AT&T And T-Mobile Pay Up For Not Being Truthful About Voicemail Hackability

from the caller-id-spoofing dept

Many mobile phones' voicemail systems have worked by checking the caller ID of the incoming call: if it matched the number of the voicemail box, the system would automatically push the caller through to the admin interface. The idea was that if the owner of the box was calling, he or she shouldn't have to put in the passcode to get to the messages. The only problem with this was that anyone who could spoof your caller ID could access your voicemail. After a few such high-profile voicemail attacks, many mobile operators urged customers to change their voicemail preferences to require a passcode, no matter what. Still, there were some operations out there, under names like SpoofCard, Love Detect and Liar Card, that would spoof a caller ID to get access to a voicemail box. The company behind them has been fined, but what may be more interesting is that T-Mobile and AT&T were also both fined for apparently being misleading about their susceptibility to the hack.

That seems a bit strange, and the article is woefully short on details, unfortunately. Pretty much anything is hackable given certain circumstances, and it always seems a bit odd to totally blame a hacking victim for being hacked. So it would be good to know why T-Mobile and AT&T, in particular, were fined in this case. Did they not even allow passcodes to be enabled for those who wanted to avoid this potential hack?
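To make the caller-ID check described above concrete, here is an added sketch (not from the original post and not any carrier's actual code) of the mailbox access decision, with the legacy "skip the passcode when the caller ID matches" rule beside a version that always requires the passcode, plus an audit for mailboxes still on the legacy setting. All names, the sample number and passcode, and the lockout threshold are assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

MAX_FAILURES = 3  # assumed lockout threshold, not from the article

def hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

@dataclass
class Mailbox:
    number: str
    salt: bytes
    pin_hash: bytes
    skip_pin_on_cid_match: bool = True  # the legacy behaviour described above
    failures: int = 0

@dataclass
class Call:
    presented_cid: str          # supplied by the calling side, unauthenticated
    pin: Optional[str] = None   # passcode keyed in by the caller, if any

def pin_ok(box: Mailbox, pin: Optional[str]) -> bool:
    # Refuse when locked out or when no passcode was entered at all.
    if box.failures >= MAX_FAILURES or pin is None:
        return False
    good = hmac.compare_digest(hash_pin(pin, box.salt), box.pin_hash)
    box.failures = 0 if good else box.failures + 1
    return good

def legacy_access(box: Mailbox, call: Call) -> bool:
    # Treats the presented caller ID as proof that the owner is calling.
    if box.skip_pin_on_cid_match and call.presented_cid == box.number:
        return True
    return pin_ok(box, call.pin)

def hardened_access(box: Mailbox, call: Call) -> bool:
    # Caller ID only selects the mailbox; the passcode is always required.
    return pin_ok(box, call.pin)

def audit(boxes) -> list:
    """Numbers of mailboxes that still skip the passcode on a caller-ID match."""
    return [b.number for b in boxes if b.skip_pin_on_cid_match]

if __name__ == "__main__":
    salt = b"constructed-salt"  # constructed sample data
    box = Mailbox("5550100", salt, hash_pin("482913", salt))
    spoofed = Call(presented_cid="5550100")  # matching caller ID, no passcode
    print(legacy_access(box, spoofed), hardened_access(box, spoofed))
    print(audit([box]))
```
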


Reader Comments

  1.  
    Brad, Dec 16th, 2008 @ 12:23am

    Maybe it's the sim cards?

    Since both AT&T and T-Mobile are SIM-based operators, I wouldn't be surprised if they were more (or exclusively) susceptible to these sorts of attacks. Verizon and Sprint both authenticate all kinds of information (possibly including identity for voicemail) based on the phone's ESN. It's possible that it's much more difficult to spoof an ESN, or even get your hands on it.

    This is also why stolen Sprint / Verizon phones have little to no value on the black market, where ATT phones fetch a nice premium. Slip in a SIM card and you're free to go, no matter who the device came from. Verizon / Sprint track phones based on ESN and owner, so you can't activate a phone that's been reported stolen.

     

  2.  
    ooer, Dec 16th, 2008 @ 2:21am

    misleading about their susceptibility to the hack

    Microsoft next, then Google, then xxxx, etc...

    Nice precedent to set...

     

  3.  
    OneDisciple, Dec 16th, 2008 @ 3:29am

    Re: Maybe it's the sim cards?

    I could be wrong, but I am going to say it anyway. I believe that AT&T and T-Mobile both use the ESN for the same purposes. The problem is that customers do not report the ESN as belonging to them, so when their phone is stolen it cannot be tracked. However, if as the customer you follow the rules of your agreement with said company and register the ESN, it can be tracked.

     

  4.  
    Jeff, Dec 16th, 2008 @ 4:14am

    Re: Re: Maybe it's the sim cards?

    (addressing the theft/esn issue and i dunno what this has to do with anything, but here we go) and there's also the fact that these companies don't tell their customers what to do when they sell their old mobiles on ebay or craigslist. they just tell them not to sell them and expect people to be out the cost of the old phone when they buy a new one. they aren't told about how to clear the esn and other information off of the phone before they sell it EVEN WHEN THEY REGISTER A NEW MOBILE ON THEIR ACCOUNTS. i bought a sprint blackberry on craigslist once...i could have just continued using the phone exactly as it was and have all of the use billed to the previous owner. it had their full address/phone book still on it, tons of personal information, a few hundred texts containing personal info on people other than the seller...granted, sprint is unlike other providers in that their customer service is a pile of smelly elephant assholes and it's all operated by people who barely speak english and simply use a piece of software to tell them exactly how to interact with customers...but...c'mon.

     

  5.  
    AJ, Dec 16th, 2008 @ 4:37am

    Ever notice...

    Ever notice how AT*Ts logo looks like the Death Star from Star Wars? No coincidence there, now is there?

     

  6.  
    Nate, Dec 16th, 2008 @ 5:10am

    Re: Maybe it's the sim cards?

    Nah, it's really easy to pull a phone's IMEI. On any handset, just type *#06# for instance, and it'll cough it up. You don't even need to pop the battery out to look for it. I don't think it would be a good idea to authenticate based on this number.

     

  7.  
    Stephen, Dec 16th, 2008 @ 5:53am

    odd

    I've been a T-Mobile customer for a good while now and it's always asked me to enter a 6 digit pass code to check my voicemail.

     

  8.  
    Jasen (profile), Dec 16th, 2008 @ 7:41am

    Re: odd

    Once upon a time, the default on T-mobile was no passcode, although you could set one if you chose to. Now, T-mobile makes you set a passcode, with the option to not have one if you choose.

    It's kinda like when Microsoft included a firewall in Windows XP but left it off by default, then turned around and made it on by default in SP2.

    I have been using T-mobile for a few years now. I like not having a passcode set. I have no interesting voicemails, so I'm not worried about someone hacking them. LOL

     

  9.  
    nasch, Dec 16th, 2008 @ 8:17am

    Re: Re: Maybe it's the sim cards?

    How easy is it to get another phone to report that as its own number?

     

  10.  
    JD, Dec 16th, 2008 @ 6:11pm

    Re: Re: Re: Maybe it's the sim cards?

    My Linksys VoIP box can set CallerID to whatever I want. I guess this should work.

     

  11.  
    Steevo, Dec 17th, 2008 @ 11:33pm

    The real problem is the CID is insecure

    The real problem is the CID is insecure and can be spoofed. That's the only problem and the problem that needs fixing.

    The telcos made an insecure system and they should be prohibited from delivering calling party data that is not correct. If there were a fine for delivering false Caller ID data they would have to either secure those systems or stop selling Caller ID at all. Either solution would be appropriate.

     

  12.  
    billybob., Dec 25th, 2008 @ 10:43pm

    Re: Re: Maybe it's the sim cards?

    I work for at&t in sales, and I don't think this is the case. As far as I know, there is no way to remotely kill a stolen phone, aside from using special executive work programs like Good. It's best to contact ATT as soon as possible after your phone is stolen and have them put a hold on the account, killing the SIM card.

     

  13.  
    scc4fun, Jan 5th, 2009 @ 8:52am

    Cingular/ATT statement

    I'm late to the comment party for this story, but here goes:
    I remember reading a statement from Cingular/AT&T that their voicemail always required a passcode--which was totally incorrect as, at that time and now, I was able to get into my voicemail without entering a passcode.

     
