September 5, 2009
To be more precise, the security hole is in the network (AT&T's network) the iPhone uses. I noticed this problem while working on a voice-enabled application using Asterisk and was surprised to see that my voicemail is wide open to the public. I later found out that this has been reported earlier by various folks (here and here), but it seems it is not fixed yet. So if you own an iPhone (or any other phone, for that matter) on the AT&T network, please keep reading and I'll show you how to fix the problem yourself.
So what is the problem?
Others can listen to your voicemail, change your personal greeting and other settings. AT&T voicemail identifies the user based on the incoming caller ID: if the caller ID matches your phone number, it assumes that you are calling yourself to check voicemail and drops you straight into the voicemail menu (if you don't have a password set).
Am I protected or Not?
Call your own number from your phone (by dialing 1 or by dialing your number). If you are prompted for a password, then you are fine. If it takes you directly to the voicemail menu, then you are NOT secured. See how to set a password below.
How to protect my voice mail?
- Dial 1 to call voicemail from your phone
- Press * to get to the voicemail Main Menu
- Press 4 for Personal Options
- Press 2 for Administrative Options
- Press 1 for Passwords
- Press 2 to turn the password on
- Select any random 4- to 14-digit password
Why am I blogging this?
I don't know whether new AT&T users are now forced to set a password, but when I got my phone a couple of years back, my voicemail was set up without a password. It turned out that most of my friends with iPhones also don't have a password set for voicemail, simply because they are not aware of the security hole. With easy access to open-source PBXs like Asterisk or spoofing calling cards, it's not hard to exploit this security hole. So if this blog helps people realize how important it is to set a password, then my job is done.
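To make the point concrete, here is a small model (added for this post; it is not AT&T's code and not the author's) of the login decision described under "So what is the problem?": the weak policy treats caller ID as proof of identity and skips the PIN when none is set, while the hardened policy uses caller ID only to pick the mailbox and always demands a PIN. Mailbox numbers and PINs are constructed sample data, and the `unprotected_mailboxes` check is the "Am I protected?" test from above applied to every mailbox.

```python
# Added example: toy model of caller-ID-based voicemail login (not AT&T's code).
# Sample mailbox numbers and PINs below are constructed for illustration.
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Mailbox:
    number: str
    pin: Optional[str] = None  # None means "password not turned on"


class VoicemailSystem:
    def __init__(self, mailboxes: Dict[str, Mailbox], trust_caller_id: bool):
        self.mailboxes = mailboxes
        # Weak policy: caller ID is accepted as proof of identity.
        # Hardened policy: caller ID only selects the mailbox; a PIN is always required.
        self.trust_caller_id = trust_caller_id

    def login(self, caller_id: str, mailbox_number: str, pin_entered: Optional[str]) -> str:
        """Return 'menu' (access granted), 'pin_prompt' (PIN required) or 'denied'."""
        box = self.mailboxes.get(mailbox_number)
        if box is None:
            return "denied"
        if self.trust_caller_id and caller_id == box.number and box.pin is None:
            # Caller ID is set by the calling PBX, so this branch is an
            # authentication bypass, not a convenience feature.
            return "menu"
        if box.pin is None:
            # Hardened policy: a mailbox without a PIN cannot be opened remotely.
            return "denied"
        if pin_entered is None:
            return "pin_prompt"
        # Constant-time compare so timing does not leak PIN digits.
        return "menu" if hmac.compare_digest(pin_entered, box.pin) else "denied"

    def unprotected_mailboxes(self) -> List[str]:
        """The post's 'Am I protected?' check: does calling yourself skip the PIN?"""
        return sorted(n for n, b in self.mailboxes.items()
                      if self.login(b.number, n, None) == "menu")


SAMPLE = {"2125550100": Mailbox("2125550100"),             # password never set
          "2125550199": Mailbox("2125550199", pin="4821")}  # password turned on

if __name__ == "__main__":
    weak = VoicemailSystem(SAMPLE, trust_caller_id=True)
    print(weak.unprotected_mailboxes())  # ['2125550100']
```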
The opinions expressed in this blog post are my own and not those of any company. The usual standard disclaimer applies, especially the fact that I am not liable for any damages caused by direct or indirect use of this information. I bear NO responsibility for the content or misuse of this information or any derivatives thereof. This post is in NO WAY intended to blame anyone, especially AT&T. They may have already posted about this issue somewhere on their website.