{"id":36,"date":"2011-06-08T14:06:37","date_gmt":"2011-06-08T22:06:37","guid":{"rendered":"http:\/\/chrismiller.com\/wordpress\/?p=36"},"modified":"2017-06-11T15:08:13","modified_gmt":"2017-06-11T23:08:13","slug":"i-just-hacked-your-att-voicemail","status":"publish","type":"post","link":"https:\/\/chrismiller.com\/wordpress\/i-just-hacked-your-att-voicemail\/","title":{"rendered":"I just hacked your AT&#038;T voicemail"},"content":{"rendered":"<p><!--adsense--><\/p>\n<p>Kidding. But what I discovered on accident last night is that many AT&#038;T voicemail boxes are unprotected by default, even if you have a PIN number.<\/p>\n<p>You can test your voicemail to see if it&#8217;s vulnerable by calling yourself from your cell phone. If you are prompted for a password, you are safe.<\/p>\n<p>If you are not prompted for a password, it&#8217;s AT&#038;T&#8217;s way of making your life easy. After all AT&#038;T knows you are just you calling yourself, so why should they prompt you for your password? Well, because other people can &#8220;spoof&#8221; your cell phone callerID, and access your voicemail.<\/p>\n<p>Using my telephony superpowers (comes with owning a <a href=\"http:\/\/scruztel.com\/\">phone company<\/a>), I conducted some tests with willing participants and validated this issue. Even called AT&#038;T to let them know there was an issue. As it turns out, this has been a known issue for about a year now.<\/p>\n<p>My thinking is that this largely affects iPhone users rather than those with non-smart-phones. Here&#8217;s how this plays out;<\/p>\n<p>You go to the Apple Store and purchase your shiney new iPhone. During the purchase, the sales associate requests a PIN number. The first time you try to access Visual Voicemail, you are prompted for the PIN. If you call your iPhone from another phone, you may have pressed * to access your voicemail box, in which case you are prompted to enter your PIN. So your voicemail is secure, right? Ummm, no.<\/p>\n<p>By default, the PIN is not enabled if you call your voicemail from your own phone. You have to enable your PIN explicitly. Here&#8217;s how;<\/p>\n<ol>\n<li>Call your voicemail<\/li>\n<li>Listen to and save\/delete and outstanding messages<\/li>\n<li>Press 4 to go to \u201cPersonal Options\u201d<\/li>\n<li>Press 2 to go to \u201cAdministrative Options\u201d<\/li>\n<li>Press 1 to go to \u201cPassword\u201d<\/li>\n<li>Press 2 to turn your password \u201cON\u201d<\/li>\n<\/ol>\n<p>Hang-up and call your voicemail again from your iPhone to confirm you are protected.<\/p>\n<p>I haven&#8217;t heard back from AT&#038;T yet, but <a href=\"http:\/\/www.wireless.att.com\/learn\/popups\/voicemail-security.jsp\">they are aware of this issue<\/a>. Yep. Uh huh.<\/p>\n<p>Seems like someone should setup a war dialer to call all AT&#038;T customer&#8217;s voicemail and enable their passwords for them. Then again, AT&#038;T could just do this for their customers. Or not.<\/p>\n<p>Chris<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Kidding. But what I discovered on accident last night is that many AT&#038;T voicemail boxes are unprotected by default, even if you have a PIN number. You can test your voicemail to see if it&#8217;s vulnerable by calling yourself from your cell phone. If you are prompted for a password, you are safe. If you are not prompted for a&#8230;<\/p>\n","protected":false},"author":142,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[22],"tags":[],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.9 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>I just hacked your AT&amp;T voicemail - Chris Miller<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/chrismiller.com\/wordpress\/i-just-hacked-your-att-voicemail\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"I just hacked your AT&amp;T voicemail - Chris Miller\" \/>\n<meta property=\"og:description\" content=\"Kidding. But what I discovered on accident last night is that many AT&#038;T voicemail boxes are unprotected by default, even if you have a PIN number. You can test your voicemail to see if it&#8217;s vulnerable by calling yourself from your cell phone. If you are prompted for a password, you are safe. If you are not prompted for a...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/chrismiller.com\/wordpress\/i-just-hacked-your-att-voicemail\/\" \/>\n<meta property=\"og:site_name\" content=\"Chris Miller\" \/>\n<meta property=\"article:published_time\" content=\"2011-06-08T22:06:37+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2017-06-11T23:08:13+00:00\" \/>\n<meta name=\"author\" content=\"Chris Miller\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Chris Miller\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/chrismiller.com\/wordpress\/i-just-hacked-your-att-voicemail\/\",\"url\":\"https:\/\/chrismiller.com\/wordpress\/i-just-hacked-your-att-voicemail\/\",\"name\":\"I just hacked your AT&T voicemail - Chris