1 00:00:00,000 --> 00:00:17,790 *35C3 preroll music* 2 00:00:17,790 --> 00:00:25,360 Herald Angel: We start the next talk. It's by Martin Vigo. He stands here. He is a 3 00:00:25,360 --> 00:00:32,500 product security lead and researcher and he's responsible for mobile security, 4 00:00:32,500 --> 00:00:39,860 identity, and authentication. So he helps people design and secure systems and 5 00:00:39,860 --> 00:00:46,710 applications. And he has worked on stuff like breaking password managers or 6 00:00:46,710 --> 00:00:57,500 exploiting Apple's FaceTime to create a spy... yeah, a spy program. So give him a 7 00:00:57,500 --> 00:01:09,360 warm applause for his talk. *Applause* 8 00:01:09,360 --> 00:01:12,650 Martin Vigo: Thank you for joining me in this talk. I'm super excited to be here. 9 00:01:12,650 --> 00:01:16,500 It's actually my second year at the conference, so super super excited that 10 00:01:16,500 --> 00:01:20,490 the first year I was sitting there, and the second year I'm sitting here. This is 11 00:01:20,490 --> 00:01:24,980 me, but an introduction was already made. Just pointing out that this is me, 9 year 12 00:01:24,980 --> 00:01:32,640 old, with an Amstrad CPC 6128. You had this machine before? I see only one hand? 13 00:01:32,640 --> 00:01:36,480 I think this was sold in Europe, but I was playing here La Abadía del crímen, which 14 00:01:36,480 --> 00:01:40,770 is the best video game ever written. If you guys like abandonware, you should 15 00:01:40,770 --> 00:01:45,410 definitely check it out. So like any good research we have to start by looking at 16 00:01:45,410 --> 00:01:49,860 previous art, right? We can learn a lot from researchers that did stuff in the 17 00:01:49,860 --> 00:01:55,800 past. And in this case I went all the way back to the 80s to understand how freakers 18 00:01:55,800 --> 00:01:59,590 of the time, when the hacking thing started, we're doing to actually hack into 19 00:01:59,590 --> 00:02:06,110 voicemail systems. I condensed everything I learned in five different paragraphs of 20 00:02:06,110 --> 00:02:11,670 five different essences, that I actually got from frac website, which is an amazing 21 00:02:11,670 --> 00:02:16,870 resource. So, here from the Hacking Telephone Answering Machines, the 22 00:02:16,870 --> 00:02:20,840 paragraph that I extracted was that "You can just enter all 2-digit combinations 23 00:02:20,840 --> 00:02:25,240 until you get the right one", "A more sophisticated and fast way to do this is 24 00:02:25,240 --> 00:02:29,200 to take advantage of the fact that such machines typically do not read two numbers 25 00:02:29,200 --> 00:02:33,330 at a time, and discard them, but just look for the correct sequence". What is this 26 00:02:33,330 --> 00:02:41,650 about? In older voicemail systems if you will enter like 1234 for the 2-digit PIN, 27 00:02:41,650 --> 00:02:47,770 it will not process 12 and 34 to to verify the PIN, but it will also process 23, 28 00:02:47,770 --> 00:02:52,280 which is very interesting. In fact, in Hacking AT&T Answering Machines, again, 29 00:02:52,280 --> 00:02:56,960 this is amazing from their 90s or 80s, we actually get the correct sequence to cover 30 00:02:56,960 --> 00:03:01,230 the entire 2-digit key space. So, if you enter all these, you are basically brute 31 00:03:01,230 --> 00:03:05,770 forcing the entire key space, without having to enter in the entire thing that 32 00:03:05,770 --> 00:03:11,541 covers it. I also learned, from A Tutorial of Aspen Voice Mailbox Systems, that in 33 00:03:11,541 --> 00:03:16,319 the 80s there was default passwords. Surprise, surprise! But also that as 34 00:03:16,319 --> 00:03:21,660 humans, we actually have patterns when we choose PINs. And so we have the classics: 35 00:03:21,660 --> 00:03:28,230 1111, 9999, 1234. And another thing that I learned in Hacking Answering Machines in 36 00:03:28,230 --> 00:03:32,700 the 90s, was that "There is also the old 'change the message' secret to make it say 37 00:03:32,700 --> 00:03:36,970 something to the effect of this line accepts all toll charges so you can bill 38 00:03:36,970 --> 00:03:41,849 third party calls to that number". This is basically a trick used by inmates to get 39 00:03:41,849 --> 00:03:46,160 free calls. Basically, they would record in the voicemail a greeting message "yes, 40 00:03:46,160 --> 00:03:49,750 yes, yes", so when the automated system comes in and asks "Do you want to accept 41 00:03:49,750 --> 00:03:53,890 the toll charges from the call from the penitentiary, it will go and they will be 42 00:03:53,890 --> 00:03:59,940 able to do free calls. So, condensing everything and summarizing what what I 43 00:03:59,940 --> 00:04:04,350 learned from looking at what previous hackers did in the 80s: we know that the 44 00:04:04,350 --> 00:04:08,780 voicemail system security looked like... there was default PINs, there was common 45 00:04:08,780 --> 00:04:12,650 PINs, there was bruteforceable PINs, there was efficient bruteforcing because we can 46 00:04:12,650 --> 00:04:16,779 enter multiple PINs at the same time, that the greeting message is actually an attack 47 00:04:16,779 --> 00:04:21,470 vector. So let's play a game. Let's do checklist and let's look at the voicemail 48 00:04:21,470 --> 00:04:26,970 security today. So, I looked at the American carriers because I live in the 49 00:04:26,970 --> 00:04:32,340 US, but because I was invited to talk in Germany, I took some friends to give me 50 00:04:32,340 --> 00:04:37,190 some SIM cards and I actually wanted to put about German carriers as well. So, 51 00:04:37,190 --> 00:04:41,490 checklist time, default PINs: all American carriers do have default PINs and 52 00:04:41,490 --> 00:04:45,940 unfortunately they are really not a secret because most of them is actually the last 53 00:04:45,940 --> 00:04:51,060 digits of your phone number. When it comes to German carriers it's actually a much 54 00:04:51,060 --> 00:04:54,840 better state, for example Vodaphone it's the last 4 digits of the client number 55 00:04:54,840 --> 00:04:59,530 which you don't know. I mean, you know as the customer, not others, it's a secret. 