Altough this problem was found out more than a year ago, new users that are buying iPhones and migrating to AT&T/Cingular should know that their voicemails can be listened to by anyone.
In February 2006 security researcher Nitesh Dhanjani wrote about how easy is to spoof your Caller-ID and as a result users can listen to voicemail messages of other AT&T/Cingular users. The default settings leave the voicemail accounts open, so no password is needed to open them, just a form of “authorization” by calling from “your” number.
A day ago Dhanjani got a hold of a new iPhone. As soon as soon as he got the new AT&T/Cingular number, he tested for this vulnerability and he confirms that it still exists for new AT&T/Cingular accounts (at least for iPhone customers).
Here is the information provided by Dhanjani needed to test the vulnerability, as well as protect yourself from this serious security issue:
1. Buy a calling card from Spoofcard. This service lets you spoof your caller ID.
2. Use another phone and call your cell phone using Spoofcard. When the Spoofcard asks you what number you want to spoof, enter your number again.
3. Do not pickup your cell phone. When the call goes into voicemail, if you are able to listen to your messages without being prompted for a password, then you are vulnerable.
Turn on the voicemail password:
1. Call your AT&T/Cingular voicemail (dial your own number from the iPhone).
2. Press 4 to go to “Personal Options”.
3. Press 2 to go to “Administrative Options”.
4. Press 1 to go to “Password”.
5. Press 2 to turn your password “ON”.
6. Hang-up and call your voicemail again from your iPhone. If your voicemail system asks you for your voicemail password you are all set.