But let's start at the beginning of the story:

Mobile network security is poor …

What many people do not know is that the caller ID of everyone around the globe can be easily spoofed. Basically an attacker needs access to the phone network – which nowadays is very easy due to VOIP – and a provider which allows the attacker to set the caller ID as part of the configuration or allows the configuration of your own Private Branch Exchange (PBX) like Asterisk. This blogpost, for example, explains how to set up your own Asterisk server to spoof any caller ID you want. VOIP providers like voip.ms allow the user to set the outgoing caller ID directly within the web application – no additional software or hardware is required – not even a physical phone, because a softphone (software which simulates a phone) can be used as well (e.g.

![x lite softphone phone spoofing](http://video.findmysoft.com/2015/04/02/X-Lite.jpg)

An old and powerful Issue - Voicemail Hacking

Alright, so now that we know that everyone with a computer and a credit card can spoof every phone number on the planet, what can an attacker do with this besides social engineering and prank calls?

Voicemails - It can be used to get access to the voicemail of everyone who is using a vulnerable telecom provider. There are still many mobile phone companies around the world which only use the incoming caller ID for authentication. No additional information is required from the user.

I did some research on Austrian mobile phone operators and I was really surprised. Basically I had a look at the “big three” mobile phone providers in Austria which are:

The following graph shows the detailed market share of those mobile network providers (Q4 2015).

Austrian mobile network operators - Q4 2015

The data for the graph above was taken from here (sorry, in German)

![x lite softphone phone spoofing](https://www.acepeakinvestment.com/wp-content/uploads/2020/10/5-7.jpg)

I checked those three main players, including some of the companies which are using the same network, and I got the following results:

A1 – Not vulnerable to voicemail hacking.

DREI (Hutchison) – Not vulnerable to voicemail hacking.

T-Mobile - VULNERABLE to voicemail hacking

According to the graph above, T-Mobile has a market share of 28% in Austria. Those are about 4 million users (according to T-Mobile). Remember, I have not tested every sub-company of those three which are using the same network, which means that the number of affected users can be lower. But actually this means that many Austrian T-Mobile users who use the default configuration of their voicemail without a password are vulnerable to the voicemail hacking issue.

So, now we know that an attacker is (under certain circumstances) able to get into the voicemail of their victim, but how can this be used to hack online services? Shubham Shah used this 2½ years ago to bypass 2FA of many services which are using automated phone calls to transmit the 2FA code.

So when a user wanted to request the code, the user had the possibility to get an automated voice call which then told the code to the user. Due to the voicemail issue, it was possible to bypass this using the following exploit flow.

Exploit flow

1.) Enter phone number of the victim

2.) Request voice call - At the same time, call the victim so that the automated call gets redirected to the voicemail of the victim

3.) After some time, spoof the caller ID to get access to the victim's mailbox

4.) Listen to the security code, which should now be on the voicemail

5.) Profit

What about Netflix?

This means that if the victim added a phone number to his/her Netflix account to improve the security of the account, it actually weakened it. An attacker with the knowledge of the phone number of the victim (who uses a mobile network provider which is vulnerable to the voicemail issue) is able to reset the password of the victim.

No interaction of the victim is required - One scenario would be that the victim answers the call of the attacker – the Netflix phone call gets redirected to voicemail. The other scenario would be that the victim does not answer the call at all – the Netflix call gets redirected to the voicemail as well.

I reported this to Netflix via the responsible disclosure program and I noticed that they have a really good and fast-responding security team – it took a little bit longer to fix the issue because the automated phone calls used by Netflix are handled by a third party. Beneath you can find a detailed reporting timeline.