Forgot your password?
typodupeerror
Security Businesses Google The Internet

Google Voice Fixes Security Flaw, Almost 55

Posted by samzenpus
from the almost-got-it-that-time dept.
gardel writes "Google appears to have fixed a significant security hole in its two-week-old Voice calling service though some vulnerabilities remain. Until about 7pm PDT Tuesday, an unauthorized party could use a SIP device to spoof a phone number attached to a Google Voice account to call the Google Voice number, giviing the spoofer access to greetings and voicemail, and the ability to make outbound calls, including expensive international calls. Though spoofing via SIP is no longer possible, continued existence of some vulnerability was still apparent Tuesday night. Voxilla was able to set the caller ID of a PBX extension to a mobile number attached to Google Voice account and call in, using a business VoIP trunk, to gain access."
This discussion has been archived. No new comments can be posted.

Google Voice Fixes Security Flaw, Almost

Comments Filter:
  • by Kawahee (901497)

    giviing (sic) the spoofer access to greetings and voicemail

    I refer you to my signature:

    • Re: (Score:2, Funny)

      by Anonymous Coward

      giviing (sic) the spoofer access to greetings and voicemail

      I refer you to my signature:

      And I refer you to how to properly use sic [wikipedia.org], which is to say: It should be enclosed in square brackets, not in parenthesis.

      Gosh, now I can feel smugly superior, too!

      • Re: (Score:1, Offtopic)

        by Tubal-Cain (1289912)
        Shame on you. Neither the square brackets you reprimanded him for getting wrong, nor italicized.

        And I refer you to how to properly use [sic]...

        FTFY

      • by Xtifr (1323)

        Great, so don't pay him for his post. But—unlike the slashdot "editors"—he's not actually asking to be paid for his postings, so that's kind of a big difference.

    • Re: (Score:2, Funny)

      by Aranykai (1053846)

      Not a typo, this article was merely written by the brilliant minds that brought us the Nintendo Wii

      • Re: (Score:2, Offtopic)

        by numbsafari (139135)

        Oh no you diint!

      • by drinkypoo (153816)

        Not a typo, this article was merely written by the brilliant minds that brought us the Nintendo Wii

        It had to be 'Wii', because 'We' is heavily encumbered, and 'Wi' would be pronounced like "Why", which is not a question they want to be asking - some other video game manufacturer will be happy to tell you.

  • by conner_bw (120497) on Wednesday March 25, 2009 @08:50PM (#27337713) Homepage Journal

    Where expensive is an arbitrary number between the inability to use an internet chat program and proprietary price gouging?

  • Phreakers (Score:5, Funny)

    by Anonymous Coward on Wednesday March 25, 2009 @08:53PM (#27337731)

    Hackers, meet the Phreakers, Phreakers, meet the Hackers. Have fun!!

  • by BitZtream (692029) on Wednesday March 25, 2009 @09:01PM (#27337771)

    Not the google actually does, but you'll find plenty of VoIP setups that you can trick this way.

    Its too simple to configure these setups to trust outside caller id info (which is trivial to fake since most of the time no one checks to make sure the info being sent is allowed from the line) and to use that info for authentication to voicemail automatically.

    Its kind of like considering * a trusted host for rsh/rcp and when you turn a nice pointy/clicky gui over to a random person to admin your phone system, it ends up happening pretty often. Save money right up till you get that massive phone bill cause some guy was bouncing calls off you.

    • by BitZtream (692029)

      Or they authenticate SIP phones by using their phone number as a password.

