L0pht Security Advisory

URL Origin:     http://www.l0pht.com/advisories.html
Release Date:   September 8th, 1998 (Updated 9/9/98)
Application:    Telephone Answering Machines
Severity:       Users can access supervisory functions of various answering machines
Author:         kingpin@l0pht.com
Operating Sys:  None
Hardware:       AT&T Model 1320 and various other answering machines

Poorly implemented security with answering machines has been a known fact for years. The problem is that such answering machine security has been happily accepted by the general public, so it continues to be weak. For those who have been living in a hole, most answering machines have an easily guessed 2- or 3-digit password which will allow a remote user to check messages, administer the answering machine, etc. Some types of answering machines (specifically the Panasonic Ease-a-phone) allow the remote monitoring of a room ("infinity transmitter") via the microphone in the device, which could ultimately be used for good or for evil. To prevent unauthorized hacker attacks, some answering machines will refuse more than a certain number of attempts. Many more have no prevention methods at all. Why the security hasn't been enhanced in recent years is beyond me - an unauthorized intruder getting into your answering machine is a very real possibility considering how easy it is.

I have recently come across an answering machine that has a supposedly "secure" 3-digit password (which would have a maximum of 10^3, or 1000, password combinations) - the AT&T Model 1320. Guessing a 2- or 3-digit password takes no skill at all, but it is time consuming. The AT&T Model 1320 has the password hardwired into the circuit board with a combination of jumpers (either shorted or not shorted to select the number). The three-digit number is set at the factory and the password is printed on the inside of the answering machine cover (another blatant flaw: easily accessible by anyone within arm's reach of the answering machine).
I had come across two of these answering machines, one functioning, one not. Upon cracking the broken one open to scavenge for parts (we pay for L0pht out of our own pockets, remember?), I noticed an interesting 3-column by 3-row table silkscreened onto the main printed circuit board, resembling the following:

        Security Code Jumper Settings

        Position   Jumper pattern     Possible digits
        Dig 1      o---o  o   o       3 or 4
        Dig 2      o---o  o   o       7 or 8
        Dig 3      o---o  o   o       1 or 6
                   o   o  o---o       2 or 5

By observing the above table, you see that the password is a 3-digit combination, although this model of answering machine only allows the use of an extremely limited range of numbers! Because of this, the maximum possible number of combinations is reduced from 1000 to 2*2*4 = 16:

        371, 372, 375, 376, 381, 382, 385, 386,
        471, 472, 475, 476, 481, 482, 485, 486

Unbelievable, yet true. Many more varieties of answering machines are guilty of similar in-security practices, such as the AT&T Model 1504 (2-digit password), AT&T Model 1511 (2-digit password), AT&T Model 1820 (2-digit password) and Southwestern Bell Freedom Phone FA965 (3-digit password).

Other answering machines only look for the specific combination, regardless of how many attempts have been made or how many digits have been pressed. In this example, from a letter published in 2600 Magazine: The Hacker's Quarterly (www.2600.com), an answering machine of this type with a 2-digit code can be accessed with the following keystroke combination:

        00112233445566778899135790246803692581471593704948382726
        1605173950628408529630074197531864209876543210

If you examine the above string, every two-digit number combination has been entered (00, 01, 11, 12, etc.). Keep in mind that this string is the maximum amount of numbers you would need to enter to access that box. On average, you'd enter about half. This string could easily be entered into the memory of a telephone dialer and one could essentially access an answering machine with the push of a button.
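To make the two weaknesses above concrete, here is an added Python model (not code from the advisory, and not any answering machine's firmware) that enumerates the AT&T 1320 jumper keyspace and contrasts a sliding-window code check, which the quoted 2600 string defeats, with a fixed-length-entry check that clears its buffer between attempts and locks out after a few wrong entries. The two verifier functions and the three-attempt limit are assumptions for illustration.

```python
from itertools import product

# AT&T Model 1320: each position of the security code is selected by jumpers,
# so only these values are possible per position (from the silkscreen table).
JUMPER_OPTIONS = ((3, 4), (7, 8), (1, 6, 2, 5))

# The 2-digit keystroke string quoted from the 2600 letter in the advisory.
UNIVERSAL_2DIGIT = ("00112233445566778899135790246803692581471593704948382726"
                    "1605173950628408529630074197531864209876543210")


def jumper_keyspace(options=JUMPER_OPTIONS):
    """Every code the jumper table can express, as sorted digit strings."""
    return sorted("".join(str(d) for d in combo) for combo in product(*options))


def sliding_window_accepts(code, keystrokes):
    """Weak verifier (assumed model): after every keypress it compares the
    last len(code) digits to the code; it never clears the buffer and never
    counts attempts, so one long digit stream can walk the whole keyspace."""
    n = len(code)
    for i in range(n, len(keystrokes) + 1):
        if keystrokes[i - n:i] == code:
            return True
    return False


def fixed_entry_accepts(code, keystrokes, max_attempts=3):
    """Hardened verifier (assumed model): consumes exactly len(code) digits
    per attempt, starts each attempt from an empty buffer, and locks out
    after max_attempts wrong entries; later digits are ignored."""
    n = len(code)
    wrong = 0
    for i in range(0, len(keystrokes) - n + 1, n):
        if keystrokes[i:i + n] == code:
            return True
        wrong += 1
        if wrong >= max_attempts:
            return False  # locked out for this call
    return False


def codes_reached(verifier, keystrokes, digits=2):
    """How many of the 10**digits possible codes the verifier would open
    when fed this single keystroke stream."""
    return sum(verifier(f"{c:0{digits}d}", keystrokes)
               for c in range(10 ** digits))


if __name__ == "__main__":
    print(len(jumper_keyspace()), "possible AT&T 1320 codes:", jumper_keyspace())
    print("sliding window opens", codes_reached(sliding_window_accepts, UNIVERSAL_2DIGIT), "of 100 codes")
    print("fixed entry + lockout opens", codes_reached(fixed_entry_accepts, UNIVERSAL_2DIGIT), "of 100 codes")
```

The sliding-window model accepts all 100 two-digit codes from the one quoted stream (it contains every pair, with only "00" repeated), while the lockout model stops after the third wrong entry.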
An unverified theory of a security flaw is with regards to the older-generation answering machines that use register/flag based password protection. Those types of answering machines are basically checking to see if the correct digits have been entered, regardless of order. In an example for an answering machine with a 2-digit password, the entire keyspace might be represented by: 01234567890123456789.

Another unverified theory: when some answering machine models are reset, the password gets set back to its factory default (in some cases "123"). Odds are this default password is never changed.

This advisory is just a simple reminder of the obvious security flaws within common answering machines, which are used in tens of millions of households worldwide. As far as privacy is concerned, with such a focus on Internet security, I think most people forgot about the easy vulnerabilities with common household items. Monitoring answering machines is a trivial task and the security needs to be enhanced, because I, for one, prefer to keep my messages for my ears only.

Kingpin, 9/8/98

-------------------------------------------------------------------------------

For more L0pht (that's L - zero - P - H - T) advisories check out:
http://www.l0pht.com/advisories.html