56 00:04:59,530 --> 00:05:03,650 Or if it comes to the CallYa, that is the card that I got, it's the last 4 digits of 57 00:05:03,650 --> 00:05:07,440 the PUK. For Telekom it's the last 4 digits of the card number, which is the 58 00:05:07,440 --> 00:05:11,590 card you get with the SIM card. For O2, unfortunately, there is a default PIN, 59 00:05:11,590 --> 00:05:18,440 which is 8705, which is the only PIN you can't set, when you choose to set one. 60 00:05:18,440 --> 00:05:23,680 Yeah. So, voicemail security today when it comes to common PINs: according to like a 61 00:05:23,680 --> 00:05:28,180 fantastic research from Data Genetics, this is actually about people choosing 62 00:05:28,180 --> 00:05:33,530 PINs for their credit cards, but there was a lot of conclusions that I learned from 63 00:05:33,530 --> 00:05:38,500 this research and basically, to summarize the most important regarding this work, is 64 00:05:38,500 --> 00:05:44,940 that for example by trying the top 20 most common PINs, you have a 22 percent chance 65 00:05:44,940 --> 00:05:50,060 of getting the right one. What this means in other words is for every fourth victim 66 00:05:50,060 --> 00:05:53,990 that I tried to brute force the PIN from their voicemail system, I will get it 67 00:05:53,990 --> 00:05:58,290 right every fourth person. There are other conclusions that are very interesting 68 00:05:58,290 --> 00:06:08,660 like, the PINs mostly start by 19. Who has an idea why is that? Birth year, right? Is 69 00:06:08,660 --> 00:06:13,819 very common to set as your birth year. Most of us were born in the 20th 70 00:06:13,819 --> 00:06:20,440 century... to set it as a PIN. Bruteforceable PINs. Same thing in Germany 71 00:06:20,440 --> 00:06:24,650 and in the US, it accepts 4-digit PINs which, we will see later, is just not 72 00:06:24,650 --> 00:06:29,970 enough key space. Efficient bruteforcing all the carriers accept concatenation of 73 00:06:29,970 --> 00:06:34,880 payload. So, in this case I use it to try different PINs and I don't even have to 74 00:06:34,880 --> 00:06:38,919 wait for error messages. I just use the pound as kind of like an enter in a 75 00:06:38,919 --> 00:06:43,270 voicemail system and I can try three PINs at a time. Usually carriers will hang up 76 00:06:43,270 --> 00:06:46,710 when you enter three PINs wrong, for security purposes, but we will take 77 00:06:46,710 --> 00:06:52,289 advantage of that. So with everything that I learned from the 80s, I verified that it 78 00:06:52,289 --> 00:06:56,711 was still a problem today. I decided to write a tool that allows you to brute 79 00:06:56,711 --> 00:07:01,970 force voicemail system fast, cheap, easily, efficiently, and undetected. So, 80 00:07:01,970 --> 00:07:08,179 fast: I used Twilio... who is familiar with Twilio here? Some of you? So a Twilio 81 00:07:08,179 --> 00:07:11,950 is basically an online services that allows you to programmatically interact 82 00:07:11,950 --> 00:07:15,410 with phone calls. You can make phone calls, interact with them, and all that. 83 00:07:15,410 --> 00:07:18,780 So I use it to launch hundreds and hundreds of calls at the same time in 84 00:07:18,780 --> 00:07:24,150 order to brute force PINs. It's cheap! The entire 4-digit keyspace costs 40 dollars. 85 00:07:24,150 --> 00:07:29,490 So if I want to have a 100 percent chance of getting your 4-digit PIN, I only have 86 00:07:29,490 --> 00:07:33,460 to pay 40 bucks. A 50 percent chance, according to the research from Data 87 00:07:33,460 --> 00:07:37,370 Genetics, it will cost me five dollars. So once every two victims, I will get the 88 00:07:37,370 --> 00:07:41,490 PIN. Actually, if I want to take a different approach and instead of just 89 00:07:41,490 --> 00:07:46,620 trying to brute force only yours, I want to brute force the PIN from everyone here, 90 00:07:46,620 --> 00:07:50,620 according to Data Genetics, and in this case, according to the fact that that is 91 00:07:50,620 --> 00:07:54,570 default PINs... I'm not going to ask how many of you have O2, now that they know 92 00:07:54,570 --> 00:07:58,490 that there is a default PIN to their voicemail system. It will be more 93 00:07:58,490 --> 00:08:03,320 interesting to actually try a thousand phone numbers for that default PIN for O2 94 00:08:03,320 --> 00:08:08,410 customers, only for 13 dollars. It's easy: fully automated, the tool does everything 95 00:08:08,410 --> 00:08:11,770 for you, you just have to provide the victim number, the carrier, and couple 96 00:08:11,770 --> 00:08:16,091 other parameters and it's efficient! It optimizes brute forcing, I use the 97 00:08:16,091 --> 00:08:20,910 research from Data Genetics to favor the PINs that are most common, and obviously 98 00:08:20,910 --> 00:08:25,350 it tries different PINs and all that stuff. But the most important here is 99 00:08:25,350 --> 00:08:28,750 detection, because think about it. In order for me to interact with your 100 00:08:28,750 --> 00:08:33,049 voicemail system I need to call you and you cannot pick up, because if not, it 101 00:08:33,049 --> 00:08:36,539 doesn't go to the voicemail system. So I was trying to find ways, because I need 102 00:08:36,539 --> 00:08:41,938 to, in the end, make a lot of calls, trying different PINs. How can I interact 103 00:08:41,938 --> 00:08:46,100 directly with your voicemail? I try call flooding like basically doing three calls 104 00:08:46,100 --> 00:08:49,810 at a time, because the line gets flooded just with three calls, it goes directly to 105 00:08:49,810 --> 00:08:54,220 the voicemail, but it wasn't very reliable. You can use OSINT techniques, a 106 00:08:54,220 --> 00:08:57,290 lot of people likes to tweet that they, you know, they go on a trip, they are 107 00:08:57,290 --> 00:09:01,980 about to board a plane, so it goes into airplane mode, or you go in a remote area, 108 00:09:01,980 --> 00:09:06,850 or you are in a movie theater, or at night you put in Do Not Disturb. Those are all 109 00:09:06,850 --> 00:09:12,300 situations in which calls go directly to the voicemail. You can use HLR database to 110 00:09:12,300 --> 00:09:17,529 find out if mobile devices are disconnected or the SIM cards have been 111 00:09:17,529 --> 00:09:21,720 discarded, but they are still assigned to an account. And you can use online 112 00:09:21,720 --> 00:09:25,800 services like realphonevalidation.com which I actually reached out and they 113 00:09:25,800 --> 00:09:30,300 provide services that allow you to know if a phone is acutally connected to a tower 114 00:09:30,300 --> 00:09:34,870 at the moment, so it's basically available, so you could use that too. You 115 00:09:34,870 --> 00:09:40,509 can also use class 0 SMS, which gives you feedback. It's basically a type of SMS 116 00:09:40,509 --> 00:09:45,570 that will... it has more priority and will basically display on the screen and you'll 117 00:09:45,570 --> 00:09:49,519 get the feedback if it was displayed. So, that's a nice trick to find out if the 118 00:09:49,519 --> 00:09:55,259 phone actually connected to a tower. But in reality, I wanted a bullet proof way to 119 00:09:55,259 --> 00:09:59,480 do this and in the U.S. I found that there is this concept of backdoor voice mail systems. 