I just hacked your AT&T voicemail

Kidding. But what I discovered by accident last night is that many AT&T voicemail boxes are unprotected by default, even if you have a PIN.

You can test whether your voicemail is vulnerable by calling your own number from your cell phone. If you are prompted for a password, you are safe.

If you are not prompted for a password, that is AT&T’s way of making your life easy. After all, AT&T knows it is just you calling yourself, so why should they prompt you for your password? Well, because other people can “spoof” your cell phone caller ID and access your voicemail.

Using my telephony superpowers (they come with owning a phone company), I conducted some tests with willing participants and validated this issue. I even called AT&T to let them know there was a problem. As it turns out, this has been a known issue for about a year now.

My thinking is that this largely affects iPhone users rather than those with non-smartphones. Here’s how this plays out:

You go to the Apple Store and purchase your shiny new iPhone. During the purchase, the sales associate asks you for a PIN. The first time you try to access Visual Voicemail, you are prompted for the PIN. If you call your iPhone from another phone, you may have pressed * to access your voicemail box, in which case you are prompted to enter your PIN. So your voicemail is secure, right? Ummm, no.

By default, the PIN is not required when you call your voicemail from your own phone. You have to enable your PIN explicitly. Here’s how:

  1. Call your voicemail
  2. Listen to and save/delete any outstanding messages
  3. Press 4 to go to “Personal Options”
  4. Press 2 to go to “Administrative Options”
  5. Press 1 to go to “Password”
  6. Press 2 to turn your password “ON”

Hang up and call your voicemail again from your iPhone to confirm you are now prompted for your password.

I haven’t heard back from AT&T yet, but they are aware of this issue. Yep. Uh huh.

Seems like someone should set up a war dialer to call every AT&T customer’s voicemail and enable their passwords for them. Then again, AT&T could just do this for their customers. Or not.