Voicemail systems are vulnerable to compromise via brute-force attacks against the four-digit personal identification numbers (PINs) that protect them. Researchers say a malicious user can thus access the voicemail system to then take over online accounts for services like WhatsApp, PayPal, LinkedIn and Netflix.
Martin Vigo, a mobile security expert who presented his research here on Thursday at 35C3, warns that PINs that protect voicemail systems are far easier to crack than traditional passwords are a weak link that can lead to hacked-account results.
“Automated phone calls are a common solution for password resets, account verification and other services,” Vigo said. “These can be compromised by leveraging old weaknesses and current technology to exploit this weakest link – voicemail systems.”