120 00:09:59,480 --> 00:10:03,019 So instead of me calling you, I'm going to call one of these services that you guys 121 00:10:03,019 --> 00:10:08,129 have listed here for every carrier and there I enter the number, in this case the 122 00:10:08,129 --> 00:10:11,769 number of the victim from the voicemail I want to interact to. And of course it 123 00:10:11,769 --> 00:10:16,069 allows you to access to the logging prompt. Actually in Germany I find it 124 00:10:16,069 --> 00:10:19,740 interesting that you guys have it as a service, because in the US it's more a 125 00:10:19,740 --> 00:10:24,589 secret that I had to found using Google, but here... Basically if I dial your phone 126 00:10:24,589 --> 00:10:28,029 number and when it comes to Vodafone between the area code and the rest of the 127 00:10:28,029 --> 00:10:33,889 number I put 55, or for Telekom 13, or for O2 33, I directly go to the voicemail, you 128 00:10:33,889 --> 00:10:37,469 won't ring your phone. So I can use that. Who was aware of this, that is from 129 00:10:37,469 --> 00:10:42,439 Germany? OK, many of you. So that's what I thought. Like here it's not really like 130 00:10:42,439 --> 00:10:46,569 something you guys care too much about. In the U.S. it's actually used a lot for 131 00:10:46,569 --> 00:10:53,429 scammers or to leave directly voicemail messages from spammers as well. So, 132 00:10:53,429 --> 00:10:56,809 voicemailcracker actually takes advantage of backdoor numbers, so it allows you to 133 00:10:56,809 --> 00:11:00,119 be undetected. I don't need to call you, I don't need to wait till you are flying, I 134 00:11:00,119 --> 00:11:04,399 can do that. And for example for the U.S. it's great, because when I launch that 135 00:11:04,399 --> 00:11:08,549 many calls, the line gets flooded even if you are offline. But when I use these 136 00:11:08,549 --> 00:11:14,959 backdoor voicemail systems, because they are meant to be used by everyone, those 137 00:11:14,959 --> 00:11:19,320 don't get flooded. So I literally make hundreds and hundreds of calls and it 138 00:11:19,320 --> 00:11:25,339 never fails.So, but you know like carriers, or some of them, add a brute 139 00:11:25,339 --> 00:11:28,799 force protections, right? So that you can't actually launch brute forcing 140 00:11:28,799 --> 00:11:32,929 attacks. And I looked at the German carriers and for example Vodafone, I saw 141 00:11:32,929 --> 00:11:37,619 that it resets the 6 digit PIN and sends it over SMS. So, I guess I can flood your 142 00:11:37,619 --> 00:11:41,260 phone with text but who cares, that's not a big deal, but I think it's actually a 143 00:11:41,260 --> 00:11:45,709 pretty effective measure against voicemail... against brute forcing. 144 00:11:45,709 --> 00:11:48,660 Telekom blocks the Caller ID from accessing the mailbox or even leaving 145 00:11:48,660 --> 00:11:53,220 messages. I tried and after six times that it's wrong every time, I call it says 146 00:11:53,220 --> 00:11:56,949 "Hey, you can't do anything", and it hangs up. And for O2 it connects directly to the 147 00:11:56,949 --> 00:12:01,059 customer help-line, but someone started talking German and my German is not that 148 00:12:01,059 --> 00:12:08,410 good. So brute force, I wanted to be able to bypass this writing and so if you look 149 00:12:08,410 --> 00:12:12,869 at telecom I mentioned that it blocks the caller I.D. but it turns out that Twilio 150 00:12:12,869 --> 00:12:16,959 you can actually buy caller IDs you can, well, you can buy phone numbers, right? 151 00:12:16,959 --> 00:12:22,509 and they are really cheap. So it's very easy for me to do randomization of caller 152 00:12:22,509 --> 00:12:28,329 I.D.s for very very cheap and bypass telecom's brute force protection. So 153 00:12:28,329 --> 00:12:33,009 voicemailcracker also supports that. It supports caller ID randomization. So let's 154 00:12:33,009 --> 00:12:38,490 make the first demo. So as you can see here on the left is the victim's mobile 155 00:12:38,490 --> 00:12:43,789 device, and on the right is the tool. And in this case I'm going to use the brute 156 00:12:43,789 --> 00:12:47,509 force option. The brute force option allows me to basically brute force the 157 00:12:47,509 --> 00:12:51,940 pin. It makes hundreds of calls as I explain and I'll try to guess it. And 158 00:12:51,940 --> 00:12:55,070 there is a number of parameters like the victim number, the carrier... the carrier 159 00:12:55,070 --> 00:12:58,990 is important because they put their specific payloads for every single carrier 160 00:12:58,990 --> 00:13:03,589 because all the voicemail systems are different, how you interact with them, and 161 00:13:03,589 --> 00:13:06,869 in this case are using a backdoor number because he's more efficient. And then 162 00:13:06,869 --> 00:13:11,109 there is no detection. And in this case I did the option of top pin. So this is 163 00:13:11,109 --> 00:13:17,499 basically trying the top 20 pins according to the research for four digits. So as you 164 00:13:17,499 --> 00:13:21,639 can see it's trying actually three pins at a time as I mentioned before rather than 165 00:13:21,639 --> 00:13:26,959 one. So we have to do a third of the of the of the calls, right? And how did you 166 00:13:26,959 --> 00:13:34,390 think that I'm detecting if the pin was correct or not? Any ideas? 167 00:13:34,390 --> 00:13:40,170 *Unintelligible suggestion from audience* M.V.: OK. So the disconnect and hang up. 168 00:13:40,170 --> 00:13:43,879 That's what I heard. And that's exactly right. If you think about it I can look at 169 00:13:43,879 --> 00:13:48,170 the call duration because when I tried three pins and it hangs up it's always the 170 00:13:48,170 --> 00:13:54,379 same call duration. For T-Mobile in this case it's like 18 seconds. So I instruct 171 00:13:54,379 --> 00:13:58,110 Twilio to after dialing and putting the payload to interact with the voicemail 172 00:13:58,110 --> 00:14:03,109 system trying the pins to wait 10 extra seconds. So all I got to do, I don't need 173 00:14:03,109 --> 00:14:07,509 any sound processing to try to guess what the voicemail voice is telling me if it's 174 00:14:07,509 --> 00:14:11,069 correct or not. I just use the call duration. So if the call duration is ten 175 00:14:11,069 --> 00:14:15,549 times longer then I know that's the right pin because because it locked in. So as 176 00:14:15,549 --> 00:14:19,239 you can see it found out one of those three is actually the correct one: in this 177 00:14:19,239 --> 00:14:24,649 case it's 1983. So in order to give you the exact one because at that time it 178 00:14:24,649 --> 00:14:29,389 tried the three of them, now it's trying one by one and it may look like it's 179 00:14:29,389 --> 00:14:35,350 taking longer than it should for only 20 pins but remember failing pins is very 180 00:14:35,350 --> 00:14:38,989 very quick. It's just that because in the top 20 found already the right pin it 181 00:14:38,989 --> 00:14:46,219 takes longer than it should, and there you go. We got that it's 1983. Awesome. So 182 00:14:46,219 --> 00:14:50,410 what is the impact really why am I here talking to you at CCC that has such 183 00:14:50,410 --> 00:14:55,560 amazing talks, right? And this is really the thing about this. No one cares about 184 00:14:55,560 --> 00:15:00,720 the voicemail. Probably if I ask here, who knows his own voicemail pin? 185 00:15:00,720 --> 00:15:05,329 *laughter* M.V.: Nice. That's what I was expecting. 