Miller\",\"isPartOf\":{\"@id\":\"https:\/\/chrismiller.com\/wordpress\/#website\"},\"datePublished\":\"2011-06-08T22:06:37+00:00\",\"dateModified\":\"2017-06-11T23:08:13+00:00\",\"author\":{\"@id\":\"https:\/\/chrismiller.com\/wordpress\/#\/schema\/person\/0c9fae995316a61906eadac5d44662b9\"},\"breadcrumb\":{\"@id\":\"https:\/\/chrismiller.com\/wordpress\/i-just-hacked-your-att-voicemail\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/chrismiller.com\/wordpress\/i-just-hacked-your-att-voicemail\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/chrismiller.com\/wordpress\/i-just-hacked-your-att-voicemail\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/chrismiller.com\/wordpress\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"I just hacked your AT&#038;T voicemail\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/chrismiller.com\/wordpress\/#website\",\"url\":\"https:\/\/chrismiller.com\/wordpress\/\",\"name\":\"Chris Miller\",\"description\":\"Observations and Musings\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/chrismiller.com\/wordpress\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/chrismiller.com\/wordpress\/#\/schema\/person\/0c9fae995316a61906eadac5d44662b9\",\"name\":\"Chris Miller\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/chrismiller.com\/wordpress\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/2cf7cbf0b61bfbef0e04122c3e57d6ac?s=96&d=mm&r=pg\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/2cf7cbf0b61bfbef0e04122c3e57d6ac?s=96&d=mm&r=pg\",\"caption\":\"Chris Miller\"},\"sameAs\":[\"http:\/\/chrismiller.com\"],\"url\":\"https:\/\/chrismiller.com\/wordpress\/author\/chris\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"I just hacked your AT&T voicemail - Chris Miller","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/chrismiller.com\/wordpress\/i-just-hacked-your-att-voicemail\/","og_locale":"en_US","og_type":"article","og_title":"I just hacked your AT&T voicemail - Chris Miller","og_description":"Kidding. But what I discovered on accident last night is that many AT&#038;T voicemail boxes are unprotected by default, even if you have a PIN number. You can test your voicemail to see if it&#8217;s vulnerable by calling yourself from your cell phone. If you are prompted for a password, you are safe. If you are not prompted for a...","og_url":"https:\/\/chrismiller.com\/wordpress\/i-just-hacked-your-att-voicemail\/","og_site_name":"Chris Miller","article_published_time":"2011-06-08T22:06:37+00:00","article_modified_time":"2017-06-11T23:08:13+00:00","author":"Chris Miller","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Chris Miller","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/chrismiller.com\/wordpress\/i-just-hacked-your-att-voicemail\/","url":"https:\/\/chrismiller.com\/wordpress\/i-just-hacked-your-att-voicemail\/","name":"I just hacked your AT&T voicemail - Chris Miller","isPartOf":{"@id":"https:\/\/chrismiller.com\/wordpress\/#website"},"datePublished":"2011-06-08T22:06:37+00:00","dateModified":"2017-06-11T23:08:13+00:00","author":{"@id":"https:\/\/chrismiller.com\/wordpress\/#\/schema\/person\/0c9fae995316a61906eadac5d44662b9"},"breadcrumb":{"@id":"https:\/\/chrismiller.com\/wordpress\/i-just-hacked-your-att-voicemail\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/chrismiller.com\/wordpress\/i-just-hacked-your-att-voicemail\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/chrismiller.com\/wordpress\/i-just-hacked-your-att-voicemail\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/chrismiller.com\/wordpress\/"},{"@type":"ListItem","position":2,"name":"I just hacked your AT&#038;T voicemail"}]},{"@type":"WebSite","@id":"https:\/\/chrismiller.com\/wordpress\/#website","url":"https:\/\/chrismiller.com\/wordpress\/","name":"Chris Miller","description":"Observations and Musings","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/chrismiller.com\/wordpress\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/chrismiller.com\/wordpress\/#\/schema\/person\/0c9fae995316a61906eadac5d44662b9","name":"Chris Miller","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/chrismiller.com\/wordpress\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/2cf7cbf0b61bfbef0e04122c3e57d6ac?s=96&d=mm&r=pg","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/2cf7cbf0b61bfbef0e04122c3e57d6ac?s=96&d=mm&r=pg","caption":"Chris Miller"},"sameAs":["http:\/\/chrismiller.com"],"url":"https:\/\/chrismiller.com\/wordpress\/author\/chris\/"}]}},"_links":{"self":[{"href":"https:\/\/chrismiller.com\/wordpress\/wp-json\/wp\/v2\/posts\/36"}],"collection":[{"href":"https:\/\/chrismiller.com\/wordpress\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/chrismiller.com\/wordpress\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/chrismiller.com\/wordpress\/wp-json\/wp\/v2\/users\/142"}],"replies":[{"embeddable":true,"href":"https:\/\/chrismiller.com\/wordpress\/wp-json\/wp\/v2\/comments?post=36"}],"version-history":[{"count":3,"href":"https:\/\/chrismiller.com\/wordpress\/wp-json\/wp\/v2\/posts\/36\/revisions"}],"predecessor-version":[{"id":202,"href":"https:\/\/chrismiller.com\/wordpress\/wp-json\/wp\/v2\/posts\/36\/revisions\/202"}],"wp:attachment":[{"href":"https:\/\/chrismiller.com\/wordpress\/wp-json\/wp\/v2\/media?parent=36"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/chrismiller.com\/wordpress\/wp-json\/wp\/v2\/categories?post=36"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/chrismiller.com\/wordpress\/wp-json\/wp\/v2\/tags?post=36"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}