BugTraq
SSC Advisory TSA-051 (T-mobile wireless and Verizon Northwest) Aug 11 2004 09:10PM Secure Science Corporation Advisory Notice (bugtraq securescience net) (2 replies)
Re: SSC Advisory TSA-051 (T-mobile wireless and Verizon Northwest) Aug 12 2004 04:33AM Joe Eversole (jeversol gmail com) (1 replies)
Re: SSC Advisory TSA-051 (T-mobile wireless and Verizon Northwest) Aug 12 2004 11:34PM Lance James (lancej securescience net)
Party Number (CPN) which caller id is derived from. So saying "This
confidential information breach is caused by the implicit trust of Caller-ID
as the sole authentication mechanism from the target's phone." is technically
wrong.
----- Original Message -----
From: "Secure Science Corporation Advisory Notice"
<bugtraq (at) securescience (dot) net [email concealed]>
To: <bugtraq (at) securityfocus (dot) com [email concealed]>
Sent: Wednesday, August 11, 2004 5:10 PM
Subject: SSC Advisory TSA-051 (T-mobile wireless and Verizon Northwest)
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Secure Science Corporation Advisory TSA-051
> http://www.securescience.net
> e-response (at) securescience (dot) net [email concealed]
> 877-570-0455
>
> - ---------------------------------------------------------
>
> T-mobile Wireless and Verizon Northwest are vulnerable to caller-ID
> authentication spoofing, enabling arbitrary compromise of customer
> voicemail/message center.
>
> - ---------------------------------------------------------------------
>
> Vulnerability Classification: Authentication bypass, remote compromise,
> confidential information breach.
>
> Discovery Date: July 09, 2004
> Vendor Contacted: July 28, 2004
> Advisory publication date: August 11, 2004
>
>
> Abstract:
> - ---------
> T-mobile Wireless and Verizon Northwest (Washington state) grant
> implicit trust to certain Caller-ID input for receiving voicemails and
> accessing customer message preferences. Caller-ID spoofing allows
> forgery of a calling number to the target number. When spoofing the
> target number while calling T-mobile or Verizon Northwest, the target
> trusts the CID to be accurate, bypassing the password response, and
> allows direct access into the target's voicemail message center.
>
> Description:
> - ------------
> During a recent demo with Caller-ID spoofing, a discovery was made when
> spoofing the target's own number. When calling the target, and if they
> did not pick up the call, the voice mail box would go into administrator
> mode without verifying or authenticating a voice mail box passcode.
> This confidential information breach is caused by the implicit trust of
> Caller-ID as the sole authentication mechanism from the target's phone.
>
> Particularly T-mobile is of greater concern, as it demonstrates when
> dealing with the threat model of a lost or stolen phone, an arbitrary
> entity can listen to the voicemail without authentication from the lost
> or stolen phone. Most mobile carriers do trust the Caller-ID that is
> displayed, but still ask for a passcode.
>
> Verizon Northwest (formerly GTE) has the same vulnerability, excepting
> that it is a landline carrier, not a mobile service.
>
>
> Tested Vendors:
> - ---------------
> T-Mobile Wireless
> Verizon Northwest
>
> Suspected Vendors:
> - ------------------
> Multiple untested Telco vendors
> Multiple Credit-Card activation protocols
>
> Vendor and Patch Information:
> - -----------------------------
> Secure Science Corporation has made multiple attempts to contact the
> vendors with no response.
>
> Solution:
> - ---------
> Add 2-factor authentication (passcode requirement) by default and cease
> implicit trust of Caller-ID information.
>
> Credits:
> - --------
> Secure Science Corporation: Lance James, with many thanks to Samy Kamkar
> and Dachb0den Labs.
>
> Disclaimer:
> - -----------
> Secure Science Corporation is not responsible for the misuse of any of
> the information we provide on this website and/or through our security
> advisories. Our advisories are a service to our customers intended to
> promote secure installation and use of Secure Science Corporation
> products.
> - --
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.4 (GNU/Linux)
> Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
>
> iD8DBQFBGos4S5qPmxIxbpkRAhE8AJ936K8F1dfzcCGBHrJH0B4J1mcwiwCgtyBL
> Z5HBN6+R9qVvt1k8tgAyPeI=
> =yDLU
> -----END PGP SIGNATURE-----
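The fix named in the advisory's Solution section (require a passcode by default, stop trusting Caller-ID), shown beside the behaviour its Description reports. This is an added example, not part of the original thread and not any carrier's code; the `Mailbox` class, the function names, the lockout threshold and the 555 numbers are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 3  # assumed lockout threshold, not taken from the advisory


class Mailbox:
    """Hypothetical voicemail box keyed by subscriber number."""

    def __init__(self, number, passcode):
        self.number = number
        self.salt = os.urandom(16)
        self.digest = self._hash(passcode)
        self.failures = 0

    def _hash(self, passcode):
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self.salt, 100_000)

    def check_passcode(self, passcode):
        # Constant-time comparison of the stored and presented passcode hashes.
        return hmac.compare_digest(self.digest, self._hash(passcode))


def weak_access(mailbox, caller_id, passcode=None):
    """Behaviour the advisory reports: a matching Caller-ID skips the passcode."""
    if caller_id == mailbox.number:
        return "granted"
    if passcode is not None and mailbox.check_passcode(passcode):
        return "granted"
    return "denied"


def hardened_access(mailbox, caller_id, passcode=None):
    """Caller-ID is never an authenticator: it is accepted as input but has
    no effect on the decision. The passcode is required on every call."""
    if mailbox.failures >= MAX_FAILURES:
        return "locked"   # short passcodes are guessable, so cap the attempts
    if passcode is None:
        return "prompt"   # ask for the passcode whatever the Caller-ID says
    if mailbox.check_passcode(passcode):
        mailbox.failures = 0
        return "granted"
    mailbox.failures += 1
    return "denied"
```
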