186 00:15:05,329 --> 00:15:09,869 Probably less hands here. So some of them are lying but that's the thing, right? We 187 00:15:09,869 --> 00:15:13,910 don't care about the voicemail. We don't even use it, which is the crazy thing 188 00:15:13,910 --> 00:15:18,309 here. We have we have an open door for discussing an issue that we don't even 189 00:15:18,309 --> 00:15:23,290 know about or we don't even remember. So many people is not familiar with the fact 190 00:15:23,290 --> 00:15:27,869 that you can a reset passwords over phone call. We are familiar with resetting 191 00:15:27,869 --> 00:15:32,699 passwords over e-mail. You get a unique link maybe over SMS you get a code that 192 00:15:32,699 --> 00:15:36,809 you that you then have to enter in the UI. But a lot of people cannot receive SMS, or 193 00:15:36,809 --> 00:15:41,990 that's what services claim. So they allow you to provide that temporary code over a 194 00:15:41,990 --> 00:15:46,559 phone call, and that's exactly what we take advantage of, because I ask you what 195 00:15:46,559 --> 00:15:50,909 what happens if you don't pick up the phone if basically I go to a service, 196 00:15:50,909 --> 00:15:55,209 enter your e-mail or your phone number and reset a password, and everyone can do 197 00:15:55,209 --> 00:16:01,989 that. Anyone can reset it, initiate the reset password process, and I know that 198 00:16:01,989 --> 00:16:05,709 you are not going to pick up the phone. I know that thanks to my tool I got access 199 00:16:05,709 --> 00:16:09,759 to your voicemail system. So basically the voicemail system will pick up the call and 200 00:16:09,759 --> 00:16:15,309 it will start recording, so it will record the voice spelling out the code that I 201 00:16:15,309 --> 00:16:22,569 need to basically reset your account and get access to it. So -- oops! -- and I 202 00:16:22,569 --> 00:16:26,570 press play here. *Static* 203 00:16:26,570 --> 00:16:31,319 M.V.: Okay, so, what does the attack vector look like? You brute force the 204 00:16:31,319 --> 00:16:35,799 voicemail system using the tool ideally using backdoor numbers. For that 205 00:16:35,799 --> 00:16:38,779 particular call -- that is, the call that the victim will receive once you initiate 206 00:16:38,779 --> 00:16:42,369 the password reset -- that one it cannot go through the backdoor number, right?, 207 00:16:42,369 --> 00:16:45,849 because it's gonna-- PayPal is gonna directly call the victim. So for that one 208 00:16:45,849 --> 00:16:50,149 you need to make sure that the victim is not connected to a tower through all the 209 00:16:50,149 --> 00:16:53,979 methods that I showed before. You start the password reset process using the 210 00:16:53,979 --> 00:16:57,799 economy feature. You listen to the recorded message, secret code and profit. 211 00:16:57,799 --> 00:17:01,679 You hijacked that account, and Voicemailcracker can do all that for you. 212 00:17:01,679 --> 00:17:09,549 Let's compromise Whatsapp. So on the left you see my number, right?, with a secret 213 00:17:09,549 --> 00:17:13,939 lover group, and a secret group, and all that stuff. On the right notice that I'm 214 00:17:13,939 --> 00:17:19,709 not even using an actual device. It's an android emulator that I installed, an APK. 215 00:17:19,709 --> 00:17:23,809 And there is some sound to this, and you are gonna see -- so again on your left 216 00:17:23,809 --> 00:17:27,898 it's the victims number. On the right is an emulator of the attacker. So you'll see 217 00:17:27,898 --> 00:17:33,919 that I'm going to use my tool with the message payload, with the message option. 218 00:17:33,919 --> 00:17:38,520 So in this case what I'm doing is I'm setting the victim's phone to airplane 219 00:17:38,520 --> 00:17:43,880 mode, simulating that it's now offline for some reason, and I detected that. So if 220 00:17:43,880 --> 00:17:50,680 you see, WhatsApp allows sends you a text to actually register as a WhatsApp user, 221 00:17:50,680 --> 00:17:54,880 but if you don't reply in a minute it allows you-- it gives you an option to 222 00:17:54,880 --> 00:17:59,430 call, to call me, right? And that's exactly what I click. So now WhatsApp is 223 00:17:59,430 --> 00:18:04,080 basically calling the victim which is again in airplane mode, because he went on 224 00:18:04,080 --> 00:18:08,600 a remote trip or on a plane, and so I'm using Voicemailcracker with the option 225 00:18:08,600 --> 00:18:14,059 "message" to automatically retrieve that newest message. So the tool is gonna 226 00:18:14,059 --> 00:18:17,589 provide me as you can see the last option is the pin, because I brute forced it 227 00:18:17,589 --> 00:18:21,960 before. So it's going to give me a URL with the recording of the newest message, 228 00:18:21,960 --> 00:18:29,529 which, hopefully -- it's a recorded demo -- hopefully contains actually the code. 229 00:18:29,529 --> 00:18:46,079 So let's see... I got the URL. *Phone alert sound* 230 00:18:46,079 --> 00:18:48,760 Computerized phone voice: New Message! -- M.V.: It's interacting with the voicemail 231 00:18:48,760 --> 00:18:50,550 system right now. Phone voice: -- your verification code is: 232 00:18:50,550 --> 00:19:01,440 3 6 5 9 1 5. Your verification code is: 3 6 5 9 1 5. Your ver-- 233 00:19:01,440 --> 00:19:06,059 M.V.: And that simple. We just hijacked that person's WhatsApp, and I -- here I'm 234 00:19:06,059 --> 00:19:08,819 fast forwarding just to show you-- *Applause* 235 00:19:08,819 --> 00:19:18,760 M.V: --that you get actually that. Thank you. I do want to point out that WhatsApp 236 00:19:18,760 --> 00:19:21,841 is super secure, it like-- end to end encryption all that -- and there is a 237 00:19:21,841 --> 00:19:25,179 number of things that you can notice this attack. For example you wouldn't be able 238 00:19:25,179 --> 00:19:28,690 to see the previous messages that were there but you can just hold on and ask 239 00:19:28,690 --> 00:19:32,910 people, right? The groups will pop up. So you hijacked that WhatsApp account. There 240 00:19:32,910 --> 00:19:37,559 is also fingerprinting. But who really pays attention to the fingerprinting when 241 00:19:37,559 --> 00:19:43,440 someone changes the device, right? So are we done? Not yet. Because the truth is, 242 00:19:43,440 --> 00:19:48,029 some researchers talked about this in the past then and actually services tried to 243 00:19:48,029 --> 00:19:52,159 slowly pick up. So that is actually something that I found in several 244 00:19:52,159 --> 00:19:56,710 services. That is what I call the user interaction based protection. So when you 245 00:19:56,710 --> 00:20:01,060 received that phone call that provides you with the temporary code in reality it's 246 00:20:01,060 --> 00:20:04,700 not giving it away. You have to press a key. It comes in three different flavors 247 00:20:04,700 --> 00:20:08,530 from what I found from my tests. Please press any key to hear the code, so when 248 00:20:08,530 --> 00:20:11,679 you get the call, you have to press, and then it will tell you the code; please 249 00:20:11,679 --> 00:20:15,950 press a random key so specifically please press 1, please press 2, or please enter 250 00:20:15,950 --> 00:20:20,090 the code. PayPal does that, and instead of you having to press a key to hear the code 251 00:20:20,090 --> 00:20:24,289 when you reset the password you will see a four digits code that you have to enter 252 00:20:24,289 --> 00:20:29,140 when you receive the call and then it will reset the password. So I'm going to get 253 00:20:29,140 --> 00:20:33,680 the help from all of you guys. Can we beat this currently recommended protection what 254 00:20:33,680 --> 00:20:37,920 is nowadays recommended to prevent these kind of attacks? And we're going to play a 255 00:20:37,920 --> 00:20:44,590 game. I'm going to give you two hints. This is the first one. So, you probably 256 00:20:44,590 --> 00:20:48,510 guys are familiar with this, but Captain Crunch. Again we go back today it is we 257 00:20:48,510 --> 00:20:54,509 can learn so much from them, use this to generate specific sounds at a specific 258 00:20:54,509 --> 00:20:58,169 frequency to basically -- you can go and read it -- to get free international 259 00:20:58,169 --> 00:21:02,549 calls. So he will create that sound and the system will process it on the on the 260 00:21:02,549 --> 00:21:07,430 line. And the second one is that I cheated. When we did the checklist, I 261 00:21:07,430 --> 00:21:11,750 actually skipped one , which was the greeting message is an attack vector. So I 262 00:21:11,750 --> 00:21:16,549 ask you guys how can we bypass the protection that requires user interaction 263 00:21:16,549 --> 00:21:20,129 in order to get the code recorded on the voicemail system? 