This was a PBL case study in my pgcert cybersecurity course. The problem was outlined in this news article. Essentially at one point mobile providers were using a pre-set voicemail PIN or generating one from a known formula that could be inferred based upon data points such as characteristics of the customer. This would make it a trivial matter to guess a voicemail PIN and access a subscriber’s confidential information.
Risks and likelihood of attack
The risk increases proportional to the openness of the voicemail; off-line is greater since that exposes attacks from anyone on the same carrier network, off-network is greatest since that exposes attacks from anyone on any network. Also impacting risk would be the predictability or ‘guessability’ of the PIN and the value of the target phone (a politician or celebrity would be high-value, thus likely to attract more determined attackers). Regardless, the likelihood of an attack is high, especially where off-network access is enabled with predictable PINs, since numbers could be robocalled en masse to determine which have accessible mailboxes.
Risk may be perceived as low if only access to existing voicemail messages is considered (we don’t generally share vast amounts of private information in voicemails and often delete them after being played), however it could be astronomically high. Consider a CEO that has their phone listed as a recovery method on their Office365 account; the attacker waits until the middle of the night when the phone is likely on silent and diverted to voicemail and executes a password reset. They select phone number as a confirmation method, a call rather than an SMS and pre-load the DTMF tone into the voicemail greeting to accept the message and prompt a response. The attacker would then be able to pick up the recorded message and proceed with the password reset, or alternatively use the voicemail to get around an MFA prompt.
Everything in security is a sliding scale between safety and convenience; something really safe is hard to make convenient and something convenient isn’t generally safe. Perhaps a telco would choose static PINs out of a desire to avoid inconveniencing their customer if they are prompted to set a PIN on first use and then forget it. Perhaps it’s their own staff load they’re concerned about, since every customer who forgets a PIN causes a new call to their service desk. Really though, I reckon the reason voicemail doesn’t get any attention, investment, or security-related effort – not ten years ago when this article was written and not now – is because it’s a low-complexity, low-value service. It’s a basic expectation of a customer of any network carrier and thus a ‘cost of doing business’ rather than a premium value-add. Possibly the telco’s system has been around since the days of GSM with no modifications and maybe cannot even cope with random PIN generation or forced PIN changes because it was never designed for that scenario.
Risk Management Options
- Avoid – Voicemail not enabled for off-line or off-network access unless specifically opted into by customer.
- Mitigate - Customers required to set a PIN before their voicemail can be activated.
- Mitigate – Locking the voicemail after a defined number of incorrect PIN entries and requiring human contact with the network provider.
- Mitigate – Default PIN based on a non-public information type that is available easily to both the customer and the network provider, such as last 4 digits of SIM number.
- Transfer – Use a third-party voicemail system that can have authentication performed separately on a smartphone or other device using MFA or at least a complex password.