Compromising Online Accounts by Cracking Voicemail Systems

Explore the vulnerabilities of voicemail systems and their potential impact on online account security in this 42-minute conference talk from the 35th Chaos Communication Congress (35C3). Delve into the history of voicemail hacking, examining how old weaknesses persist alongside modern technology. Learn about techniques for compromising voicemail systems, including both traditional methods and innovative approaches. Discover the far-reaching consequences of unauthorized voicemail access, extending beyond message exposure. Witness demonstrations of real-world attacks, including compromising PayPal accounts and exploiting location services. Gain insights into user interaction-based protection measures and their limitations. Examine a new tool that automates the voicemail hacking process. Conclude with recommendations for improving voicemail security and addressing questions from the audience on topics such as disabling voicemail, undocumented APIs, and carrier responsibilities.

Introduction
Previous research
Checklist on default pins
The tool
First demo
User Interaction Based Protection
Compromising PayPal
Compromising LocationSmart
LocationSmart Demo
Recommendations
Questions
Question from the internet
Turning off voicemail
Twilio ban
Undocumented API
Visual voicemail
Recommendations to carriers