I would have contacted Cingular about this, and given them time to fix this before talking about this publicly, but Cingular has already gained negative press about this for MONTHS (see http://www.google.com/search?q=cingular+voice+mail+spoofing.) People have been exploiting this vulnerability since a while now. The aim of this post is to help those who are Cingular customers protect themselves from this issue (see last paragraph), and possibly help contribute noise into this problem so someone at Cingular escalates this issue. This should have been fixed months ago.
I purchased Spoofcard credit last night. Spoofcard (and many other services like it) allow you to spoof your Caller-ID information. In addition, Spoofcard also allows you to change your voice, and record conversations. I tried calling a few friends to make sure it worked, and it did. They were quite surprised and confused at first, but got a kick out of it when I revealed my identity (after joking around for a few minutes.)
This morning, I called a friend who has a cell-phone from Cingular. I used Spoofcard to spoof his own Caller ID. He wasn’t around to pick up the call, so I was forwarded to his voice mail. The Cingular voice mail system trusted the Caller ID information - it assumed it was my friend (using his handset) checking his own voicemail, and allowed me to access all his voice mail messages. I was quite alarmed, and immediately notified my friend. I also tried this with a co-workers cell phone (with his permission), and it worked.
Gaining access to cell phone voice mails via Caller ID spoofing is nothing new. Many voice mail systems have been known to be vulnerable to this. For example, a few months ago, when I was setting up my T-Mobile voice mail, I had to dig around for the right option in the voice mail system to force it to ask my for my password when I call the voicemail system from my phone. T-Mobile recently upgraded their voice mail system to encourage this behavior. However, I am alarmed Cingular has not patched this.
This doesn’t work with T-Mobile and Sprint. Their voice mail systems seem to have intelligence in place to recognize that the call is originating from an external gateway.
That said, if you are a Cingular customer, you might want to call your voicemail, and configure it to ask for a password even when you call the voicemail system from your handset. This should fix the vulnerability for you.