Hackers take control over online accounts using voicemail services

A proof-of-concept exploit for hacking multiple online services has recently been disclosed

According to cybersecurity and ethical hacking specialists from the International Institute of Cyber Security, voicemail systems are highly vulnerable to brute force attacks against their main security measure, the four-digit Personal Identification Number (PIN) that protects them. According to reports from multiple experts, a malicious actor could access a voicemail system to take control of accounts on services such as WhatsApp, LinkedIn, Netflix or PayPal.

The cybersecurity and mobile security expert Martin Vigo recently presented research in which he states that the PIN protecting these voicemail services is much easier to crack than a traditional password, which can lead to account hacking in different services.

“Automated phone calls are commonly used to use functions such as password reset, account verification, and more. A hacker could compromise these functions, exploiting some old programming weaknesses with updated tools and intervening in a user’s voicemail.”

The cybersecurity expert used some simple phone-call hacking techniques, this time applied to hacking a voicemail service. Once a voicemail service has been compromised, hackers can start listening to the messages the victim uses to reset their password. Hackers might even infer the user's PIN if it is typed into the victim's device.

Vigo wrote an automated script capable of cracking most of the four-digit PINs used by voicemail systems without the victims' knowledge. The researcher published the code of his Voicemailcracker on GitHub (omitting the brute force function), hoping to help correct this kind of weakness.

In a demonstration, Vigo showed how a voicemail system works the same with the brute force function activated, verifying that it could access services such as PayPal or WhatsApp, which have a PIN verification system.

“Voicemailcracker uses Twilio, a Voice Over Internet Protocol service that allows you to manage phone calls automatically. Voicemailcracker launches hundreds of phone calls at the same time to interact with voicemailing systems and use brute force against the PIN, all without the victim’s knowledge,” concluded the expert. The researcher also revealed other possible attack vectors, such as a backdoor to the voicemail system that eliminates the need to make thousands of phone calls, an attack that requires minimal interaction from the victim.