voicemailautomator is a tool that serves as a Proof of Concept for the research I presented at DEF CON 26, “Compromising online accounts by cracking voicemail systems”.
For details and demos please check: https://www.martinvigo.com/voicemailcracker
Demo
Fast
voicemailcracker uses Twilio, a VoIP service that allows you to programmatically manage phone calls. voicemailcracker launches hundreds of phone calls at the same time to interact with voicemail systems and bruteforce the PIN.
Cheap
Bruteforcing the entire 4-digit keyspace costs less than $40. If you want to ensure a 50% chance of guessing the PIN correctly (according to Data Genetics research), it would cost you only $5. If you want to take a different approach, you can check a thousand different voicemails for the default PIN for only $13.
Easy
voicemailcracker comes with specific payloads for every major US carrier and automates everything. You only need to provide the victim’s phone number, the carrier, and the callerID provided by Twilio, that’s all.
Efficient
voicemailcracker uses Data Genetics research to optimize bruteforcing. It will favor common PINs, default PINs and patterns. It also tries multiple PINs at the same time to reduce the number of calls needed.
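Parallel calls and several PINs per call get around any limit that is enforced per call, so the matching defence is to count wrong PINs per mailbox. The following is an added example, not part of voicemailcracker or the original page; the class name, thresholds and replayed events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

class MailboxLockout:
    """Counts wrong PINs per mailbox (not per call) inside a sliding window."""

    def __init__(self, max_failures=5, window_s=3600, lock_s=86400):
        self.max_failures, self.window_s, self.lock_s = max_failures, window_s, lock_s
        self._failures = defaultdict(deque)  # mailbox -> timestamps of wrong PINs
        self._locked_until = {}              # mailbox -> time remote access reopens

    def is_locked(self, mailbox, now):
        return self._locked_until.get(mailbox, 0) > now

    def record_failure(self, mailbox, now):
        """Register one wrong PIN; return True if the mailbox is locked afterwards."""
        if self.is_locked(mailbox, now):
            return True
        q = self._failures[mailbox]
        q.append(now)
        while q and q[0] <= now - self.window_s:  # drop failures older than the window
            q.popleft()
        if len(q) >= self.max_failures:
            self._locked_until[mailbox] = now + self.lock_s
            q.clear()
            return True
        return False

def checked_with_mailbox_lockout(events, lockout):
    """Replay (time, call_id, mailbox) wrong-PIN events; count PINs actually checked."""
    checked = 0
    for ts, _call, mailbox in events:
        if lockout.is_locked(mailbox, ts):
            continue                         # PIN prompt refused while locked
        checked += 1
        lockout.record_failure(mailbox, ts)
    return checked

def checked_with_per_call_limit(events, per_call_limit=3):
    """Same replay when the only limit is N wrong PINs per individual call."""
    per_call = defaultdict(int)
    checked = 0
    for _ts, call, _mailbox in events:
        if per_call[call] < per_call_limit:
            per_call[call] += 1
            checked += 1
    return checked

# Constructed sample: 100 parallel calls, 3 wrong PINs each, against one mailbox.
SAMPLE = sorted((1000.0 + n, call, "5555555555") for call in range(100) for n in range(3))

if __name__ == "__main__":
    print(checked_with_per_call_limit(SAMPLE), checked_with_mailbox_lockout(SAMPLE, MailboxLockout()))
```

With the per-call limit every one of the replayed PIN entries is evaluated; with the per-mailbox counter the prompt closes after `max_failures` entries regardless of how many calls are open.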
Undetected
Instead of call flooding, we can use OSINT techniques to find out when the victim has the phone disconnected. It is very common for people to share their plans on Twitter, like when they are flying, in the movie theater or going on a remote trip. The phone may also be set to Do Not Disturb overnight.
DEF CON 26 talk
Setup
You will need a funded Twilio account, set up TwiML bins and configure localtunnel.me to accept Webhooks. Check the “Twilio setup” section in the script and add the missing information:
account_sid = "" # Obtain from Twilio
auth_token = "" # Obtain from Twilio
twimlPayloadChangeGreeting = "" # <?xml version="1.0" encoding="UTF-8"?><Response><Pause length="10"/><Hangup/></Response>
twimlPayloadChangeGetNewestMessage = "" # <?xml version="1.0" encoding="UTF-8"?><Response><Pause length="10"/><Hangup/></Response>
status_callback_url = "" # Obtain from localtunnel.me
Usage
python voicemailcracker.py message --victimnumber 5555555555 --carrier tmobile --callerid 4444444444 --backdoornumber 3333333333 --pin 0000
python voicemailcracker.py greeting --victimnumber 5555555555 --carrier tmobile --callerid 4444444444 --backdoornumber 3333333333 --pin 0000 --payload 1234
Authors
Martin Vigo - @martin_vigo - martinvigo.com