I just got myself an iPhone and I'm extremely pleased with it. I think it's the best cell phone on the market - a sheer pleasure to use.
The purpose of this post is to alert new iPhone customers about a security vulnerability in AT&T/Cingular's Voicemail system that has not been fixed for more than a year. I first wrote about this on February 1, 2006: Exploit Cingular Voicemail Vulnerability via Caller ID Spoofing. As soon as I got my new AT&T/Cingular number, I tested for this vulnerability and I can confirm that it still exists for new AT&T/Cingular accounts (atleast for iPhone customers). I can't force AT&T / Cingular to fix this issue, but I can tell you about it so you know what to do to protect yourself from this vulnerability.
Here is an explanation of the vulnerability in a nutshell: The AT&T/Cingular voicemail system is configured by default not to ask for a password when you check your voicemail from the handset (it asks for your voicemail password if you call your number from another cell phone and press * when your voicemail answers). Unfortunately, the AT&T/Cingular voicemail system trusts Caller ID to determine if the handset is calling it. Because Caller ID can be spoofed easily (see below), anyone can gain access into your voicemail by calling you and spoofing your phone number (it will appear as if you are calling yourself when your phone rings) - should you not answer the call, your voicemail will answer and allow the intruder full access to your messages.
Here is how to test the vulnerability:
- Buy a calling card from Spoofcard. This service lets you spoof your caller ID.
- Use another phone and call your cell phone using Spoofcard. When the Spoofcard asks you what number you want to spoof, enter your number again.
- Do not pickup your cell phone. When the call goes into voicemail, if you are able to listen to your messages without being prompted for a password, then you are vulnerable.
Here is how to protect yourself from this vulnerability:
- Call your AT&T/Cingular voicemail (dial your own number from the iPhone).
- Press 4 to go to "Personal Options".
- Press 2 to go to "Administrative Options".
- Press 1 to go to "Password".
- Press 2 to turn your password "ON".
- Hang-up and call your voicemail again from your iPhone. If your voicemail system asks you for your voicemail password you are all set.
I sincerely hope that AT&T/Cingular gets around to fixing this huge security hole in their voicemail system.