Voicemail security is hardly top-of-mind. Most cybersecurity efforts are concentrated on desktop and server management, network and firewall protection, email encryption and so on. So, it might be surprising to learn that your simple voicemail could be used by cybercriminals to compromise your online accounts.
The Voicemail Threat
The potential danger of voicemail hacking has been brought to the forefront by Martin Vigo, a security expert who recently spoke at the annual DEF CON convention in Las Vegas. According to Vigo, breaking into a voicemail is often relatively simple due to lax safeguards, and the lack of technical innovation. In fact, during his presentation Martin Vigo showed how he hacked into a voicemail server in under two minutes with brute force (we described brute force in an earlier blog post about data encryption hacking techniques).
Why was it so easy? Because most organizations don’t think much about voicemail security. As reported in Lifewire Magazine, most people don’t even bother changing their default voicemail password. Even those who change the password are restricted: many voicemail passwords are only four digits long and so can be broken quickly with just a modem, a computer and a scripted auto dialer program.
So why should I care?
A hacker breaks into your voicemail and … so what? Who uses their voicemail very often anyway? In his DEF CON talk, Martin Vigo pointed out that many websites offer a password reset code via text, email or phone call. If you miss the phone call, the automated reset code will be left on your voicemail. All a hacker needs to do is request a password reset via phone, hack into your voicemail and listen to the message, then change your Internet site password and take control of your account.
Some companies are aware of this issue and have attempted to thwart this scheme. With PayPal, for example, users can reset passwords with a phone call but at the same time a four-digit code must be manually typed into the keypad during the call. This means an attacker can’t simply listen to a voicemail and gain access.
But Vigo demonstrated a workaround to this problem during his Vegas presentation. As reported by the Guardian, he simply set the voicemail’s greeting message to mimic a recording of the keypad tones needed, which tricked PayPal’s system into thinking it reached a real person. “We just compromised PayPal,” Vigo announced to the cheers of the audience.
Vigo pointed out that he has reported these vulnerabilities to many affected companies, although to lackluster response. PayPal, Instagram, Netflix, eBay, LinkedIn WhatsApp, Signal, Twilio, and Google Voice were all sites Vigo said were vulnerable to his simple attack.
(Martin Vigo has written a post about his voicemail security findings, Compromising online accounts by cracking voicemail systems)
Calling China, or Iceland, Or …
Voicemail hacking is used for more than password stealing. The Federal Communications Commission (FCC) warns that hackers can make long international phone calls by hacking into voicemail systems. They can then use the phone number for long distance phone calls, such as by changing the message to accept collect calls (for example, changing the recording to something such as “Yes, operator. I will accept the charges.”) or by using the forwarding call feature. The FCC also warns:
• Hackers more often break into business voicemails during holiday periods or weekends, when changes to messages are less likely to be noticed
• Victims may not find out about the hack until they receive an unusually high phone bill
Those bills can be significant. A few years ago, a real estate agent in St. Louis received a bill for around $600,000 after a voicemail hack.
How To Improve Your Voicemail Security
Here a few suggestions on how to protect yourself from voicemail vulnerabilities, including:
• Always change default passwords and, when choosing a new password, require one of six characters are more. Make sure employees change their voicemail passwords frequently.
• Have employees check their recorded greetings on a regular basis to make sure they have not been changed.
• Don’t provide your phone number to online services unless it is for two-factor authorization.
• If your business does not need to place international calls, consider disabling international calling capability completely.
Keeping Voicemail and Systems Safe
Your data and Internet security, as well as your voicemail security, are not things you can afford to take lightly, and a partner like DYOPATH can help bring you peace of mind with a thorough review of your practices and vulnerabilities. DYOPATH not only offers comprehensive cybersecurity resources and guidance, but personal training for your staff so they are aware of the precautions they need to take to safeguard your system. After all, it could just take one lazily set password to put your entire network in peril. We can establish procedures and protocols, install and maintain the software and hardware you need to guard against most attacks, and help you get back on your feet if your security is breeched. Check out our DYOPATH Security offerings and see how we can help you get smart and stay safe.