Hundreds of thousands of Optus accounts have been vulnerable to phone hacking of voicemails without using a PIN, in a security flaw revealed by an 18-year-old university student.
The flaw was only resolved earlier this month after Fairfax Media raised a series of questions about the vulnerability, which also exposed Optus customers to identity theft through unauthorised access to the social media services Google, Facebook and LinkedIn.
Optus hack explained
This was how easy it was to hack the voicemail of Optus phone customers, an issue which Optus says it has now resolved.
The flaw allowed anyone to "spoof" a victim's number using easily available technology and retrieve the phone number's voicemail. The practice of spoofing involves a hacker changing their phone's caller ID to a victim's mobile number.
The discovery of the flaw by 18-year-old UNSW student and IT security researcher Shubham Shah on April 28 resulted in Optus acknowledging the issue and patching against it.
Fairfax Media and Mr Shah gave Optus and other technology companies just over a week to fix the issue before publishing details about the flaw.
Optus first acknowledged caller ID spoofing in July 2011 when it was reported defunct UK tabloid News of the World was using similar techniques to hack into the voicemail of high-profile people.
"With regards to spoofing, we are looking at multiple options to address this emerging industry-wide threat, including technical solutions and customer education," Optus said then.
Mr Shah reported the issue to Optus on May 2 and said it also affected Optus resellers Live Connected, Dodo, Vaya Telecom, Yatango, Amaysim, iiNet, TPG and Exetel.
In a blog post provided to Fairfax prior to publication, Mr Shah said he found the flaw after discovering a telephone number Optus makes available to travellers was not checking for a PIN when customers used it to retrieve voicemail.
Instead, it was only verifying the voicemail request from the incoming mobile number.
This meant that when Mr Shah used a caller ID spoofing service, such as SpoofCard, he could access any Optus customer's or Optus reseller customer's voicemail account.
Fairfax Media witnessed Mr Shah accessing voicemails using the system. In the demonstration Mr Shah only accessed voicemails with the phone owner's permission.
"It is concerning that it doesn't require a PIN when you call from the victim's number when spoofed, mainly because God knows what's in their voicemail," Mr Shah said in an interview. "It could be messages relating to something that's really fatal, critical."
An Optus spokesman said the telco had resolved the vulnerability "after restoring additional security measures".
Optus had "found no evidence" that customers were affected.
"Customers who tried to access their voicemail from outside of the Optus mobile network such as when overseas, were required to enter a PIN," the spokesman said. "A recent investigation found that in some instances, customers would not be prompted for a PIN."
It is understood the security vulnerability was introduced in the second half of last year after Optus received a number of complaints from customers who couldn't access voicemail while roaming overseas.
While the change let roaming customers access their voicemail, it also mistakenly introduced a security vulnerability that the telco apparently didn't know about.
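The mechanism described above comes down to one access-control decision: whether a voicemail system treats the presented caller ID as proof of ownership. The following Python model is an added illustration, not Optus code and not a description of Optus's actual platform. It assumes a carrier can distinguish calls that originated inside its own network (treated here as carrying an unspoofable caller ID) from calls arriving through an external access number, and all phone numbers, PINs and log records in it are constructed. It places the broken rule beside a hardened one and adds a small audit check of the kind that would have surfaced the regression.

```python
"""Model of a voicemail access-control decision, written to illustrate the
caller-ID trust flaw described in the article. Constructed data throughout."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AccessRequest:
    caller_id: str             # number the network presents; a spoofing service can set it
    mailbox: str               # mailbox the caller is asking to open
    on_net: bool               # True if the call originated inside the carrier's own network
    pin: Optional[str] = None  # PIN entered on the keypad, if the caller was prompted


def _hash_pin(pin: str, salt: bytes) -> bytes:
    # PINs are stored hashed, never in clear text.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


# Constructed subscriber records: mailbox -> (salt, PIN hash). Fixed salt for the demo.
_SALT = b"constructed-demo-salt"
SUBSCRIBERS = {
    "0400000001": (_SALT, _hash_pin("4831", _SALT)),
    "0400000002": (_SALT, _hash_pin("7720", _SALT)),
}


def pin_valid(mailbox: str, pin: Optional[str]) -> bool:
    """Constant-time comparison of the entered PIN against the stored hash."""
    if pin is None or mailbox not in SUBSCRIBERS:
        return False
    salt, expected = SUBSCRIBERS[mailbox]
    return hmac.compare_digest(_hash_pin(pin, salt), expected)


def authorize_caller_id_only(req: AccessRequest) -> bool:
    """The broken rule: ownership is inferred from caller ID alone, so a call
    arriving through the external access number with a spoofed caller ID is
    indistinguishable from the real subscriber."""
    return req.caller_id == req.mailbox


def authorize_hardened(req: AccessRequest) -> bool:
    """Caller ID selects the mailbox but never authorises access on its own.
    Only a call the carrier's own network originated (assumed unspoofable here)
    is admitted without a PIN; anything arriving via the external access number
    must present the mailbox PIN, whatever caller ID it carries."""
    if req.on_net and req.caller_id == req.mailbox:
        return True
    return pin_valid(req.mailbox, req.pin)


def unauthenticated_external_retrievals(records):
    """Audit check: list mailboxes that were opened via the external access
    number without a PIN prompt. A non-empty result after a platform change is
    exactly the regression the article describes."""
    return [
        r["mailbox"]
        for r in records
        if not r["on_net"] and not r["pin_prompted"] and r["outcome"] == "granted"
    ]


# Constructed retrieval log: one on-net retrieval, one external retrieval without a
# PIN prompt (the regression), one external retrieval that was prompted.
SAMPLE_RECORDS = [
    {"mailbox": "0400000002", "on_net": True, "pin_prompted": False, "outcome": "granted"},
    {"mailbox": "0400000001", "on_net": False, "pin_prompted": False, "outcome": "granted"},
    {"mailbox": "0400000002", "on_net": False, "pin_prompted": True, "outcome": "granted"},
]


if __name__ == "__main__":
    # A request via the access number whose caller ID has been set to the victim's number.
    spoofed = AccessRequest(caller_id="0400000001", mailbox="0400000001", on_net=False)
    print("caller-ID-only rule grants spoofed access:", authorize_caller_id_only(spoofed))
    print("hardened rule grants spoofed access:     ", authorize_hardened(spoofed))
    print("flagged by audit:", unauthenticated_external_retrievals(SAMPLE_RECORDS))
```

The point the model makes is that caller ID is routing metadata, not an authentication factor: the hardened rule accepts it only where the network itself produced it, and every path that the outside world can reach falls back to a secret the caller must know. The audit function shows the cheap control a carrier can run after any voicemail platform change: grants via the external access number with no PIN prompt should be zero.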
The flaw also allowed outsiders to retrieve Optus customers' two-factor authentication codes, or tokens, used to access their social media accounts, including Google, Facebook and LinkedIn.
These codes – which come in handy as a second layer of security when online log-in credentials are stolen – are usually sent via text message but can also be sent via a phone call and end up in voicemail.
After being contacted by Mr Shah, Facebook and LinkedIn told him they had stopped security tokens being sent to users through telephone calls until they could stop them going to voicemail.
"We've temporarily disabled sending login approval codes via phone call while we investigate further," an email from Facebook Security told Mr Shah.
In an email from a LinkedIn employee Mr Shah was told: "While the potential impact for our members is limited, we have made the decision to temporality (sic) turn off the voice option in our Two-Step verification setting. We are working with the third-party vendor we use for this service to implement a fix."
Google told Mr Shah the security issue was Optus' problem to fix, writing in an email: "We've taken a look at your submission and can confirm this is not a security vulnerability in a Google product. The attack presupposes a compromised password, and the actual vulnerability appears to lie in the fact that the Telcos provide inadequate protection of their voicemail system."
Troy Hunt, a Sydney security researcher, said it wasn't acceptable for telcos to use mobile numbers as a single means of authentication for voicemail as they could be easily spoofed, as proved by Mr Shah.
Mr Hunt added that hackers could have used the flaw in targeted attacks but that it was unlikely it could have been used in an automated attack to steal dozens of users' private information.
"The attacker has to manually single someone out and then get everything to line up just right," he said.
Ty Miller, director of IT security firm Threat Intelligence, said the ability to bypass two-factor authentication was a significant flaw that needed immediate attention by all affected parties.
"It is concerning to everyone when a key security measure like two-factor authentication fails us on such a grand scale with such a simple attack technique," Mr Miller said.
How it works:
1. Download SpoofCard or similar app
2. Set callerID in SpoofCard to the victim's number
3. Configure SpoofCard to call Optus overseas voicemail access number
4. Call access number and listen to the victim's voicemail
This reporter is on Facebook: /bengrubb