264 00:21:20,129 --> 00:21:26,269 *Inaudible suggestion from audience* M.V.: What was that?... Exactly. Record 265 00:21:26,269 --> 00:21:31,470 DTMF tones as the greeting message. We own the voice mail system so we can alter the 266 00:21:31,470 --> 00:21:36,729 greeting message. So this is exactly how it works: We just alter the greeting 267 00:21:36,729 --> 00:21:42,260 message we call the DTMF that the system is expecting and it works every single 268 00:21:42,260 --> 00:21:48,039 time. The best thing of this is what really is so awesome about about all of us 269 00:21:48,039 --> 00:21:52,169 that really care about technology. We want to have a deep understanding because when 270 00:21:52,169 --> 00:21:57,049 I was asking people when when you know I wanted to show them this I was asking them 271 00:21:57,049 --> 00:22:01,480 how does this protection really work. And they will say well you have to press a key 272 00:22:01,480 --> 00:22:05,789 and then you know it will give you the code. But that's not really true. That's 273 00:22:05,789 --> 00:22:09,490 what you have to do is to provide a specific sound that the system is 274 00:22:09,490 --> 00:22:13,990 expecting. That is different than saying you have to press a key, because if you 275 00:22:13,990 --> 00:22:18,520 say I have to press a key that requires physical access. If you say I have to 276 00:22:18,520 --> 00:22:22,460 provide a sound, now we know it doesn't require physical access. That is why 277 00:22:22,460 --> 00:22:26,490 hackers are so cool, because we really want to understand what is happening 278 00:22:26,490 --> 00:22:30,720 backstage, and we take advantage of that. So how does the attack vector look like? 279 00:22:30,720 --> 00:22:34,090 Bruteforcing voicemail systems as before. So basically we have an extra step which 280 00:22:34,090 --> 00:22:38,121 is update the greeting message according to the account to be hacked in voicemail. 281 00:22:38,121 --> 00:22:40,929 Cracker can do that for you. Let's compromise PayPal. 282 00:22:40,929 --> 00:22:46,990 *Laughter* M.V.: So on the left side you see that as 283 00:22:46,990 --> 00:22:53,330 before I brute force the pin of the voice mail. And in this case on the right side 284 00:22:53,330 --> 00:23:00,769 I'm going to start a password reset for that account. So I do that and I choose 285 00:23:00,769 --> 00:23:05,799 "please call me with a temporary code". But in this case PayPal works differently 286 00:23:05,799 --> 00:23:10,139 because it will show me a four digits code that I need to enter when I receive the 287 00:23:10,139 --> 00:23:15,690 call in order to reset the password. So you see that here I'm using the greeting 288 00:23:15,690 --> 00:23:20,310 option. So the greeting is going to allow me to enter a payload that I want to 289 00:23:20,310 --> 00:23:26,270 record as the greeting message. In this case is 6 3 5 3. So I may be very very 290 00:23:26,270 --> 00:23:31,500 verbose for this demo. There you see the last option use PayPal code and I 291 00:23:31,500 --> 00:23:36,989 enter 6 3 5 3. Now the tool is going to use the pin to log into the voicemail 292 00:23:36,989 --> 00:23:42,350 system, interact with it, change the greeting message, record the DTMF tones 293 00:23:42,350 --> 00:23:50,759 according to 6 3 5 3 and then it should be able to fool the call. In this case I'm 294 00:23:50,759 --> 00:23:55,860 asking to call again, because it didn't have enough time to do that. And in 3 2 1 295 00:23:55,860 --> 00:24:00,690 we should get that we actually compromise PayPal's account, and there we go. We can 296 00:24:00,690 --> 00:24:05,200 now set our own password. *Applause* 297 00:24:05,200 --> 00:24:14,580 M.V.: Thank you. So, I showed you some vulnerable servers. Let's go very quick 298 00:24:14,580 --> 00:24:19,240 about it because I'm I'm concerned I'm running out of time. So, I'm just 299 00:24:19,240 --> 00:24:23,490 mentioning Alexa top 100 types of services, no favoring anything, but... so 300 00:24:23,490 --> 00:24:27,610 for password reset that supports over phone call: PayPal, Instagram-- no, 301 00:24:27,610 --> 00:24:35,059 Snapchat-- Netflix, Ebay, LinkdIn. I'm still on Facebook. What can I say? 2FA for 302 00:24:35,059 --> 00:24:38,279 all they major forms so 2FA over phone call for Apple, Google, Microsoft, 303 00:24:38,279 --> 00:24:42,289 Yahoo... Verification: So basically you don't register with a username and 304 00:24:42,289 --> 00:24:47,020 password on on WhatsApp or Signal you actually use directly the phone number, 305 00:24:47,020 --> 00:24:50,790 right? As we saw before and you register through a phone call or SMS. So you can 306 00:24:50,790 --> 00:24:54,710 compromise this too. Twilio, the own service that I use for these is actually 307 00:24:54,710 --> 00:25:00,519 really cool because you can own a caller I.D. by verifying it by getting a phone 308 00:25:00,519 --> 00:25:05,460 call so I can actually own your caller ID and make calls on your behalf, send texts, 309 00:25:05,460 --> 00:25:10,039 and these all legitimately, right?, because you've pressed one. Google Voice, 310 00:25:10,039 --> 00:25:13,289 it's actually another interesting service because it's used a lot by scammers, 311 00:25:13,289 --> 00:25:17,009 right? And this is the same thing: you have to verify ownership so you can do 312 00:25:17,009 --> 00:25:21,549 those phone calls and you can fool it as well with this, but I found I was looking 313 00:25:21,549 --> 00:25:24,730 like what other services really take advantage of this? And this is super 314 00:25:24,730 --> 00:25:30,789 common in San Francisco, where I live. You can buzz in people like when they want to 315 00:25:30,789 --> 00:25:35,279 enter, right?, they enter your house number, and then your phone rings and you 316 00:25:35,279 --> 00:25:39,449 press any key to open the door. So we are talking about physical security now. And 317 00:25:39,449 --> 00:25:44,019 I've seen this in offices as well. They all work this way, basically because they 318 00:25:44,019 --> 00:25:47,769 want to be able -- for tenants, that you know, come and go -- be able to switch 319 00:25:47,769 --> 00:25:52,620 that very quickly. So it works just through the phone that you buzz people in. 320 00:25:52,620 --> 00:25:56,710 But my favorite is consent, because when we think about consent we think about 321 00:25:56,710 --> 00:26:00,779 lawyers and we think about signing papers and we think about all of these difficult 322 00:26:00,779 --> 00:26:07,799 things. And I find out about these location smart service that is not anymore 323 00:26:07,799 --> 00:26:15,190 there and you will see why... But this was recently in the news because, basically 324 00:26:15,190 --> 00:26:19,690 Brian Krebs wrote a really great article about it. But I'm going to let you hear 325 00:26:19,690 --> 00:26:23,389 then their YouTube channel, how Location Smart works. 