Flaw threatens T-Mobile voice mail leaks

A convenient voice mail feature has likely opened up many T-Mobile subscribers' voice mail boxes to anyone armed with a simple hack, the embattled cellular service provider acknowledged Thursday.

The attack, publicized by wireless security company Flexilis, could be used to download a person's voice messages or take control of the victim's voice mail functions, provided the attacker knew the subscriber's phone number.

"The attacker would be able to listen to the victim's voice mail, record the voice mail to a file on a remote server, and also make calls out from the system posing as the victim," said John Hering, director of business development for Flexilis. "This can all be done from a public pay phone, which is extremely difficult to trace."

While Flexilis did not give details of the flaws, at least one Internet site has pointed out that T-Mobile's voice mail system can be accessed by anyone who uses a service to spoof caller ID. T-Mobile acknowledged the problem, but said that the solution is simple: Users should set their voice mail to require passwords.

"By default, customers are not required to put a password on their voice mail," said spokesman Bryan Zidar. "If you enable the password protection, it solves the problem."

Zidar said the issue has no relation to the high-profile privacy hits suffered by Paris Hilton and other celebrities or to a previous incident, in which an online intruder had access to the mobile phone system. T-Mobile is still investigating that case and has not released details of how the information was stolen.

"The silver lining of this Paris Hilton thing is it is an opportunity for customers to take further steps to protect their data," Zidar said.

Flexilis also advised T-Mobile subscribers to change their voice mail settings to require a password from the mobile device.

Not quite a flaw

As a current T-Mobile subscriber and a former employee, this report really irritates me. I wouldn't necessarily call someone's ability to spoof ANI (caller ID) a flaw with T-Mobile's voicemail system. This article seems to portray that spoofing ANI is a relatively easy thing to do. In reality ANI spoofing is very difficult. It just seems to me that because of Paris Hilton's apparent inability to secure her account sufficiently and Danger's lack of server security, T-Mobile is getting the raw end. If people are so concerned with their voicemails, they can enable the password; otherwise I wouldn't consider it a big deal.

T-Mobile checks CPN, not ANI

As I understand it, the T-Mobile voicemail system checks Calling Party Number, which is not necessarily the same as ANI. CPN is entirely spoofable.