tool. And in this case, I'm using the brute-force option. 
And as you can see, I provide the victim number, the type of carrier, because it has specific payloads, and the caller ID, which actually Twilio provides to you. And then I use the option of backdoor number, right? So it doesn't call the victim. And if you see, the last option is top PINs. So I'm trying, based on the prior research, the top 20 most common PINs. Of course, the PIN is 1983. That's the DEF CON theme. So what it's doing now, it's making those calls. I mean, it can do hundreds of them. But for demo purposes, I wanted to make just the top 20 and just try those PINs, interacting with the voicemail. So because it tries three at a time, you will find that first it will tell you that possibly one of those three is the PIN. And then it will try those PINs individually just to find out which is the right one. And I wanted to fast forward this demo. I will do the other two that I have. But I wanted to give you the feeling of how long it takes. And the truth is, it feels that it takes too long for just 20 PINs. But think about how, in reality, I find out if the PIN is correct. People thought that I use sound processing just to figure out if it errors out. But I'm very lazy, so I do it much better. What I do is the call duration. If you enter three PINs wrong, the call will hang up. So that gives me actually a pattern of the duration of the call. So with Twilio, I instructed it to actually wait 10 extra seconds. So all I got to do is wait for the thing to log in. If the PIN is correct, it will wait 10 extra seconds. So because of the duration of the call, I know that that PIN is correct. So that's what it's doing right now. That's why it takes a little longer. Obviously, when you don't have the right PIN, it will be much faster. And in 3, 2, 1, it should tell us that the PIN is 1983. I should have made the demo shorter. There we go. Cool. So we see now. Thank you. Okay. All right. 
So we saw that we have a tool that we can use for thousands of calls, very cheap and all that. But what's the impact? Why am I sitting here with this? Who cares about voicemails, right? Anyway, all the messages you guys probably have are from marketers and scammers. So why am I here? Well, the truth is, there is much more to it, right? A lot of people don't realize that you can reset passwords, do 2FA or verification over automated phone calls. So my question to you is, what happens if I have your email, go and start the password reset over phone call so that it sends you that code that it usually sends you over SMS, and you don't pick up? The voicemail will pick up and will start recording. So now that I can compromise your voicemail, all I have to do is to initiate password resets and I will be able to listen to how the recording spills out the code. So the attack vector looks like this: the first thing you got to do is brute-force the voicemail system, ideally using backdoors, as I mentioned. Then for this one, you need to ensure that the phone is offline. And the reason is because when I do the password reset, PayPal will call the victim, not the backdoor number. But it's only for this single call and you can use OSINT or call flooding or whatever you want. You start the password reset process, you listen to the recorded message and you got it. And the tool can do all of this for you automatically. Let's compromise WhatsApp. So what you have on the left is the victim's number, is the victim's phone. And what you have on the right, I actually did it with a simulator. It's not even actually a phone. I downloaded the APK and put it in Android in the emulator. So I opened the app and it tells me, hey, do you want to register? Well, no one has a username in WhatsApp, right? You do that with your phone number. So I entered the victim's phone number. And so what it's going to do is send a text to the victim. 
So you are going to see on the victim's phone that I'm going to put it in airplane mode. And that's to simulate that the victim is offline because WhatsApp is obviously going to try to call it. But in the case specifically of WhatsApp, the first thing it does is to send the text. So I'm not interested in that. So I'm going to fast forward here because it basically waits a minute and gives you the option to call. And so as you can see, I press now the "call me". So now WhatsApp is just basically calling the victim who is offline, so the voicemail will pick up. And now what I'm doing is I'm using my tool with the option of message. And message basically interacts with the voicemail system to retrieve the newest message. So you don't even have to do it. It's automatic. And you see that because I brute-forced the PIN before, now I provide it as an option so it can log in, this option that we have here. And so here it's fast forwarding. It's basically interacting with the voicemail. It's retrieving it and it will give you a URL. And all you've got to do is put that in a browser and you get an audio file. We have audio now. So I'm loading that. It gives you an audio file and it should be the newest message that the victim has. Now it's interacting with the voicemail system. And that's it. So now I'm going to take the victim out of airplane mode and that's all it takes. And I want to mention that WhatsApp has really, really strong security. So I'm not claiming, I mean, there are things like you won't be able to see the previous groups, but you can hold until someone writes and then you will be able to interact. And there is also the fingerprinting and all that stuff. But this is a big problem because you literally hijack that person's WhatsApp. So let's go back to the slides. Okay. Got to go really fast. Are we done? Not yet, because it turns out that some people know this. And so what they did and what is recommended is to provide user-interaction-based protection. 
What does that mean? So the automated call will not just spill the code, but it will say, please press any key, or press a random key, or please enter the code. It will show you in the UI, PayPal does this. It will show you in the UI a code and you will have to enter it in the keypad when you receive the call. So can we beat this recommended protection? This is what is recommended today when you read the articles. And we're going to play a game. We're going to guess it together. And I give you the first hint. Everyone probably knows what this is. So this generates some really nice DTMF kind of tones that were used by John Draper for doing good stuff in the 80s. And this is the second one. I actually cheated when I looked at the checklist, right? I told you we're going to cover them all, but we didn't cover the greeting message. Something we learned from the 80s is that it's actually an attack vector. So when people, this is why it's so important for you hackers, you guys are amazing, because we want to understand how the system works, right? If you ask someone to explain to you this user interaction protection, they will tell you, oh, you have to press a key. No. The system is waiting to hear a specific frequency, a specific DTMF tone. Not that you physically press a key, and that's the thing. So what we can do is we can record DTMF tones that represent the code that the automated call is expecting. That's the greeting message. And it works every single time. Attack vector, exactly the same. We just add now as a second step that you update the greeting message with the DTMF tones. And again, the tool will do all this automatically for you. Let's compromise. Okay. You see on the left that I brute-forced the PIN. On the right, you see that I need the email. So I will just start the password reset. And in this case, it will actually show me a code that I'm supposed to enter when I receive the phone call, right? 
I'm just basically picking here that I want to reset the password over automated phone call. And as you can see on the left, I'm going to use the option of greeting. And this is what allows you to change the greeting message. And I made it very verbose in this case for the demo. So you see the last parameter is PayPal code. So all I have to do is to put the 6353 there. And the tool will interact with the voicemail, change the greeting message, put the DTMF tones that represent 6353. And if everything works, I mean, the demo is recorded, then we should see that we actually compromise PayPal. So actually PayPal is already making the call, but I don't care because it takes a little bit to change the greeting message. So just click "call me" again, right? So we fast forward a little bit. I got five minutes. Okay, I can do this. And in three, two, one, boom, there it is. We just compromised PayPal. Thank you. Okay, very quick. What services are affected? I'm going to run over this. This is a small subset, Alexa top 100, not favoring anything, but password reset for PayPal, Instagram, Netflix, eBay, LinkedIn; 2FA, the big four, Apple, Google, Microsoft, Yahoo; verification, WhatsApp, Signal. Twilio is a good one because Twilio allows you to verify a caller ID. So I can literally own your caller ID and make calls on behalf of you. Google Voice is used for scamming, but you need to tie it to a real phone number. So I can get unlimited virtual phone numbers by just verifying someone else's phone. But the best one is consent. When we think about consent, we think about lawyers, about signing papers. It turns out that LocationSmart, which was in the news four months ago, I think, because Brian Krebs wrote an amazing article about it, is basically a service that has agreements with the carriers to be able to track you 24/7 if you provide consent by pressing one. Open source. 
So the truth is, I obviously did responsible disclosure and carriers are slow to catch up. Some of them didn't answer. I also talked to the services. So releasing this tool would only be a script-kiddie tool, but at the same time, I don't want to claim stuff here that you can't verify. So basically what I do is release voicemailautomator instead. So I'm going to publish this code on Monday because on the weekend I'm going to celebrate. So basically I removed the brute-forcing. Why? Because this way, I didn't give you code to compromise anyone's voicemail number, but you will be able to try on your voicemail number what I'm claiming here. And you can go to the GitHub repo. Recommendations. Very quick. For online services, don't use automated calls for security purposes, nor SMS. Feel free to check out a BSides talk I gave that is kind of related to this, but for SMS. If not possible, well, detecting the answering machine is tough, but require user interaction. I just showed you how to bypass that, but that is with the carriers listening, and ban DTMF tones from the greeting message. This is the most important slide for carriers out there: ban DTMF tones from the greeting message, eliminate backdoor voicemail systems or at least do not allow access to the login prompt by just pressing star. Voicemail should be disabled by default and can only be activated from the phone itself. I was able to activate voicemail for phone numbers, for the victim, never the victim, the person that allowed me to test it. I was able to set the password for them. No default PIN, don't allow common PINs, detect abuse. Is this being recorded? It's too late now. Don't allow brute-force attempts and don't allow multiple PINs at once. I got two minutes. Recommendations for you guys: disable voicemail or at least use the longest possible PIN. 
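The carrier-side recommendation to ban DTMF tones from the greeting message can be enforced at upload time. This is an added example, not code from the talk or from the speaker's tools: a pure-Python Goertzel-based DTMF detector that scans a greeting for tone pairs and a hypothetical greeting_is_allowed policy check built on it. It assumes 8 kHz mono float samples (a real deployment would decode the uploaded recording into that form first); the speech-like segment and the embedded "6353" tones are synthesised here, not a real recording.

```python
import math

SAMPLE_RATE = 8000               # telephony audio: 8 kHz mono
FRAME = 320                      # 40 ms analysis window
LOW = (697, 770, 852, 941)       # DTMF row frequencies (Hz)
HIGH = (1209, 1336, 1477, 1633)  # DTMF column frequencies (Hz)
KEYS = ["123A", "456B", "789C", "*0#D"]

def goertzel_power(frame, freq):
    """Squared magnitude of a Goertzel filter tuned to freq, over one frame."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / SAMPLE_RATE)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def dtmf_digit(frame):
    """Key a frame carries, or None for speech, silence or a single tone. A clean
    pair puts ~half the normalised power in one row bin and ~half in one column bin."""
    energy = sum(x * x for x in frame)
    if energy < 1e-9:
        return None
    n = len(frame)
    def ranked(freqs):  # (normalised power, index) for best and runner-up bin
        scores = sorted((2.0 * goertzel_power(frame, f) / (n * energy), i)
                        for i, f in enumerate(freqs))
        return scores[-1], scores[-2]
    (pl, row), (pl2, _) = ranked(LOW)
    (ph, col), (ph2, _) = ranked(HIGH)
    if pl < 0.2 or ph < 0.2 or pl + ph < 0.6:   # both tones present and dominant
        return None
    if pl < 4 * pl2 or ph < 4 * ph2:            # each tone dominates its own group
        return None
    return KEYS[row][col]

def extract_dtmf(samples):
    """Digits found in a recording, in order; silence separates repeated keys."""
    digits, last = [], None
    for start in range(0, len(samples) - FRAME + 1, FRAME):
        d = dtmf_digit(samples[start:start + FRAME])
        if d is not None and d != last:
            digits.append(d)
        last = d
    return "".join(digits)

def greeting_is_allowed(samples):
    """Carrier-side policy: reject any greeting that carries DTMF digits."""
    return extract_dtmf(samples) == ""

# --- constructed test audio (synthetic, not a real greeting recording) ----
def tone(freqs, seconds, amp=0.5):
    return [sum(amp * math.sin(2 * math.pi * f * t / SAMPLE_RATE) for f in freqs)
            for t in range(int(seconds * SAMPLE_RATE))]

def dtmf(key, seconds=0.1, gap=0.05):
    row = next(r for r, keys in enumerate(KEYS) if key in keys)
    return tone((LOW[row], HIGH[KEYS[row].index(key)]), seconds) + tone((), gap)

SPEECH_LIKE = tone((200, 400, 600), 0.3, amp=0.3)  # stand-in for "yes, I accept"
MALICIOUS_GREETING = SPEECH_LIKE + [s for k in "6353" for s in dtmf(k)]
```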
Don't provide the phone number unless obviously it's the only way to get 2FA, but you can use a virtual number, because you get rid of things like OSINT to figure out your phone or like SIM swapping, and when you use 2FA, try to use apps. I always like to put a slide just to kind of do a TL;DR, because someone arrived late or whatever, that says automated phone calls are a common solution for password reset, 2FA and verification services and consent. This can be compromised by leveraging old weaknesses in current technology to exploit the weakest link: voicemail systems. Thank you so much for attending.