April 11, 2009, 4:00 PM — Flaws in popular Internet-based
telephony systems could be exploited to create a network of hacked
phone accounts, somewhat like the botnets that have been wreaking havoc
with PCs for the past few years.
Researchers at Secure Science recently discovered ways to make
unauthorized calls from both Skype and the new Google Voice
communications systems, according to Lance James, the company's
cofounder.
An attacker could gain access to accounts using techniques discovered
by the researchers, then use a low-cost PBX (private branch exchange)
program to make thousands of calls through those accounts.
The calls would be virtually untraceable, so attackers could set up
automated messaging systems to try and steal sensitive information from
victims, an attack known as vishing. The calls might be a recorded
message asking the recipient to update their bank account details, for
example.
"If I steal a bunch of [Skype accounts], I can set up [a PBX] to
round-robin all those numbers, and I can set up a virtual Skype botnet
to make outbound calls. It would be hell on wheels for a phisher and it
would be a hell of an attack for Skype," James said.
In Google Voice, the attacker could even intercept or snoop on incoming
calls, James said. To intercept a call, the attacker would use a
feature called Temporary Call Forwarding to add another number to the
account, then use free software such as Asterisk to answer the call
before the victim ever heard a ring. By then pressing the star symbol,
the call could then be forwarded to the victim's phone, giving the
attacker a way to listen in on the call.
Secure Science researchers were able to access accounts they had set up using an online service called spoofcard, which allows users to make it appear as though they are calling from any number they wish.
Spoofcard has been used in the past to access voicemail accounts. Most
famously, it was blamed when actress Lindsay Lohan's BlackBerry account
was hacked three years ago and then used to send inappropriate messages.
The attacks on Google Voice and Skype use different techniques, but
essentially they both work because neither service requires a password
to access its voicemail system.
For the Skype attack
to work, the victim would have to be tricked into visiting a malicious
Web site within 30 minutes of being logged into Skype. In the Google Voice attack
(pdf), the hacker would first need to know the victim's phone number,
but Secure Science has devised a way to figure this out using Google
Voice's Short Message Service (SMS).
Google patched the bugs that enabled Secure Science's attack last week
and has now added a password requirement to its voicemail system, the
company said in a statement. "We have been working in coordination with
Secure Science to address the issues they raised with Google Voice, and
we have already made several improvements to our systems," the company
said. "We have not received any reports of any accounts being accessed
in the manner described in the report, and such access would require a
number of conditions to be met simultaneously."
The Skype flaws have not yet been patched, according to James. EBay,
Skype's parent company, did not immediately respond to a request for
comment.
The attacks show how tricky it will be to securely integrate the
old-school telephone system into the more free-wheeling world of the
Internet, James said. "This kind of proves ... how easy VoIP is to
screw up," he said. He believes that these kinds of flaws almost
certainly affect other VoIP systems as well. "There are people out
there who can figure out how to tap your phone lines."
