Preventing Voicemail Hacking

The following article on preventing voicemail hacking was originally published on the BCS website:

Voicemail hacking is not new. The two main methods are guessing PINs or using spoofing to bypass caller ID-based access control.

For convenient remote access to voicemail, e.g. where caller ID is not available or when the user is calling from a different phone, service providers allow users to authenticate through the use of PINs. Invariably these are short, usually four digits, and often they are preset to a known default – making hacking a simple guessing game.

Where caller ID is available, service providers use it to automatically identify users and allow direct access into their voicemail boxes. Unfortunately, caller ID spoofing has been around, for legitimate reasons, as long as caller ID. This facility can be misused to falsely represent the Calling Party and bypass such access control.

Historically, unlike other forms of login, service providers have not put much effort into the prevention and detection of brute force PIN guessing or caller ID spoofing attacks. Some limit the number of attempts per call, say to three, but attackers can set up automated brute force attack systems to break even a four-digit PIN over a weekend.

In the US it is not illegal, at the federal level, to offer a public caller ID spoofing service. In the UK, regulator Ofcom has wisely chosen to try to restrict such public service offerings. Unfortunately, access to the right switchboard software or network signalling can enable a caller to set whatever caller ID they wish.

Caller ID spoofing services can help reduce this type of fraud by not allowing the spoofing of a calling ID where it is the same as the called party number, so that someone cannot masquerade as a mobile phone and be automatically admitted by the mobile operator’s filtering mechanism. Some already have this restriction.

Mobile operators could improve things by:

  1. requiring that robust PINs are set for all accounts with voicemail;
  2. notifying users of (repeated) failed attempts to log in to accounts – not just with a voicemail (as one operator does), which a successful attacker would delete;
  3. only trusting calls that present caller IDs of their own customers when those calls originate from their own and roaming partner networks;
  4. relying less on presentation ID (easily spoofed) than network ID (less easily spoofed) when automatically connecting a caller to voicemail.
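The operator-side checks in this list can be sketched as log analysis. This is an added example, not code from the original article or from any operator; the record layout, event names, thresholds and phone numbers are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)  # assumed look-back window
MAX_FAILS = 10                # assumed failure budget per mailbox across all calls
def parse(line):
    # Hypothetical record: ts,call_id,mailbox,presentation_id,network_id,origin,event
    ts, call, mailbox, pres, net, origin, event = line.strip().split(",")
    return {"ts": datetime.fromisoformat(ts), "call": call, "mailbox": mailbox,
            "pres": pres, "net": net, "origin": origin, "event": event}

def analyse(lines):
    """Return (mailboxes under PIN guessing, call ids given untrusted direct access)."""
    fails = defaultdict(deque)  # mailbox -> timestamps of recent PIN failures
    guessed, untrusted = set(), []
    for rec in sorted(map(parse, lines), key=lambda r: r["ts"]):
        if rec["event"] == "PIN_FAIL":
            recent = fails[rec["mailbox"]]
            recent.append(rec["ts"])
            while rec["ts"] - recent[0] > WINDOW:
                recent.popleft()
            # Count per mailbox, not per call: redialling after three
            # wrong guesses must not reset the counter.
            if len(recent) >= MAX_FAILS:
                guessed.add(rec["mailbox"])  # lock PIN access, alert user out of band
        elif rec["event"] == "DIRECT_ACCESS":
            # The presentation ID alone proves nothing: require a matching
            # network ID and an origin on the home or a roaming partner network.
            if rec["net"] != rec["mailbox"] or rec["origin"] not in ("home", "roaming"):
                untrusted.append(rec["call"])  # should have been sent to the PIN prompt
    return guessed, untrusted

def sample():  # constructed records, not real operator data
    t0 = datetime(2024, 1, 6, 22, 0)
    rows = []
    for i in range(12):  # four calls, three wrong guesses each, one target mailbox
        cli = f"07700900{900 + i // 3}"
        rows.append(f"{(t0 + timedelta(minutes=i)).isoformat()},c{i // 3},"
                    f"07700900001,{cli},{cli},external,PIN_FAIL")
    rows += [
        "2024-01-06T09:00:00,c10,07700900002,07700900002,07700900002,home,PIN_FAIL",
        "2024-01-06T09:00:20,c10,07700900002,07700900002,07700900002,home,PIN_OK",
        "2024-01-06T10:00:00,c20,07700900003,07700900003,07700900003,home,DIRECT_ACCESS",
        "2024-01-06T11:00:00,c21,07700900004,07700900004,02079460000,external,DIRECT_ACCESS",
    ]
    return rows

if __name__ == "__main__":
    print(analyse(sample()))
```

On the constructed sample, the mailbox that receives twelve wrong guesses over four calls is flagged even though no single call exceeds three attempts, and call `c21` is flagged because its network ID does not match the presentation ID it was admitted on.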

Users could improve things by:

  1. regularly changing their voicemail PIN to a non-predictable number, so that, if compromised, they lock out the attacker until the attacker can break in again;
  2. listening out for old messages they don’t recall hearing before;
  3. noticing when told of a voicemail being left that they did not receive;
  4. disabling voicemail where it is not required or where they are concerned about intrusion.

Awareness is the name of the game and reporting suspected breaches to your service provider, police and the Information Commissioner’s Office will maintain focus on this continued area of weakness in personal communications.

Gareth Niblett is the chair of BCS ISSG and previously a CISO at a telecommunications group.

Edited from my submitted text, due to length, were the following paragraphs that you may also find useful:

“Business voicemail, as a feature of a private branch exchange (PBX) or automated call distribution (ACD) system, is also vulnerable to poorly set PINs – which are often the last digits of the direct dial in (DDI) number or the same as the extension or a common default – Caller ID spoofing or simply using the target’s handset.

Skype and VoIP services also provide a voicemail capability, and where software clients are used there is also the risk of malware that could allow an attacker to gain access to credentials or data enabling them to monitor calls or messages. Staying up-to-date with patches and anti-virus updates, as well as strong passwords, will help.”

The original version of this piece is available online at: