How could voicemail insecurity affect your Facebook, Google or Yahoo! account?

It is nearly three years since the News of the World voicemail hacking scandal erupted (a case that’s in court right now). The blog and article I wrote at the time are still the most popular posts I’ve written. I was involved in drafting a set of guidelines for network operators which was published very soon after.

I was therefore quite surprised when a friend sent me the following link which explains how web application security researcher Shubham Shah managed to use voicemail vulnerabilities within network operators to exploit two-factor authentication (2FA) for some pretty major services (e.g. Google, Yahoo!, LinkedIn and so on). One way 2FA is sometimes set up is that the service calls your mobile number and reads out the code. Obviously an automated system isn’t usually set up to determine whether you (rather than your voicemail) actually answered the call, so the code can be read straight into your voicemail box. And that’s how the attack goal is achieved. If the attacker can get into your voicemail account via a vulnerability in procedures or via CLI (Calling Line Identity) spoofing (i.e. faking your phone number), then they can get access to the rest of your life. Sounds simple and it is.
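To make the service-side fix concrete, here is an added illustration (my own, not code from the post or from any of the services named) of the difference between a voice-OTP flow that speaks the code as soon as the call connects and one that first demands a keypress (DTMF) from whoever answered; a voicemail greeting records audio but never presses a key, so the code is withheld. The function names and the two simulated callees are hypothetical.

```python
# Added example (not from the blog post): voice OTP delivery that refuses to
# read the code to a voicemail box. The weak flow speaks the code on connect;
# the hardened flow requires an acknowledgement digit first. Names and the
# simulated callees are hypothetical; real telephony APIs expose an
# equivalent "collect digits" step.
from dataclasses import dataclass, field
from typing import Callable, Optional

Callee = Callable[[str], Optional[str]]  # hears a prompt, returns DTMF digit or None


@dataclass
class CallResult:
    code_disclosed: bool
    outcome: str
    log: list = field(default_factory=list)


def deliver_otp_naive(answered_by: Callee, code: str) -> CallResult:
    """The weak flow: speak the code as soon as the call connects."""
    answered_by(f"Your verification code is {code}.")
    return CallResult(True, "spoken_on_connect", [("speak", code)])


def deliver_otp_with_ack(answered_by: Callee, code: str, prompts: int = 2) -> CallResult:
    """Hardened flow: speak the code only after the listener presses 1."""
    log = []
    for n in range(1, prompts + 1):
        digit = answered_by("Press 1 to hear your verification code.")
        log.append(("prompt", n, digit))
        if digit == "1":
            answered_by(f"Your verification code is {code}.")
            log.append(("speak", code))
            return CallResult(True, "delivered_after_ack", log)
    log.append(("hangup", "no keypress; code withheld"))
    return CallResult(False, "withheld_no_ack", log)  # worth telling the user to retry


# Constructed callees for the two cases the post describes.
def human_with_handset(prompt: str) -> Optional[str]:
    return "1" if prompt.startswith("Press 1") else None


def voicemail_greeting(prompt: str) -> Optional[str]:
    return None  # a greeting records audio but never presses a key


if __name__ == "__main__":
    for flow in (deliver_otp_naive, deliver_otp_with_ack):
        for callee in (human_with_handset, voicemail_greeting):
            r = flow(callee, "482913")
            print(flow.__name__, callee.__name__, r.outcome, r.code_disclosed)
```

The keypress check does nothing against an attacker who answers the call live on a spoofed line; it only closes the voicemail route the post describes.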

New stuff and a shop…

So I’ve made a few changes this evening on the blog. You’ll notice a few links above which you can peruse (and there are more to come) and of course, as promised I’m selling the “it’s not f**king phone hacking” t-shirts through the official shop. There’ll be more in there soon, but why not treat yourself to a default PIN #hackgate mug? It’s as easy as 1,2,3… (actually I won’t go there).

Blackhat & DEFCON19 – mobile presentations

With the main sessions of Blackhat starting tomorrow morning (Las Vegas time), I’ve posted the mobile-related talks here for those who are interested.

The mobile hacking training course which took place today (I think) was sold out. What has interested me the most is the increase in interest from the security and hacking community in all types of mobile platforms. As you’ll see below, there are really quite a few presentations focussed on mobile. Also, as smartphones become more advanced, a lot of the other presentations not listed here become relevant (for example web application security). I just want to highlight two of the presentations: ‘Aerial Cyber Apocalypse’ which will demonstrate a UAV equipped with WiFi and GSM hacking capabilities (see the picture below) and ‘War Texting: Identifying and Interacting with Devices on the Telephone Network’ which shows attacks on car systems which use SMS to remotely control the car. Fun in the sun.


Blackhat USA 2011 (Briefings 3-4th August)

Don A. Bailey:
War Texting: Identifying and Interacting with Devices on the Telephone Network

Karsten Nohl + Chris Tarnovsky:
Reviving smart card analysis

Andrey Belenko:
Overcoming IOS Data Protection to Re-enable iPhone Forensics

Ravi Borgaonkar + Nico Golde + Kevin Redon:
Femtocells: A poisonous needle in the operator’s hay stack

Dino Dai Zovi:
Apple iOS Security Evaluation: Vulnerability Analysis and Data Encryption

Richard Perkins + Mike Tassey:
Aerial Cyber Apocalypse: If we can do it… they can too.

Long Le + Thanh Nguyen:
ARM exploitation ROPmap

Jennifer Granick:
The Law of Mobile Privacy and Security

Riley Hassell + Shane Macaulay:
Hacking Androids for Profit

Tyler Shields + Anthony Lineberry + Charlie Miller + Chris Wysopal + Dino Dai Zovi + Ralf-Phillipp Weinmann + Nick Depetrillo + Don Bailey:
Owning Your Phone at Every Layer – A Mobile Security Panel

DEFCON19: (4th-7th August)

Abusing HTML5

Cellular Privacy: A Forensic Analysis of Android Network Traffic

Getting SSLizzard

This is REALLY not the droid you’re looking for…

Mobile App Moolah: Profit taking with Mobile Malware

Wireless Aerial Surveillance Platform

Seven Ways to Hang Yourself with Google Android

Staying Connected during a Revolution or Disaster

So, plenty to keep everyone going then! It’ll be interesting to see what the next few weeks bring.