326 00:26:23,389 --> 00:26:30,380 LS vid speaker 1: The screen that you're showing, that you're seeing right now is a 327 00:26:30,380 --> 00:26:36,800 demo that we have on our Web site it's at location smart.com/pride, and I've entered 328 00:26:36,800 --> 00:26:43,190 my name, my email, my mobile phone number, and it's again going to get my permission 329 00:26:43,190 --> 00:26:48,470 by calling my phone, and then it'll locate. So let's go ahead and, I clicked 330 00:26:48,470 --> 00:26:55,100 the box to say yes I agree, click the locate, and the screen now shows that it's 331 00:26:55,100 --> 00:26:58,170 going to call my device to get my permission. 332 00:26:58,170 --> 00:27:03,680 *vid speaker's phone vibrates, sounds like an airhorn in video* LS vid speaker 2: Heh, that's a nice ring 333 00:27:03,680 --> 00:27:05,610 tone -- M.V.: No, it's not-- 334 00:27:05,610 --> 00:27:09,620 LS vid speaker 1's phone: To log into Location Smart Services, press 1 or say 335 00:27:09,620 --> 00:27:16,870 'Yes'. To repeat, press 2 or say 'Repeat'. LSVS1: Yes 336 00:27:16,870 --> 00:27:21,809 Phone: Congratulations. You have been opted in to Location Smart Services. 337 00:27:21,809 --> 00:27:23,419 Goodbye M.V.: So as you see, this service, this 338 00:27:23,419 --> 00:27:30,091 Web site had a free demo, had a free demo that allow you to put out a phone number 339 00:27:30,091 --> 00:27:33,639 -- yours, of course -- and you will get a phone call and then you will give 340 00:27:33,639 --> 00:27:38,499 permission by pressing one. So someone could locate you and keep tracking -- I 341 00:27:38,499 --> 00:27:47,970 mean, I checked with them -- for up to 30 days, real time. So now you know why they 342 00:27:47,970 --> 00:27:51,580 don't exist anymore! *Applause* 343 00:27:51,580 --> 00:28:00,810 M.V.: Open source.. *More Applause* 344 00:28:00,810 --> 00:28:05,490 M.V: Open source. So, and this was with the permission of the carriers. This was 345 00:28:05,490 --> 00:28:11,740 not some fishy thing. This was actually a service. So I wanted to release code, 346 00:28:11,740 --> 00:28:15,009 because I want you guys to verify that what I mentioned is true and have code to 347 00:28:15,009 --> 00:28:20,490 hopefully help push the industry forward to make a voice mail systems more secure, 348 00:28:20,490 --> 00:28:24,990 right?. We want to push carriers to do so. A but I didn't want to provide on tool 349 00:28:24,990 --> 00:28:29,639 that works out of the box and anyone can very easily as we saw like just start to 350 00:28:29,639 --> 00:28:32,929 bruteforce pins, especially because I saw that there is so many people with the 351 00:28:32,929 --> 00:28:37,280 default PINs out there. So I just removed the brute forcing, so the tool allows you 352 00:28:37,280 --> 00:28:41,220 to test it on your own. You can test, you know, you can test the greeting message 353 00:28:41,220 --> 00:28:45,010 you can test the retreiving messages compromising the services and all that. So 354 00:28:45,010 --> 00:28:48,221 the tool allows you to test on your own device. I won't give you code to brute 355 00:28:48,221 --> 00:28:54,220 force someone else's device. And feel free to go to my github repo. So now like all 356 00:28:54,220 --> 00:28:59,309 the talks comes the recommendations, but I know what you guys are thinking, right? 357 00:28:59,309 --> 00:29:02,509 When someone comes with all this paranoia and stuff you still think "yeah but you 358 00:29:02,509 --> 00:29:07,080 know still like no one is gonna come after me. I don't have anything to hide" or 359 00:29:07,080 --> 00:29:11,330 anything like that. So I wanted to give you reasons why you should still care 360 00:29:11,330 --> 00:29:17,490 about this, and why we need to do better. Because do carriers set default PINs? Yes, 361 00:29:17,490 --> 00:29:23,350 we saw that. Is testing for default pins cheap, fast, undetected, and automatable? 362 00:29:23,350 --> 00:29:28,899 Yes it is. Is updating reading the message automatable? Yes it is. Is retrieving you 363 00:29:28,899 --> 00:29:34,929 the newest message automatable? Yes it is. Is there speech to text description, so 364 00:29:34,929 --> 00:29:39,190 that I can get the sound that I played before with the code and get it in text? 365 00:29:39,190 --> 00:29:45,920 Yeah. Twilio gives you that as well. So can the account compromise process be 366 00:29:45,920 --> 00:29:49,640 automatable? Of course you can use selenium if you want to automate the UI. 367 00:29:49,640 --> 00:29:55,549 Or you can use a Web proxy and look at the APIs and do it yourself. So it is only a 368 00:29:55,549 --> 00:30:00,629 matter of time that someone actually does all these steps that I showed you step by 369 00:30:00,629 --> 00:30:05,350 step and just makes it all straight and starts to go over phone numbers trying the 370 00:30:05,350 --> 00:30:10,389 default PINs, and just automatically compromising services like WhatsApp like 371 00:30:10,389 --> 00:30:16,140 PayPal and all that. You can do basically, not a worm, but, you know, you can 372 00:30:16,140 --> 00:30:20,700 compromise a lot of devices without doing anything. Recommendations for online 373 00:30:20,700 --> 00:30:24,879 services. Don't use automated calls for security purposes. if not possible detect 374 00:30:24,879 --> 00:30:28,270 answering machines and fail. I mean this is not very accurate and you can still 375 00:30:28,270 --> 00:30:33,630 trick it. Require user interaction before providing the secret. I just show you how 376 00:30:33,630 --> 00:30:39,630 to bypass that, but that's with hope that carriers ban DTMF tones from the greeting 377 00:30:39,630 --> 00:30:44,370 message. I don't see why that should be supported, right? Recommendations for 378 00:30:44,370 --> 00:30:48,119 carriers. The most important thing: Ban DTMF tones from the greeting message, 379 00:30:48,119 --> 00:30:53,250 eliminate backdoor mobile services, or at least a give no access to the login 380 00:30:53,250 --> 00:30:57,080 prompt, right? There is no reason why you should be able to access your voicemail 381 00:30:57,080 --> 00:31:01,710 directly to leave a message. But then I can access the login prompt by pressing 382 00:31:01,710 --> 00:31:05,749 star. Voicemail disabled