    • Re: (Score:1, Interesting)

      by Anonymous Coward

      Well, it is not only a "VoIP" problem. You still can access Metro PCS cellphones voicemail boxes that way. I used to check all my girlfriends' voicemails and be able to delete the ones I wanted, simply by setting the caller ID on my Asterisk as theirs.
      Now, Metro PCS tells the users to create a password to secure their mailboxes. But, still, if your dtmf is working right, you can enter their passwords and keep looking into their voicemail boxes. Usually girls' passwords are really easy to guess: their body m

  • This sort of thing really is inevitable. With the merging of more and more systems onto the internet, you're going to have a lot more malicious people much more accessible to your data. It used to be phone networks were either too slow, or just too inaccessible for all but really determined people, or one that has a captain crunch whistle... but now, even the dumbest script kiddie can begin to go after systems that have even small vulnerabilities.
  • 2600 plz (Score:4, Funny)

    by Anonymous Coward on Wednesday March 25, 2009 @09:55PM (#27338079)

    I took down google voice with my captain crunch whistle.

  • by Em Ellel (523581) on Wednesday March 25, 2009 @10:45PM (#27338247)

    Voxilla was able to set the caller ID of a PBX extension to a mobile number attached to Google Voice account and call in, using a business VoIP trunk, to gain access.

    This has been true since early days of Grand Central. I really hope they would fix this, but I doubt they will. Basically, everyone knows you can't trust Caller ID, , but they chose to do so anyway. I bet this was a business decision to allow easier use of the voicemail in order to compete with cellphone provider voicemail.

    -Em

    • by ximenes (10)

      On the plus side, they did add some settings if you're concerned about this. Under Advanced Settings for each phone, you can now control whether or not it requires a PIN to access voicemail.

      With Grand Central, devices listed as 'mobile' just got special treatment, but now it's a little finer grained.

      I'm not really sure how else they could handle this, besides just eliminating the PIN-less voicemail and account control features entirely or having the default as off with big warnings about the boogeymen who w

  • by sam0737 (648914) <samNO@SPAMchowchi.com> on Wednesday March 25, 2009 @10:58PM (#27338289)

    It's just some data that can be faked. As long as you have a trunk line like T1 to the Telco, or something similar, you are responsible to generate the Caller ID instead of the Telco.

    So what's so surprising here? It just doesn't work to use it for authentication.

    • Re: (Score:1, Interesting)

      by Anonymous Coward

      And yet, so many agencies, such as credit card companies, require that you phone in from your "home phone" to activate new cards.

      Just because you seem to have figured out that it "doesn't work to use it for authentication", does not mean that it is commonly accepted of how unreliable it truly is and continues to be. Public attention (at least by "security professionals") needs to have more and updated education on best practices. Maybe you might consider being a trainer?

      • by realperseus (594176) on Thursday March 26, 2009 @12:26AM (#27338623)
        And yet, so many agencies, such as credit card companies, require that you phone in from your "home phone" to activate new cards.

        Credit card companies use ANI (automatic number identification) instead of CPN (calling party number) for their "authentication". HUGE difference there as ANI cannot be spoofed.. .

        • Re: (Score:3, Informative)

          HUGE difference there as ANI cannot be spoofed..

          Yes it can, just as easily as CID.

          • by 222 (551054)
            Under certain conditions, it can be. To say it can happen just as easily as CID is misleading at best, though.
      • The odds of your unactivated card falling into the hands of somebody who has the ability to modify the Caller ID info is most likely pretty slim.

        And having a card fall into the hands of somebody spoofing Caller ID to activate them means said person is doing some serious criminal shit. In other words, having the card activated is the least of anybody's worry.

        In other words, security is a balance. Activating your card from a "home phone" just weeds out casual criminals who stumble on your mail--not hard-cor

  • What does it take to get into Grand Central? I've been signing up over and over for a year now.
    • by RJFerret (1279530)

      It seems they are transitioning GrandCentral users first? In the future there's an expectation of being able to offer invites à la original gmail.

      However, availability of numbers in areas you want might be limited still?

      I have a local friend who signed up about a week before the Google Voice transition announcement who hasn't heard back either.

  • Wasn't the CIP device destroyed? Is there a second CIP device that Starkwood was keeping in reserve? And what the hell does Google have to do with anything?
    • Just wait. It will turn out that Bauer was exposed to a techno-organic virus that turns him into a CIP device that is organic and plays techno.

Recent investments will yield a slight profit.

Working...