[ISN] Flaw threatens T-Mobile voice mail leaks

InfoSec News isn at c4i.org
Fri Feb 25 04:48:09 EST 2005


By Robert Lemos 
Staff Writer, CNET News.com
February 24, 2005

A convenient voice mail feature has likely opened up many T-Mobile
subscribers' voice mail boxes to unauthorized attackers armed with a
simple hack, the embattled cellular service provider acknowledged on

The attack, publicized by wireless security firm Flexilis, could be
used to download a person's voice mail or take control of the victim's
voice mail functions, provided the attacker knew the subscriber's
phone number.

"The attacker would be able to listen to the victim's voice mail,
record the voice mail to a file on a remote server, and also make
calls out from the system posing at the victim," said John Hering,
director of business development for Flexilis. "This can all be done
from a public pay phone, which is extremely difficult to trace."

While Flexilis did not give details of the flaws, at least one
Internet site has pointed out that T-Mobile's voice mail system can be
accessed by anyone who uses a service to spoof caller ID. T-Mobile
acknowledged the problem, but said that the solution is simple: Users
should set their voice mail to require passwords.

"By default, customers are not required to put a password on their
voice mail," said spokesman Bryan Zidar. "If you enable the password
protection, it solves the problem."

Zidar said the issue has no relation to the high-profile privacy hits
suffered by Paris Hilton and other celebrities or a previous incident
where an online intruder had access to the mobile phone system.  
T-Mobile is still investigating that case and has not released how the
information was stolen.

"The silver lining of this Paris Hilton thing, is it is an opportunity
for customers to take further steps to protect their data," Zidar

Flexilis also advised T-Mobile subscribers to change their voice mail
setting to require a password from the mobile device.

More information about the ISN mailing list