L0pht Answering Machine Advisory

From: Dr. Mudge (mudgeat_private)
Date: Wed Sep 09 1998 - 10:20:26 PDT

    [ Preface: The world is rapidly moving towards extremely coupled hardware
    and software security mechanisms. This is seen in everything from
    i-buttons, smart-cards, biometrics (ewww!), security token cards, etc.
    Often times people don't/can't see the things in their lives that they
    depend upon the security of when they are right in front of them. To this
    end we decided to document some problems with the common household
    answering machine. We hope it is enjoyable and elicits thoughts about how
    weak security in this world really is. Cheers, .mudge ]
    
    Document:       L0pht Security Advisory
    URL Origin:     http://www.l0pht.com/advisories.html
    Release Date:   September 8th, 1998
    Application:    Telephone Answering Machines
    Severity:       Users can access supervisory functions of various
                    answering machines
    Author:         kingpinat_private
    Operating Sys:  None
    Hardware:       AT&T Model 1320 and various other answering machines
    
    Poorly implemented security with answering machines has been a known fact
    for years.  The problem is that such answering machine security has been
    happily accepted by the general public, so it continues to be weak. For
    those who have been living in a hole, most answering machines have an
    easily guessed 2- or 3-digit password which will allow a remote user to
    check messages, administer the answering machine, etc. To prevent
    unauthorized hacker attacks, some answering machines will prevent more
    than a certain number of attempts. Many more have no prevention methods at
    all. Why the security hasn't been enhanced in recent years is beyond me -
    the threat of an unauthorized intruder to your answering machine is a
    great possibility considering the ease.
    
    I have recently come across an answering machine that has a supposedly
    "secure" 3-digit password (which would have a maximum of 10^3, or 1000,
    password combinations) - The AT&T Model 1320. Guessing a 2- or 3-digit
    password takes no skill at all, but it is time consuming. The AT&T Model
    1320 has the password hardwired into the circuit board with a combination
    of jumpers (either shorted or not shorted to select the number). The
    three-digit number is set at the factory and the password is printed on
    the inside of the answering machine cover (another flaw: easily accessible
    by anyone within arm's reach of the answering machine).  I had come across
    two of these answering machines, one functioning, one not. Upon cracking
    the broken one open to scavenge for parts (we pay for L0pht out of our own
    pockets, remember?), I noticed an interesting 2-column by 3-row table
    silkscreened onto the main printed circuit board, resembling the
    following:
    
                o---o      o   o
    
    Digit #1      3          4
    Digit #2      7          8
    Digit #3      1          2          5          6
    
    By observing the above table, you see that the password is a 3-digit
    combination, although this model of answering machine only allows the use
    of an extremely limited range of numbers! Because of this, the maximum
    possible number of combinations is reduced from 1000 to 2*2*4 = 16:
    
    371, 372, 375, 376, 381, 382, 385, 386, 471, 472, 475, 476, 481, 482, 485,
    486
    
    Unbelievable, yet true.
    
    Many more varieties of answering machines are guilty of similar
    in-security practices, such as the AT&T Model 1504 (2-digit password),
    AT&T Model 1511 (2-digit password) and Southwestern Bell Freedom Phone
    FA965 (3-digit password).
    
    Other variations of answering machines are only looking for the specific
    combination, regardless of how many attempts of combinations or how many
    digits have been pressed.  In this example, from a letter published in
    2600 Magazine: The Hacker's Quarterly (www.2600.com), an answering machine
    of this type with a 2-digit code can be accessed with the following
    keystroke combination:
    
    001122334455667788991357902468036925814715937049483827261605173950628408529630074197
    531864209876543210
    
    If you examine the above string, every two-digit number combination has
    been entered (00, 01, 11, 12, etc.) Keep in mind that that string is the
    maximum amount of numbers you would need to enter to access that box. On
    average, you'd enter about half.
    
    An unverified theory of a security flaw is with regards to the
    older-generation answering machines that use register/flag based password
    protection. Those types of answering machines are basically checking to
    see if the correct digits have been entered, regardless of order. In an
    example for an answering machine with a 2-digit password, the entire
    keyspace might be represented by: 01234567890123456789.
    
    This advisory is just a simple reminder of the obvious security flaws
    within common answering machines, which are used in tens of millions of
    households worldwide.
    
    As far as privacy is concerned, with such a focus on Internet security, I
    think most people forgot about the easy vulnerabilities with common
    household items. Monitoring answering machines is a trivial task and the
    security needs to be enhanced, because I, for one, prefer to keep my
    messages for my ears only. And to think I used to USE one of these
    models...
    
    Kingpin <kingpinat_private>, 9/8/98
    
    -------------------------------------------------------------------------------
    For more L0pht (that's L - zero - P - H - T) advisories check out:
    http://www.l0pht.com/advisories.html
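
The 2-digit keystroke string quoted in the advisory above only works because that type of machine matches the code anywhere in the key stream and never counts attempts. The following added example (not part of the original advisory) feeds that string to a model of such a checker and to a hardened one; the hardened design, its three-attempt limit and all function names are assumptions made for illustration.

```python
import hmac

# Keystroke string quoted in the advisory, joined across its line wrap.
ADVISORY_STRING = (
    "001122334455667788991357902468036925814715937049483827261605"
    "173950628408529630074197531864209876543210"
)
ALL_CODES = [f"{n:02d}" for n in range(100)]


def sliding_window_accepts(code, keys):
    """Weak checker described in the advisory: no entry framing and no
    attempt limit, so access is granted once the code appears anywhere."""
    return code in keys


def framed_lockout_accepts(code, keys, max_attempts=3):
    """Hardened checker (assumed design): keys are consumed as fixed-length
    attempts and the call is dropped after max_attempts wrong ones."""
    n = len(code)
    for i in range(max_attempts):
        guess = keys[i * n:(i + 1) * n]
        if len(guess) == n and hmac.compare_digest(guess, code):
            return True
    return False


def codes_reached(checker, keys):
    """Every 2-digit code for which `checker` would grant access."""
    return [c for c in ALL_CODES if checker(c, keys)]


def total_keystrokes_sliding(keys):
    """Sum, over all codes, of keys pressed before the weak checker opens."""
    return sum(keys.find(c) + len(c) for c in ALL_CODES)


if __name__ == "__main__":
    weak = codes_reached(sliding_window_accepts, ADVISORY_STRING)
    hard = codes_reached(framed_lockout_accepts, ADVISORY_STRING)
    print(f"string length: {len(ADVISORY_STRING)}")
    print(f"weak checker opens for {len(weak)} of 100 codes")
    print(f"mean keys needed: {total_keystrokes_sliding(ADVISORY_STRING) / 100}")
    print(f"framed + lockout opens for {len(hard)} codes: {hard}")
```

With framing and a lockout, the same 102 keys test only three codes per call, so the work factor returns to the size of the code space divided by the attempts allowed per call.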
    


