Sprint VoiceFailMail Authentication

I was playing with SkypeOut today (this is where you can call land lines from Skype). Since you don’t have a real phone number on Skype, one of the features of SkypeOut is the ability to set your SkypeOut caller ID to the phone number of a mobile phone you control.

The setup is pretty simple. Give them the phone number you want to use. They will text a password to that number. You enter that password back into the website.

While testing it, I called my cell phone from Skype to see what would come up. I was surprised to find out that my phone did not ring. I was instead connected to my voicemail – not to leave a message, but to the part where you can check your messages. I heard “No Messages. Main menu.” I was directly connected – no prompt for a pin or anything – as if I was calling FROM my cell phone.

Sprint is using caller ID as its only method of authentication. Anyone who can set their caller ID can now access my Sprint voicemail settings. They can listen, change my greeting, etc. This doesn’t seem so bad when considering only SkypeOut. They make sure you control the phone before they assign the caller ID.

I mentioned this in #securabit, and aricon pointed out that anyone with a DS3 or a PRI circuit can set the caller ID to whatever they wish. Then he asked for my cell phone number…

Another vector could leverage Skype too. Let’s say you set your SkypeOut caller ID to your cell phone number. Down the road, you cancel your cell phone. Someone else will eventually get your old number. If you didn’t change your SkypeOut caller ID, you own their voicemail.

Sprint. This is 2009. Certainly you can do better than that.

If you have SkypeOut and have a different cell phone carrier, I would be interested to know if this works with the other providers as well.
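To make the two failure modes above concrete, here is an added Python model (not Sprint’s or Skype’s code; the account names, phone numbers and PIN are constructed): a voicemail policy that trusts caller ID alone beside one that requires a PIN, and the SkypeOut verification flow whose caller ID binding outlives the number it was verified against.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass
class Mailbox:
    number: str                # the subscriber's own phone number
    pin: Optional[str] = None  # None: the subscriber never set one

def weak_voicemail_access(box: Mailbox, caller_id: str) -> bool:
    """Caller ID alone decides: the behaviour the post describes."""
    return caller_id == box.number

def hardened_voicemail_access(box: Mailbox, caller_id: str,
                              pin: Optional[str] = None) -> bool:
    """Caller ID only selects the mailbox; the PIN authenticates.
    Fails closed when no PIN was ever set."""
    if caller_id != box.number or box.pin is None or pin is None:
        return False
    return secrets.compare_digest(pin, box.pin)

class SkypeOutCallerId:
    """Model of the set-up flow: a one-time code is texted to the number,
    which becomes the account's caller ID once the code is entered."""
    def __init__(self) -> None:
        self.pending: Dict[str, Tuple[str, str]] = {}  # account -> (number, code)
        self.bound: Dict[str, str] = {}                # account -> caller ID

    def request(self, account: str, number: str) -> str:
        code = secrets.token_hex(3)
        self.pending[account] = (number, code)
        return code  # really sent by SMS to `number`; returned here for the model

    def confirm(self, account: str, code: str) -> bool:
        number, expected = self.pending.pop(account)
        if not secrets.compare_digest(code, expected):
            return False
        self.bound[account] = number
        return True

def stale_binding_scenario() -> Tuple[bool, bool]:
    """Second vector from the post: the verified number is reassigned later.
    Returns (weak grants, hardened grants) for the stale caller ID."""
    skype = SkypeOutCallerId()
    code = skype.request("old-owner", "555-0100")   # constructed sample number
    assert skype.confirm("old-owner", code)
    # Old owner cancels service; the carrier hands 555-0100 to a new subscriber
    newcomer = Mailbox(number="555-0100", pin="4821")
    stale_id = skype.bound["old-owner"]             # binding was never removed
    return (weak_voicemail_access(newcomer, stale_id),
            hardened_voicemail_access(newcomer, stale_id))
```

The weak policy lets the stale caller ID open the new subscriber’s mailbox; the hardened one rejects it because caller ID is treated as an identifier, not a credential.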

5 Responses to Sprint VoiceFailMail Authentication

  1. hak5chris says:

    Can anyone replicate this? I'm about to try.

  2. nevesis says:

    Check your voicemail settings. You can enable password prompts.

  3. Great post and yes a very open flaw. Fortunately Sprint offers this only as a convenience and does allow you to set a password that prevents this from working. But honestly how many users would like to add an extra step to checking voice mail? – Linked on our frontpage

  4. Bugbear says:

    Verizon will prompt the user to set up a PIN; however, this used to be optional and would use Caller ID if the user chose so.

