A convenient voice mail feature has likely opened up many T-Mobile subscribers' voice mail boxes to unauthorized attackers armed with a simple hack, the embattled cellular service provider acknowledged on Thursday.
The attack, publicized by wireless security firm Flexilis, could be used to download a person's voice mail or take control of the victim's voice mail functions, provided the attacker knew the subscriber's phone number.
"The attacker would be able to listen to the victim's voice mail, record the voice mail to a file on a remote server, and also make calls out from the system posing at the victim," said John Hering, director of business development for Flexilis. "This can all be done from a public pay phone, which is extremely difficult to trace."
While Flexilis did not give details of the flaws, at least one Internet site has pointed out that T-Mobile's voice mail system can be accessed by anyone who uses a service to spoof caller ID. T-Mobile acknowledged the problem, but said that the solution is simple: Users should set their voice mail to require passwords.
"By default, customers are not required to put a password on their voice mail," said spokesman Bryan Zidar. "If you enable the password protection, it solves the problem."
Zidar said the issue has no relation to the high-profile privacy hits suffered by Paris Hilton and other celebrities or a previous incident where an online intruder had access to the mobile phone system. T-Mobile is still investigating that case and has not released how the information was stolen.
"The silver lining of this Paris Hilton thing, is it is an opportunity for customers to take further steps to protect their data," Zidar said.
Flexilis also advised T-Mobile subscribers to change their voice mail setting to require a password from the mobile device. SOURCE