by default. This is very important and can only be 383 00:31:05,749 --> 00:31:10,100 activated from the actual phone, or online maybe with a special code. Oh great 384 00:31:10,100 --> 00:31:15,730 I have time for questions. No default pins. Learn from the German carriers: 385 00:31:15,730 --> 00:31:19,399 don't allow common pins, detect and prevent brute force attempts, don't 386 00:31:19,399 --> 00:31:23,619 process multiple pins at once. Recommendations for you which, is in the 387 00:31:23,619 --> 00:31:28,389 end, very important here. disable the voice mail if you don't use it. I found 388 00:31:28,389 --> 00:31:31,760 though that some carriers you're still through the backdoor voicemail numbers you 389 00:31:31,760 --> 00:31:37,330 are unable to activate it again. So kind of sucks. So I guess use the longest 390 00:31:37,330 --> 00:31:41,649 possible random pin. Don't provide phone numbers to online services unless 391 00:31:41,649 --> 00:31:45,680 required, or is the only way to get 2FA. 2FA is more important. Use a virtual 392 00:31:45,680 --> 00:31:50,250 number to prevent OSINT like a Google Voice number so no one can you know learn 393 00:31:50,250 --> 00:31:55,399 about your phone number digits by resetting the password or do SIM swapping. 394 00:31:55,399 --> 00:31:59,660 Use 2FA apps only. And I always like to finish my talk with ones like that kind of 395 00:31:59,660 --> 00:32:03,519 summarizes everything. Automated phone calls are a common solution for password 396 00:32:03,519 --> 00:32:07,129 reset, 2FA, verification, and other services. These can be compromised by 397 00:32:07,129 --> 00:32:11,379 leveraging old weaknesses and current technology to exploit the weakest link 398 00:32:11,379 --> 00:32:15,050 voicemail systems. Thank you so much. Danke Schön, CCC! 399 00:32:15,050 --> 00:32:33,129 *Applause* Herald Angel: Thank you, Martin. We have 400 00:32:33,129 --> 00:32:37,450 time for questions, so if you have any questions or if someone in the Internet 401 00:32:37,450 --> 00:32:44,989 has questions just go to these microphones. Where is the microphone? 402 00:32:44,989 --> 00:32:50,020 You've got it. Yes. You were black and the microphone too. So maybe you start and we 403 00:32:50,020 --> 00:32:55,830 take the question from the Internet. Q: Yes I have a question. You mentioned 404 00:32:55,830 --> 00:33:02,510 that the phone needed to be offline. Would a call like a sim teen's call to the phone 405 00:33:02,510 --> 00:33:11,049 that it would be in what is called in english - besetzt?- like occupied so let's 406 00:33:11,049 --> 00:33:19,720 say I already called the victim. So the caller gets, yeah, the line's occupied 407 00:33:19,720 --> 00:33:21,960 that would then go to voicemail, wouldn't it? 408 00:33:21,960 --> 00:33:26,350 M.V.: So that's a great question. I think the question is if you are on a call and 409 00:33:26,350 --> 00:33:31,429 someone else calls you, so your attack will be: I somehow make up a story to keep 410 00:33:31,429 --> 00:33:34,980 the person on the phone call while I launch other calls... that will work. I 411 00:33:34,980 --> 00:33:38,850 tried that but the problem is usually to force, I mean that will not be too big of 412 00:33:38,850 --> 00:33:41,860 a deal I guess but it supports two calls right. They will warn you all there is 413 00:33:41,860 --> 00:33:45,719 another incoming call. But I guess you could keep doing more. So that's what I 414 00:33:45,719 --> 00:33:50,509 meant a partly with a call flooding. In that case what I tried was just launching 415 00:33:50,509 --> 00:33:53,909 all of them at the same time. And if the person picks up I don't care but it's 416 00:33:53,909 --> 00:33:57,490 somewhat related to what you mentioned and that's definitely possible. 417 00:33:57,490 --> 00:33:59,300 Questioner: Okay. Thank you. M.V.: Yeah. 418 00:33:59,300 --> 00:34:03,739 Herald: Question from the internet please Signal Angel: Does this work with the 419 00:34:03,739 --> 00:34:07,879 phone calls that start talking immediately, will the new code being 420 00:34:07,879 --> 00:34:12,159 recorded then? M.V.: if I understood the question 421 00:34:12,159 --> 00:34:16,429 correctly it's that when the voicemail picks up like basically the automated 422 00:34:16,429 --> 00:34:21,230 system that spits out the code already started to talk. I believe that's the 423 00:34:21,230 --> 00:34:23,230 question. Herald: We don't know it's from the 424 00:34:23,230 --> 00:34:27,030 Internet. M.V.: OK so if that is the question I 425 00:34:27,030 --> 00:34:30,739 found actually that, because usually greeting messages last like 15 seconds so 426 00:34:30,739 --> 00:34:35,460 by the time it starts recording you already finish the recording that gives 427 00:34:35,460 --> 00:34:39,199 you the code, but you own the greeting message so you make it as short as one 428 00:34:39,199 --> 00:34:44,469 second. And I never found a problem with that. You actually recorded DTMF tones for 429 00:34:44,469 --> 00:34:47,729 like two seconds. Herald: Ladies first let me take your 430 00:34:47,729 --> 00:34:54,799 question. Q: You talked about how you learned all of 431 00:34:54,799 --> 00:35:07,589 that through reading e-zines. How are they called, and how do I find them? 432 00:35:07,589 --> 00:35:10,979 M.V: That's the best question I've ever heard and it deserves an applause, 433 00:35:10,979 --> 00:35:15,770 seriously. I like that because you also want to learn about it. So that's that's 434 00:35:15,770 --> 00:35:20,190 really fantastic. So the Phrack Web site is the best resource you can get. I guess 435 00:35:20,190 --> 00:35:26,730 everyone will agree here. So you just look up google for phrack magazine and there is 436 00:35:26,730 --> 00:35:32,040 a lot a lot of interesting stuff that we can learn there still today. 437 00:35:32,040 --> 00:35:36,120 Q: Are there any others? M.V.: Yeah I mean you can then follow the 438 00:35:36,120 --> 00:35:42,040 classic. I mean I like Twitter to get my security news because it's very concise so 439 00:35:42,040 --> 00:35:47,180 I kind of get like you know the 140 characters version.. if I'm interested 440 00:35:47,180 --> 00:35:51,980 then I will read it. So I think you can google for like top security people to 441 00:35:51,980 --> 00:35:57,510 follow. Brian Krebs is great. It depends also on your technical depth. There is 442 00:35:57,510 --> 00:36:03,970 different people for that. And if not just you know specialized blogs in magazines. 443 00:36:03,970 --> 00:36:06,590 Q: All right. Thanks. M.V.: Thank you. 444 00:36:06,590 --> 00:36:10,810 Herald: And your question please. Q: Hi. And so for me the solution is 445 00:36:10,810 --> 00:36:14,700 obvious: I just turn off my voicemail. But thinking about some relatives which are 446 00:36:14,700 --> 00:36:19,170 maybe too lazy or don't really care and still use two factor authentication. I was 447 00:36:19,170 --> 00:36:24,450 thinking about could I easily adapt your script to automatically turn off voice 448 00:36:24,450 --> 00:36:37,569 boxes or generate random pins? M.V.: You can automate it to turn off the pin. Like 449 00:36:37,569 --> 00:36:41,600 for example on Vodaphone I don't know why that allows you to turn off the pin. To turn 450 00:36:41,600 --> 00:36:47,430 off the voicemail... I don't... I haven't tested that. I think you may have to call 451 00:36:47,430 --> 00:36:51,569 the IT department but you know what. It would be really great to do that. It would 452 00:36:51,569 --> 00:36:55,630 be really awesome. Great question. I guess if you can turn it off then you can turn 453 00:36:55,630 --> 00:37:00,040 it on as well. Yeah. Herald: Your question please. 