Bugtraq mailing list archives

L0pht Answering Machine Advisory


From: mudge () L0PHT COM (Dr. Mudge)
Date: Wed, 9 Sep 1998 12:20:26 -0500


[ Preface: The world is rapidly moving towards extremely coupled hardware
and software security mechanisms. This is seen in everything from
i-buttons, smart-cards, biometrics (ewww!), security token cards, etc.
Often times people don't/can't see the things in their lives that they
depend upon the security of when they are right in front of them. To this
end we decided to document some problems with the common household
answering machine. We hope it is enjoyable and elicits thoughts about how
weak security in this world really is. Cheers, .mudge ]

Document:       L0pht Security Advisory
URL Origin:     http://www.l0pht.com/advisories.html
Release Date:   September 8th, 1998
Application:    Telephone Answering Machines
Severity:       Users can access supervisory functions of various
                answering machines
Author:         kingpin () l0pht com
Operating Sys:  None
Hardware:       AT&T Model 1320 and various other answering machines

Poorly implemented security with answering machines has been a known fact
for years.  The problem is that such answering machine security has been
happily accepted by the general public, so it continues to be weak. For
those who have been living in a hole, most answering machines have an
easily guessed 2- or 3-digit password which will allow a remote user to
check messages, administer the answering machine, etc. To prevent
unauthorized hacker attacks, some answering machines will prevent more
than a certain number of attempts. Many more have no prevention methods at
all. Why the security hasn't been enhanced in recent years is beyond me -
the threat of an unauthorized intruder to your answering machine is a
great possibility considering the ease.

I have recently come across an answering machine that has a supposedly
"secure" 3-digit password (which would have a maximum of 10^3, or 1000,
password combinations) - The AT&T Model 1320. Guessing a 2- or 3-digit
password takes no skill at all, but it is time consuming. The AT&T Model
1320 has the password hardwired into the circuit board with a combination
of jumpers (either shorted or not shorted to select the number). The
three-digit number is set at the factory and the password is printed on
the inside of the answering machine cover (another flaw: easily accessible
by anyone within arm's reach of the answering machine).  I had come across
two of these answering machines, one functioning, one not. Upon cracking
the broken one open to scavenge for parts (we pay for L0pht out of our own
pockets, remember?), I noticed an interesting 2-column by 3-row table
silkscreened onto the main printed circuit board, resembling the
following:

            o---o      o   o

Digit #1      3          4
Digit #2      7          8
Digit #3      1          2          5          6

By observing the above table, you see that the password is a 3-digit
combination, although this model of answering machine only allows the use
of an extremely limited range of numbers! Because of this, the maximum
possible number of combinations is reduced from 1000 to 2*2*4 = 16:

371, 372, 375, 376, 381, 382, 385, 386, 471, 472, 475, 476, 481, 482, 485,
486

Unbelievable, yet true.

Many more varieties of answering machines are guilty of similar
in-security practices, such as the AT&T Model 1504 (2-digit password),
AT&T Model 1511 (2-digit password) and Southwestern Bell Freedom Phone
FA965 (3-digit password).

Other variations of answering machines are only looking for the specific
combination, regardless of how many attempts of combinations or how many
digits have been pressed.  In this example, from a letter published in
2600 Magazine: The Hacker's Quarterly (www.2600.com), an answering machine
of this type with a 2-digit code can be accessed with the following
keystroke combination:

001122334455667788991357902468036925814715937049483827261605173950628408529630074197
531864209876543210

If you examine the above string, every two-digit number combination has
been entered (00, 01, 11, 12, etc.) Keep in mind that that string is the
maximum amount of numbers you would need to enter to access that box. On
average, you'd enter about half.

An unverified theory of a security flaw is with regards to the
older-generation answering machines that use register/flag based password
protection. Those types of answering machines are basically checking to
see if the correct digits have been entered, regardless of order. In an
example for an answering machine with a 2-digit password, the entire
keyspace might be represented by: 01234567890123456789.

This advisory is just a simple reminder of the obvious security flaws
within common answering machines, which are used in tens of millions of
households worldwide.

As far as privacy is concerned, with such a focus on Internet security, I
think most people forgot about the easy vulnerabilities with common
household items. Monitoring answering machines is a trivial task and the
security needs to be enhanced, because I, for one, prefer to keep my
messages for my ears only. And to think I used to USE one of these
models...

Kingpin <kingpin () l0pht com>, 9/8/98

-------------------------------------------------------------------------------
For more L0pht (that's L - zero - P - H - T) advisories check out:
http://www.l0pht.com/advisories.html
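
Added example, not part of the original advisory: a small model of the two weaknesses described above, namely the Model 1320 jumper keyspace and a matcher that accepts the code anywhere in an unbounded keystroke stream, set beside a matcher that frames each entry and stops after a few misses. The function names and the 3-attempt limit are assumptions chosen for illustration; the jumper table and the keystroke string are the ones quoted in the advisory.

```python
from itertools import product

# Digits selectable at each jumper position, from the board table in the advisory.
JUMPER_TABLE = [("3", "4"), ("7", "8"), ("1", "2", "5", "6")]

# Keystroke string quoted in the advisory for 2-digit codes.
PAGE_STREAM = (
    "001122334455667788991357902468036925814715937049483827261605173950628408529630074197"
    "531864209876543210"
)

def jumper_keyspace(table=JUMPER_TABLE):
    """Every code the jumpers can select (the real keyspace, not 10^3)."""
    return ["".join(combo) for combo in product(*table)]

def sliding_window_accepts(stream, code):
    """Weak matcher: the code is accepted wherever it appears in the stream,
    with no entry framing and no limit on keystrokes."""
    return code in stream

def framed_limited_accepts(stream, code, max_attempts=3):
    """Hardened matcher (assumed design): every len(code) keystrokes form one
    attempt, and the machine stops listening after max_attempts misses."""
    n = len(code)
    frames = [stream[i:i + n] for i in range(0, len(stream) - n + 1, n)]
    return code in frames[:max_attempts]

def codes_reached(matcher, stream, width=2):
    """How many of the 10**width possible codes the stream would unlock."""
    all_codes = ["".join(d) for d in product("0123456789", repeat=width)]
    return sum(matcher(stream, code) for code in all_codes)

if __name__ == "__main__":
    print(len(jumper_keyspace()), "of 1000 codes selectable on the Model 1320")
    print(codes_reached(sliding_window_accepts, PAGE_STREAM),
          "of 100 codes reached: sliding window, no limit")
    print(codes_reached(framed_limited_accepts, PAGE_STREAM),
          "of 100 codes reached: framed entries, 3-attempt limit")
```
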


