
TSA-051.txt

Posted Aug 12, 2004
Authored by Samy Kamkar, Lance James, Dachb0den Labs | Site securescience.net

Secure Science Corporation Advisory TSA-051 - T-mobile Wireless and Verizon Northwest are vulnerable to caller-ID authentication spoofing, enabling arbitrary compromise of customer voicemail/message center.

tags | advisory, arbitrary, spoof
SHA-256 | 225638f73c5b8d06d7de9f238c2bb0e7a75dbe00089b54e1c244ac3621208021

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Secure Science Corporation Advisory TSA-051
http://www.securescience.net
e-response@securescience.net
877-570-0455

- ---------------------------------------------------------

T-mobile Wireless and Verizon Northwest are vulnerable to caller-ID
authentication spoofing, enabling arbitrary compromise of customer
voicemail/message center.

- ---------------------------------------------------------------------

Vulnerability Classification: Authentication bypass, remote compromise,
confidential information breach.

Discovery Date: July 09, 2004
Vendor Contacted: July 28, 2004
Advisory publication date: August 11, 2004


Abstract:
- ---------
T-Mobile Wireless and Verizon Northwest (Washington state) grant
implicit trust to certain Caller-ID input for receiving voicemails and
accessing customer message preferences. Caller-ID spoofing allows the
calling number presented to the target number to be forged. When the
caller spoofs the target number while calling T-Mobile or Verizon
Northwest, the target trusts the CID to be accurate, bypassing the
password response, and allows direct access into the target's voicemail
message center.

Description:
- ------------
During a recent demo of Caller-ID spoofing, a discovery was made when
spoofing the target's own number. When the target was called and did not
pick up, the voice mail box would go into administrator mode without
verifying or authenticating a voice mail box passcode. This confidential
information breach is caused by the implicit trust of Caller-ID as the
sole authentication mechanism from the target's phone.

T-Mobile is of particular concern: under the threat model of a lost or
stolen phone, an arbitrary entity can listen to the voicemail from the
lost or stolen phone without authentication. Most mobile carriers do
trust the Caller-ID that is displayed, but still ask for a passcode.

Verizon Northwest (formerly GTE) has the same vulnerability, except
that it is a landline carrier, not a mobile service.


Tested Vendors:
- ---------------
T-Mobile Wireless
Verizon Northwest

Suspected Vendors:
- ------------------
Multiple untested Telco vendors
Multiple Credit-Card activation protocols

Vendor and Patch Information:
- -----------------------------
Secure Science Corporation has made multiple attempts to contact the
vendors with no response.

Solution:
- ---------
Add 2-factor authentication (passcode requirement) by default and cease
implicit trust of Caller-ID information.
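
The access decision described above next to the recommended one, as an added Python example (not code from the advisory or from either carrier). The function names, the PBKDF2 passcode storage, the lockout threshold and the 555 sample number are all assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

MAX_FAILURES = 3  # assumed lockout threshold, not taken from the advisory


@dataclass
class Mailbox:
    number: str
    salt: bytes
    passcode_hash: bytes
    failures: int = 0


def _hash(salt: bytes, passcode: str) -> bytes:
    # Assumed storage scheme: salted PBKDF2 rather than a plaintext passcode.
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, 100_000)


def make_box(number: str, passcode: str, salt: bytes = b"constructed-salt") -> Mailbox:
    return Mailbox(number, salt, _hash(salt, passcode))


def weak_access(box: Mailbox, caller_id: str, passcode=None) -> str:
    """Behaviour the advisory reports: a matching Caller-ID alone opens the mailbox."""
    if caller_id == box.number:
        return "granted"  # no passcode asked; the CID is the sole credential
    return hardened_access(box, caller_id, passcode)


def hardened_access(box: Mailbox, caller_id: str, passcode=None) -> str:
    """Recommended behaviour: the passcode is required whatever the Caller-ID says.

    caller_id is accepted but deliberately never used as a credential.
    """
    if box.failures >= MAX_FAILURES:
        return "locked"   # limits passcode guessing once CID no longer helps
    if passcode is None:
        return "prompt"   # always ask, even when the call claims the owner's number
    if hmac.compare_digest(_hash(box.salt, passcode), box.passcode_hash):
        box.failures = 0
        return "granted"
    box.failures += 1
    return "denied"
```
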

Credits:
- --------
Secure Science Corporation: Lance James, with many thanks to Samy Kamkar
and Dachb0den Labs.

Disclaimer:
- -----------
Secure Science Corporation is not responsible for the misuse of any of
the information we provide on this website and/or through our security
advisories. Our advisories are a service to our customers intended to
promote secure installation and use of Secure Science Corporation products.
- --
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBGos4S5qPmxIxbpkRAhE8AJ936K8F1dfzcCGBHrJH0B4J1mcwiwCgtyBL
Z5HBN6+R9qVvt1k8tgAyPeI=
=yDLU
-----END PGP SIGNATURE-----