Home page logo

bugtraq logo Bugtraq mailing list archives

Re: SSC Advisory TSA-051 (T-mobile wireless and Verizon Northwest)
From: "Brad Herbert" <bherbert () earthwastesystems com>
Date: Thu, 12 Aug 2004 17:04:36 -0400

Actually, you should know that these systems authenticate based on Calling
Party Number (CPN) which caller id is derived from. So saying "This
confidential information breach is caused by the implicit trust of Caller-ID
as the sole authentication mechanism from the targets phone." is technically

----- Original Message ----- 
From: "Secure Science Corporation Advisory Notice"
<bugtraq () securescience net>
To: <bugtraq () securityfocus com>
Sent: Wednesday, August 11, 2004 5:10 PM
Subject: SSC Advisory TSA-051 (T-mobile wireless and Verizon Northwest)

Hash: SHA1

Secure Science Corporation Advisory TSA-051
e-response () securescience net

- ---------------------------------------------------------

T-mobile Wireless and Verizon Northwest are vulnerable to caller-ID
authentication spoofing, enabling arbitrary compromise of customer
voicemail/message center.

- ---------------------------------------------------------------------

Vulnerability Classification: Authentication bypass, remote compromise,
confidential information breach.

Discovery Date: July 09, 2004
Vendor Contacted: July 28, 2004
Advisory publication date: August 11, 2004

- ---------
T-mobile Wireless and Verizon Northwest (Washington state) grant
implicit trust to certain Caller-ID input for receiving voicemails and
accessing customer message preferences. Caller-ID spoofing allows
forgery of a calling number to the target number. When spoofing the
target number while calling T-mobile or Verizon Northwest, the target
trusts the CID to be accurate, bypassing the password response, and
allows direct access into the targets voicemail message center.

- ------------
During a recent demo with Caller-ID spoofing, a discovery was made when
spoofing the targets own number. When calling the target, and if they
did not pick up the call, the voice mail box would go into administrator
mode without verifying or authenticating a voice mail box passcode.
This confidential information breach is caused by the implicit trust of
Caller-ID as the sole authentication mechanism from the targets phone.

Particularly T-mobile is of greater concern, as it demonstrates when
dealing with the threat model of a lost or stolen phone, an arbitrary
entity can listen to the voicemail without authentication from the lost
or stolen phone. Most mobile carriers do trust the Caller-ID that is
displayed, but still ask for a passcode.

Verizon Northwest (formerly GTE) has the same vulnerability, excepting
that it is a landline carrier, not a mobile service.

Tested Vendors:
- ---------------
T-Mobile Wireless
Verizon Northwest

Suspected Vendors:
- ------------------
Multiple untested Telco vendors
Multiple Credit-Card activation protocols

Vendor and Patch Information:
- -----------------------------
Secure Science Corporation has made multiple attempts to contact the
vendors with no response.

- ---------
Add 2-factor authentication (passcode requirement) by default and cease
implicit trust of Caller-ID information.

- --------
Secure Science Corporation: Lance James, with many thanks to Samy Kamkar
and Dachb0den Labs.

- -----------
Secure Science Corporation is not responsible for the misuse of any of
the information we provide on this website and/or through our security
advisories. Our advisories are a service to our customers intended to
promote secure installation and use of Secure Science Corporation
- --
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]