454 00:37:00,040 --> 00:37:03,109 Q: Did Twilio ban you or did they find out what you did? 455 00:37:03,109 --> 00:37:09,700 M.V.:I got some emails I got some emails but they were really cool. I have to say 456 00:37:09,700 --> 00:37:13,740 that. I explained to them what I was coming from, I gave them my identity... 457 00:37:13,740 --> 00:37:18,180 like I wasn't hiding anything. Actually I had to pay quite some money and because of 458 00:37:18,180 --> 00:37:21,650 all the calls that I was doing while I was doing the research, so I do think hide my 459 00:37:21,650 --> 00:37:27,049 identity at all. So, they did detect tact that I was doing many calls and stuff like 460 00:37:27,049 --> 00:37:31,809 that. So there is I guess at the high volumes there is some detection, but 461 00:37:31,809 --> 00:37:35,970 Twilio is not the only service. So again you can switch between services, space it 462 00:37:35,970 --> 00:37:40,330 out, change caller I.D.s, a number of things. 463 00:37:40,330 --> 00:37:45,549 Herald: And one more question here. Q: Hi. You talked about being undetected 464 00:37:45,549 --> 00:37:50,400 when making all these calls by going directly to these direct access numbers. 465 00:37:50,400 --> 00:37:56,030 In Germany it's very common that if someone calls your voicemail you get an 466 00:37:56,030 --> 00:38:00,460 SMS text even if they don't leave a message. But I suspect there's some kind 467 00:38:00,460 --> 00:38:05,370 of undocumented API to actually turn that off through the menus. Have you looked 468 00:38:05,370 --> 00:38:08,710 into that? M.V.: No I haven't looked into that 469 00:38:08,710 --> 00:38:14,230 specifically. The question is that usually in Germany for the carriers you'll get an 470 00:38:14,230 --> 00:38:18,220 SMS when you when you get a call. I wonder... the test that I did on the 471 00:38:18,220 --> 00:38:22,250 German carriers, I was getting a text if I was leaving a message, not if someone was 472 00:38:22,250 --> 00:38:26,420 calling there. I guess you are talking about a missed call, that kind of 473 00:38:26,420 --> 00:38:32,089 notification. I'm not sure about it. What I do want to point out is remember that a 474 00:38:32,089 --> 00:38:35,609 you can do these while the person is offline maybe on a long trip so you can 475 00:38:35,609 --> 00:38:40,750 time it, and that will be a good probation I guess to just not launch at any, you 476 00:38:40,750 --> 00:38:44,300 know, at any point in time, but you can just always time it, and by the time the 477 00:38:44,300 --> 00:38:47,850 person gets a million text it's too late. Q: Thanks. 478 00:38:47,850 --> 00:38:50,189 M.V.: Yeah. Herald: One more question over here 479 00:38:50,189 --> 00:38:55,200 please. Q: Thank you. On apple phones you can 480 00:38:55,200 --> 00:39:00,540 activate with some care the, what they call visual voicemail. Would that prevent 481 00:39:00,540 --> 00:39:04,950 your attack to work, or..? M.V.: No there is actually, I believe he 482 00:39:04,950 --> 00:39:11,550 was an Australian researcher, that looked into the visual voicemail and he was able 483 00:39:11,550 --> 00:39:16,770 to find that in reality uses the IMAP, If I remember correctly, protocol, and for 484 00:39:16,770 --> 00:39:23,110 some carriers he was able to to launch brute force attacks because the 485 00:39:23,110 --> 00:39:28,450 authentication wasn't with the same pin as you get when you dial in. But he found at 486 00:39:28,450 --> 00:39:34,819 least one carrier in Australia I believe that was vulnerable through visual 487 00:39:34,819 --> 00:39:37,930 voice mail protocol. And I check for German carriers. I did that, I actually 488 00:39:37,930 --> 00:39:43,010 follow the steps that he did, to see if that was worth mentioned in here. I didn't 489 00:39:43,010 --> 00:39:49,100 find it to be vulnerable, but that doesn't mean that that's not the case. 490 00:39:49,100 --> 00:39:53,750 Herald: One more last question. Q: Thank you for the talk. What is your 491 00:39:53,750 --> 00:39:58,090 recommendation to American carriers to protect themselves against this attack? 492 00:39:58,090 --> 00:40:03,460 M.V.: I put a slight slide there. Like for me I guess the most important thing is 493 00:40:03,460 --> 00:40:07,839 really look at what some German carriers are doing I really like that in the recent 494 00:40:07,839 --> 00:40:12,940 past where it sends it to you over SMS as soon as it detects that someone dialed, 495 00:40:12,940 --> 00:40:17,730 tried six times the wrong pin. I mean if you have physical access to a locked 496 00:40:17,730 --> 00:40:22,619 device you could claim that if someone has the preview turned on the device you could 497 00:40:22,619 --> 00:40:26,910 still see the pin, you know when you get it so. But then it wouldn't be like a 498 00:40:26,910 --> 00:40:33,900 remote attack anymore, so definitely detect brute forcing and shut down. I mean 499 00:40:33,900 --> 00:40:38,490 we know that with the caller I.D. is not working so well for a Telecom, because I 500 00:40:38,490 --> 00:40:43,440 was able to bypass it. But I know that, because I did some test with HLR records 501 00:40:43,440 --> 00:40:46,850 that you can actually tell the type of device that it is, if it's a virtual 502 00:40:46,850 --> 00:40:51,400 number. So if carriers could actually look at the type of phone that is trying to 503 00:40:51,400 --> 00:40:55,830 call in. I think if it's a virtual number, you know, red flag. If it's not I don't 504 00:40:55,830 --> 00:40:59,400 think someone is going to have... I guess the government could like, you know have 505 00:40:59,400 --> 00:41:05,810 3333 devices because you try one pin for the 10000 keyspace, you know. You try 3 506 00:41:05,810 --> 00:41:10,889 pins at a time and just have 3333 SIM cards and so it will come from real 507 00:41:10,889 --> 00:41:15,990 devices. But then at least it will quite significantly mitigate it. And then like 508 00:41:15,990 --> 00:41:22,850 again like if you ban DTMF tones from the greeting message that will help as well. 509 00:41:22,850 --> 00:41:26,270 Herald: Thank you Martin. I have never provided any telephone number to any 510 00:41:26,270 --> 00:41:32,230 platform and now thanks to you I know why. Warm applause for Martin Vigo please. 511 00:41:32,230 --> 00:41:33,552 M.V.: Thank you 512 00:41:33,552 --> 00:41:39,532 *applause* 513 00:41:39,532 --> 00:41:45,100 *35c3 postroll music* 514 00:41:45,100 --> 00:42:02,000 subtitles created by c3subtitles.de in the year 2019. Join, and help us!