Flaws in popular Internet-based telephony systems could be exploited to create a network of hacked phone accounts, somewhat like the botnets that have been wreaking havoc with PCs for the past few years.
An attacker could gain access to accounts using techniques discovered by the researchers, then use a low-cost PBX (private branch exchange) program to make thousands of calls through those accounts.
The calls would be virtually untraceable, so attackers could set up automated messaging systems to try and steal sensitive information from victims, an attack known as vishing. The calls might be a recorded message asking the recipient to update their bank account details, for example.
“If I steal a bunch of [Skype accounts], I can set up [a PBX] to round-robin all those numbers, and I can set up a virtual Skype botnet to make outbound calls. It would be hell on wheels for a phisher and it would be a hell of an attack for Skype,” James said.
In Google Voice, the attacker could even intercept or snoop on incoming calls, James said. To intercept a call, the attacker would use a feature called Temporary Call Forwarding to add another number to the account, then use free software such as Asterisk to answer the call before the victim ever heard a ring.
By then pressing the star symbol, the call could then be forwarded to the victim’s phone, giving the attacker a way to listen in on the call.
Secure Science researchers were able to access accounts they had set up using an online service called spoofcard, which allows users to make it appear as though they are calling from any number they wish.
Spoofcard has been used in the past to access voicemail accounts. Most famously, it was blamed when actress Lindsay Lohan’s BlackBerry account was hacked three years ago and then used to send inappropriate messages.
The attacks on Google Voice and Skype use different techniques, but essentially they both work because neither service requires a password to access its voicemail system.
For the Skype attack to work, the victim would have to be tricked into visiting a malicious Web site within 30 minutes of being logged into Skype. In the Google Voice attack (pdf), the hacker would first need to know the victim’s phone number, but Secure Science has devised a way to figure this out using Google Voice’s Short Message Service (SMS).
Google patched the bugs that enabled Secure Science’s attack last week and has now added a password requirement to its voicemail system, the company said in a statement. “We have been working in coordination with Secure Science to address the issues they raised with Google Voice, and we have already made several improvements to our systems,” the company said. “We have not received any reports of any accounts being accessed in the manner described in the report, and such access would require a number of conditions to be met simultaneously.”