02-22-2005, 08:32 PM
This comes courtesy KevinRose.com
UPDATE: Here is the audio clip.
**EXCLUSIVE** This is an exclusive you will not see anywhere else. As many of you know, yesterday Paris Hilton?s T-Mobile address book was stolen and posted online. But what you don?t know is, shortly thereafter a hacker gained access to both Paris? and Vin?s private saved voicemail messages. I was contacted anonymously and shown proof of the hacker?s ability to access these private saved voicemails.
The hack is a simple one that I duplicated easily. If you have Sprint or T-Mobile and have auto voicemail login enabled, you are vulnerable to this type of attack. I have auto voicemail login enabled because I hate entering my voicemail PIN number each time I want to check my messages.
The voicemail authentication system is simple. It uses caller ID to validate the originating number ? if the caller ID matches your cell phone number (ie. your cell phone calling in to check your voicemail messages), it will log you in automatically.
This system has worked great for the last few years. Well, that is until the advent of commercial caller ID spoofing systems such as CovertCall and Telespoof. For those not in-the-know, caller ID spoofing allows you to change your caller ID number to anything you like. To hack myself, I simply logged into CovertCall and placed a spoofed call to my cell phone. The spoofed call was to my cell phone, from my cell phone, forwarded to a pay phone. Sprint (my provider) thought I was calling from my cell, and automatically logged me in (even though I was performing this from a pay phone down the street).
As you can see, the hacker used the same method to access Paris Hilton?s and Vin Diesel?s private voicemails. CovertCall offers free call recording, so the hacker was also able to save the voicemails to disk (I wouldn?t have believed it, had I not heard them myself). From what they tell me, of the entire list only those two accounts used the auto login method. NOTE: This article is for informational purposes only - accessing someone?s voicemail without their consent is highly illegal.
UPDATE: Here is the audio clip.
**EXCLUSIVE** This is an exclusive you will not see anywhere else. As many of you know, yesterday Paris Hilton?s T-Mobile address book was stolen and posted online. But what you don?t know is, shortly thereafter a hacker gained access to both Paris? and Vin?s private saved voicemail messages. I was contacted anonymously and shown proof of the hacker?s ability to access these private saved voicemails.
The hack is a simple one that I duplicated easily. If you have Sprint or T-Mobile and have auto voicemail login enabled, you are vulnerable to this type of attack. I have auto voicemail login enabled because I hate entering my voicemail PIN number each time I want to check my messages.
The voicemail authentication system is simple. It uses caller ID to validate the originating number ? if the caller ID matches your cell phone number (ie. your cell phone calling in to check your voicemail messages), it will log you in automatically.
This system has worked great for the last few years. Well, that is until the advent of commercial caller ID spoofing systems such as CovertCall and Telespoof. For those not in-the-know, caller ID spoofing allows you to change your caller ID number to anything you like. To hack myself, I simply logged into CovertCall and placed a spoofed call to my cell phone. The spoofed call was to my cell phone, from my cell phone, forwarded to a pay phone. Sprint (my provider) thought I was calling from my cell, and automatically logged me in (even though I was performing this from a pay phone down the street).
As you can see, the hacker used the same method to access Paris Hilton?s and Vin Diesel?s private voicemails. CovertCall offers free call recording, so the hacker was also able to save the voicemails to disk (I wouldn?t have believed it, had I not heard them myself). From what they tell me, of the entire list only those two accounts used the auto login method. NOTE: This article is for informational purposes only - accessing someone?s voicemail without their consent is highly illegal.