-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Secure Science Corporation Advisory TSA-051 http://www.securescience.net e-response@securescience.net 877-570-0455 - --------------------------------------------------------- T-mobile Wireless and Verizon Northwest are vulnerable to caller-ID authentication spoofing, enabling arbitrary compromise of customer voicemail/message center. - --------------------------------------------------------------------- Vulnerability Classification: Authentication bypass, remote compromise, confidential information breach. Discovery Date: July 09, 2004 Vendor Contacted: July 28, 2004 Advisory publication date: August 11, 2004 Abstract: - --------- T-mobile Wireless and Verizon Northwest (Washington state) grant implicit trust to certain Caller-ID input for receiving voicemails and accessing customer message preferences. Caller-ID spoofing allows forgery of a calling number to the target number. When spoofing the target number while calling T-mobile or Verizon Northwest, the target trusts the CID to be accurate, bypassing the password response, and allows direct access into the targets voicemail message center. Description: - ------------ During a recent demo with Caller-ID spoofing, a discovery was made when spoofing the targets own number. When calling the target, and if they did not pick up the call, the voice mail box would go into administrator mode without verifying or authenticating a voice mail box passcode. This confidential information breach is caused by the implicit trust of Caller-ID as the sole authentication mechanism from the targets phone. Particularly T-mobile is of greater concern, as it demonstrates when dealing with the threat model of a lost or stolen phone, an arbitrary entity can listen to the voicemail without authentication from the lost or stolen phone. Most mobile carriers do trust the Caller-ID that is displayed, but still ask for a passcode. Verizon Northwest (formerly GTE) has the same vulnerability, excepting that it is a landline carrier, not a mobile service. Tested Vendors: - --------------- T-Mobile Wireless Verizon Northwest Suspected Vendors: - ------------------ Multiple untested Telco vendors Multiple Credit-Card activation protocols Vendor and Patch Information: - ----------------------------- Secure Science Corporation has made multiple attempts to contact the vendors with no response. Solution: - --------- Add 2-factor authentication (passcode requirement) by default and cease implicit trust of Caller-ID information. Credits: - -------- Secure Science Corporation: Lance James, with many thanks to Samy Kamkar and Dachb0den Labs. Disclaimer: - ----------- Secure Science Corporation is not responsible for the misuse of any of the information we provide on this website and/or through our security advisories. Our advisories are a service to our customers intended to promote secure installation and use of Secure Science Corporation products. - -- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFBGos4S5qPmxIxbpkRAhE8AJ936K8F1dfzcCGBHrJH0B4J1mcwiwCgtyBL Z5HBN6+R9qVvt1k8tgAyPeI= =yDLU -----END PGP SIGNATURE-----