Making a PBX 'botnet' out of Skype or Google Voice?

A researcher with Secure Science says it could be done, thanks to flaws in both services

Flaws in popular Internet-based telephony systems could be exploited to create a network of hacked phone accounts, somewhat like the botnets that have been wreaking havoc with PCs for the past few years.

Researchers at Secure Science recently discovered ways to make unauthorized calls from both Skype and the new Google Voice communications systems, according to Lance James, the company's cofounder.

An attacker could gain access to accounts using techniques discovered by the researchers, then use a low-cost PBX (private branch exchange) program to make thousands of calls through those accounts.

The calls would be virtually untraceable, so attackers could set up automated messaging systems to try and steal sensitive information from victims, an attack known as vishing. The calls might be a recorded message asking the recipient to update their bank account details, for example.

"If I steal a bunch of [Skype accounts], I can set up [a PBX] to round-robin all those numbers, and I can set up a virtual Skype botnet to make outbound calls. It would be hell on wheels for a phisher and it would be a hell of an attack for Skype," James said.

In Google Voice, the attacker could even intercept or snoop on incoming calls, James said. To intercept a call, the attacker would use a feature called Temporary Call Forwarding to add another number to the account, then use free software such as Asterisk to answer the call before the victim ever heard a ring. By then pressing the star symbol, the call could then be forwarded to the victim's phone, giving the attacker a way to listen in on the call.

Secure Science researchers were able to access accounts they had set up using an online service called spoofcard, which allows users to make it appear as though they are calling from any number they wish.

Spoofcard has been used in the past to access voicemail accounts. Most famously, it was blamed when actress Lindsay Lohan's BlackBerry account was hacked three years ago and then used to send inappropriate messages.

The attacks on Google Voice and Skype use different techniques, but essentially they both work because neither service requires a password to access its voicemail system.

For the Skype attack to work, the victim would have to be tricked into visiting a malicious Web site within 30 minutes of being logged into Skype. In the Google Voice attack (pdf), the hacker would first need to know the victim's phone number, but Secure Science has devised a way to figure this out using Google Voice's Short Message Service (SMS).

Google patched the bugs that enabled Secure Science's attack last week and has now added a password requirement to its voicemail system, the company said in a statement. "We have been working in coordination with Secure Science to address the issues they raised with Google Voice, and we have already made several improvements to our systems," the company said. "We have not received any reports of any accounts being accessed in the manner described in the report, and such access would require a number of conditions to be met simultaneously."

The Skype flaws have not yet been patched, according to James. EBay, Skype's parent company, did not immediately respond to a request for comment.

The attacks show how tricky it will be to securely integrate the old-school telephone system into the more free-wheeling world of the Internet, James said. "This kind of proves ... how easy VoIP is to screw up," he said. He believes that these kinds of flaws almost certainly affect other VoIP systems as well. "There are people out there who can figure out how to tap your phone lines."

Tags google voiceskypevoipbotnets

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Robert McMillan

IDG News Service

1 Comment

gaylendost

1

forward warmer

2009 substantial least http://www.usaid.gov http://www.cnpp.usda.gov http://www.greenfoothills.org

Comments are now closed.

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Shopping.com

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?