By Bradley J. Bartram, Vice President of Information Technology , Chief Technology Officer
Assume you have two computers that need to communicate with each other. The first computer is a database server that holds customer data and account information. The second computer is some form of application server that allows users to interact with the data being stored on the first computer. There has to be some form of direct communication between the first and second computers. Ideally the first computer should only allow specific users to access its data.
Historically, this process worked well for a little while. When data began being stored on computers that actually had importance and value, less than honest people began to realize data had value, and networks began to get a little bit more public in-scope this all tended to fall apart. It was trivial for an attacker to gain access to the network and then pretend to be a trusted computer and gain access to valuable data.
Networks began to get a little more secure in response. System and network administrators learned to not be so trusting. In current networks, it tends to be the exception rather than the rule to see trusted source authentication. And the pendulum has been swinging towards more security for most of the last decade.
But an interesting deja vu happened to me the other day. While seeing a demo of a website with some security implications, a very interesting discovery was made that recalled earlier trusted source authentication schemes and the associated problems.
The website in question allowed a visitor to purchase “points” or “credits” for as little as $20.00. These points could then be applied to making phone calls via the service with any Caller ID display they wanted. The user could even modulate and mask their voice to sound like a female or a male. Obviously to be used for entertainment purposes only.
The security hole occurs when a user makes a call to someone’s cell phone while masking their caller ID as the destination’s phone number. Essentially, faking the phone into thinking it was calling itself. The call, when bumped to voice mail, did not provide the customary “leave a message” greeting, but instead, led the caller right into the voice mailbox main menu. Even on some phone services where voicemail passwords were set, the telephone system trusted the Caller ID string and gave full access. This is the most likely source of the unauthorized access into Journalist and Celebrities’ voicemails during the famous News Corp scandal a few months ago.
What’s a user to do? From our tests, we found that some providers were much better about this than others. Call your provider and complain about this. Ask them how they handle spoofed caller IDs getting into your voicemail. If you suspect your voicemail has already been compromised, give us a call. We have handled trusted source authentication exploits and we can possibly help.