14 replies to this topic

[ucmysc]

HEY!!!
Does anyone know the backdoor vm number for the ATT iphone....
The number is 630-596-7_ _ _

I need some help with cracking the password as well...
Any info?

Tina

[dual]

Scan it out. http://www.handscan.net/

[decoder]

I think this person is trying to haxor a particular phone, otherwise, why would there be a password involved?

Well, Tina... Post the number again, and one of us will make sure to warn that person.

[Infinite51]

I think this person is trying to haxor a particular phone, otherwise, why would there be a password involved?

Well, Tina... Post the number again, and one of us will make sure to warn that person.

Tina, if you could please provide your computers ip address and Phone number so that we can forward your information to the
proper authorities, and expected time period in which you want to unlawfully access this voicemail system.

Yes Tina, gaining access to someone else's voicemail system without their permission would be constituted as unauthorized
access.

If indeed you are having issues with your voicemail passcode, you can contact AT&T directly:
Reset voicemail password from AT&T's automated system

Call 611 or 800-331-0500
Enter the wireless number starting with area code
Press 3 to “get help with voicemail”
Press 3 to reset your VM password
Enter the Billing Zip code for the account
After a few seconds, iPhone will display "Password Incorrect - Enter Voicemail Password"
Enter the last seven digits of the wireless phone number and tap OK

[decoder]

I think this person is trying to haxor a particular phone, otherwise, why would there be a password involved?

Well, Tina... Post the number again, and one of us will make sure to warn that person.

Tina, if you could please provide your computers ip address and Phone number so that we can forward your information to the
proper authorities, and expected time period in which you want to unlawfully access this voicemail system.

Yes Tina, gaining access to someone else's voicemail system without their permission would be constituted as unauthorized
access.

If indeed you are having issues with your voicemail passcode, you can contact AT&T directly:
Reset voicemail password from AT&T's automated system

Call 611 or 800-331-0500
Enter the wireless number starting with area code
Press 3 to “get help with voicemail”
Press 3 to reset your VM password
Enter the Billing Zip code for the account
After a few seconds, iPhone will display "Password Incorrect - Enter Voicemail Password"
Enter the last seven digits of the wireless phone number and tap OK

Would that reset method work if one were to spoof the Caller ID? Or is AT&T smarter than Sprint?

As relating to another thread, if that were to work, it may, on the surface, look like a problem with Caller ID Spoofing. It isn't.

If Caller ID spoofing were illegal, tricks like that would still work. The technology needs to be changed, not the law.

[Infinite51]

:

Edited by Infinite51, 19 October 2009 - 10:56 AM.

[decoder]

Very interesting, to say the least.

You can still gain access to a Sprint VMB with Caller ID spoofing.

I was with a friend recently. Her phone was dead and she didn't have the charger with her, but she needed to listen to her voicemail. She has it - excuse me, used to have it - set so that she didn't need to enter the password when calling from the phone itself. Needless to say, she had completely forgotten her password, due to never actually using it.

Spoofing got her right in.

Edited by decoder, 03 April 2009 - 01:40 PM.

[Colonel Panic]

Awesome post, Infinite51!

[livinded]

I think this person is trying to haxor a particular phone, otherwise, why would there be a password involved?

Well, Tina... Post the number again, and one of us will make sure to warn that person.

Tina, if you could please provide your computers ip address and Phone number so that we can forward your information to the
proper authorities, and expected time period in which you want to unlawfully access this voicemail system.

Yes Tina, gaining access to someone else's voicemail system without their permission would be constituted as unauthorized
access.

If indeed you are having issues with your voicemail passcode, you can contact AT&T directly:
Reset voicemail password from AT&T's automated system

Call 611 or 800-331-0500
Enter the wireless number starting with area code
Press 3 to “get help with voicemail”
Press 3 to reset your VM password
Enter the Billing Zip code for the account
After a few seconds, iPhone will display "Password Incorrect - Enter Voicemail Password"
Enter the last seven digits of the wireless phone number and tap OK

Would that reset method work if one were to spoof the Caller ID? Or is AT&T smarter than Sprint?

As relating to another thread, if that were to work, it may, on the surface, look like a problem with Caller ID Spoofing. It isn't.

If Caller ID spoofing were illegal, tricks like that would still work. The technology needs to be changed, not the law.

AT&T isn't (or at least wasn't) smarter than sprint. By default it will let you in if you are "calling from your own number" and they only use CID to verify this. You can set a password manually through the options, but there isn't one set by default. I don't know if this has changed, but the last time I checked (over a couple years ago) this was the case.

[Infinite51]

The only carrier that I have found to mandate a password is Verizon. Sprint, Cingular/AT&T, T-Mobile, all to this day still allow you to spoof directly into their voicemail systems, if the customer has setup (dial 1 to allow them to access their voicemail directly). This was the case back in early 2001, when I was working for them, and even today at my last position with AT&T in 2007-2008 I can say that their networks were still wide open. I guess folks you heard it first on DDP, your secure systems that were advertised as "being safe from hackers" are in fact still vulnerable.

Personally from a Security/Ethical Hacker perspective I find this extremely troubling. Not only do we hear about Paris Hilton/ Lindsay Lohan and others being hacked regularly. I can say that several of the employees that I managed, were open to this exploit.

But let's not stop there, how many Merger and Acquisition Attorney, Forensic Accountants, Elected officials do you know that have to safeguard TOP SECRET or very classified information that use one or more of these providers? And what do you think the overall threat level is if their messages are retrieved or deleted without them even knowing?

[Infinite51]

Indeed, William/Decoder is correct. It is not a carrier dependent issue, rather a software/hardware bug. For some reason people like to be able to (hold down that #1 key and access their voicemail without a pass code). Personally, I would love for nothing more than the American Bankers Association and American Bar Association to put out a press release to their members advising them of this issue and how to take proper preventive means to address it. Yet, more than likely only 20% of its members would be exposed to the advice and head the warning.

So we are back at square one. As far as I know California is the only state AG's office that has successfully sued any of the providers for this bug. And it was not for not taking actions to fix the software/hardware coding bug, but rather for falsely advertising that the issue did not exist.

[decoder]

It's not a bug, it's a feature! Seriously. It's an "ease of use" or "shortcut" feature. And it's stupid.

[ThoughtPhreaker]

On GSM networks, *#67# SEND will tell you the voicemail access number. Also, the newer Anypath VMSes on VZW don't have you enter a password by default, just the older Converse ones.

Edited by ThoughtPhreaker, 02 April 2009 - 11:16 PM.

[Infinite51]

My apologies Decoder, you are absolutely correct, it is not a bug and is indeed a feature! The 'shortcut feature' is enabled on many Voicemail platforms so that customers can bypass entering a passcode. I would also agree the feature is extremely stupid, especially when it has been listed in the National Vulnerability Database (which is the 'US government’s repository of known vulnerability data) for several years now.

As for the reason I referenced it as a bug, is that the feature should have NEVER been in place to begin with. I remember when Sprint first rolled out this feature in early 2001 and we were encouraged to tell our customers about this great benefit. It was and still today is considered a feature, and I know many individuals who have VERY classified or legally privileged messages being left on their cell phone voicemail. That could easily be accessed by a partner in their firm, opposing counsel or even someone who is out to get them.

Let’s face it people do many stupid things, I have witnessed individuals put their ATM pin number on the back of their ATM card so that they would not forget it. These same individuals are surprised when they accidently leave behind or lose their wallets and criminals withdraw money from the customer’s bank account.

[decoder]

It is certainly true that many "features" can, indeed, be accurately described as "bugs."

Fuck, some entire platforms can be described as bugs!