Shubham Shah, an 18-year-old Indian security researcher based in Sydney, has found a critical flaw in Vodafone Australia's voicemail system which can allow any hacker to tap into a Vodafone customer's voicemail. Shubham had earlier found a similar vulnerability in the voicemail service of another mobile carrier, Optus.
Any hacker with the right resources could "bruteforce" a target's voicemail PIN using easily accessible technology and gain access to the phone subscriber's voicemail messages. For the uninitiated, bruteforcing involves a hacker using bruteforce software to try every combination and permutation until one gains access to the service. It is similar to the ordinary zip password cracker software available on the net. However, in the zip password cracker case the file is on your own system, whereas large corporations normally employ security systems against bruteforcing. A typical method, normally used on every banking site, is locking down the account if the user makes three unsuccessful password attempts. Shubham discovered that Vodafone Australia didn't employ any kind of bruteforce protection on its voicemail servers.
The flaw, which can allow hackers to listen in on the private and personal voicemail messages of Vodafone customers, can also be used to retrieve Vodafone customers' two-factor authentication codes, or tokens, and use them to access their Google, Yahoo and other online accounts.
These codes – which come in handy as a second layer of security when online log-in credentials are stolen – are usually sent via text message but can also be sent via a phone call and end up in voicemail.
At the moment, Vodafone's 4.9 million customer accounts are safe, as Vodafone secured its network after Fairfax informed it and other carriers about this flaw. Vodafone has now capped the number of attempts for entering the PIN at five. But this also has a disadvantage for the customer: a hacker can input five wrong PINs and lock the user out just for the lulz. The user then has to call customer support to unlock his or her PIN.
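As an added illustration (not code from the article, Vodafone or the researcher), here is a small Python model of a voicemail PIN gate that contrasts the hard five-attempt lockout described above with an escalating-delay alternative that slows guessing without handing an attacker a way to lock the subscriber out. The phone number and PIN are constructed sample values, and the two-second backoff base is an assumption.

```python
import time
from dataclasses import dataclass

LOCKOUT_ATTEMPTS = 5       # the cap the article says Vodafone introduced
BACKOFF_BASE_SECONDS = 2   # assumed value for the escalating-delay variant


@dataclass
class AccountState:
    failures: int = 0
    locked: bool = False
    not_before: float = 0.0  # earliest clock time the next attempt is accepted


class PinGate:
    """Gate in front of a voicemail PIN check.

    mode="lockout": hard-lock after LOCKOUT_ATTEMPTS failures; only unlock()
                    (a customer-support call) clears it, so an attacker who
                    burns five guesses denies service to the real subscriber.
    mode="backoff": each failure doubles the wait before the next attempt, so a
                    guessing campaign crawls but the owner is never locked out.
    """

    def __init__(self, pins, mode="lockout", clock=time.monotonic):
        self.pins = pins      # constructed sample data: {phone_number: pin}
        self.mode = mode
        self.clock = clock    # injectable so the behaviour can be tested offline
        self.state = {}

    def attempt(self, number, pin):
        st = self.state.setdefault(number, AccountState())
        now = self.clock()
        if st.locked:
            return "locked"          # even the correct PIN is refused here
        if now < st.not_before:
            return "throttled"       # too early; the caller must wait
        if pin == self.pins.get(number):
            st.failures, st.not_before = 0, 0.0
            return "ok"
        st.failures += 1
        if self.mode == "lockout":
            st.locked = st.failures >= LOCKOUT_ATTEMPTS
        else:
            st.not_before = now + BACKOFF_BASE_SECONDS * 2 ** (st.failures - 1)
        return "denied"

    def unlock(self, number):
        """What a customer-support call does for a locked account."""
        self.state[number] = AccountState()
```

The lockout variant reproduces the trade-off the article describes: five wrong guesses return "locked" for the legitimate owner until support resets the account, while the backoff variant only makes them wait.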
Shubham Shah will present his findings at the Ruxcon security conference in Melbourne next month alongside his friend and high school student Huey Peard, 17, one of the founding members of Gibson Security. Last year the group published exploits found in disappearing photo-sharing app Snapchat. The revelations allowed another group to release usernames and mobile numbers of 4.5 million Snapchat users online.
“We were made aware of research that identified a security issue with our visual voicemail service,” Eyman Ahmed, head of information security at Vodafone, said in a statement. “Vodafone’s technical team responded to the matter within a matter of hours, and has updated its systems to address it. We thank the researcher for responsibly disclosing this issue to us so that we could address it and ensure our customers remain protected.”
Shubham has also informed the GSM Association about the flaw so that other carriers can take due precautions against it. Since the flaw potentially affects certain configurations of the visual voicemail system, Shubham has also notified Apple, which acknowledged his findings.
“Thank you for contacting Apple Product Security,” a company representative told him. “We appreciate you keeping us informed of your research, and hope your presentation goes well.”