Attackers use voicemail hack to steal WhatsApp accounts

08 Oct 2018 | 2-factor Authentication, Security threats

by Danny Bradbury

Another online account hijacking attack has emerged, this time targeting WhatsApp. The Israeli agency responsible for cybersecurity has warned its citizens about the attack, which can often be conducted without any knowledge or interaction on their part. All the attacker needs is the victim’s phone number.

First documented by security researchers last year, the security flaw has now hit the mainstream. Last week, ZDNet reported that the Israeli National Cybersecurity Authority issued an alert warning that WhatsApp users could lose control of their accounts.

The hack capitalises on users’ tendency not to change default access credentials on cellphone voicemail numbers. The attacker makes a request to register the victim’s telephone number to the WhatsApp application on their own phone. By default, WhatsApp sends a six-digit verification code in an SMS text message to the victim’s phone number, to verify that the person making the request owns it.

Ideally, the victim would see the message, alerting them that something was up. The attacker avoids that by launching the attack at a time when the victim would not answer their phone, such as in the middle of the night, or while they are on a flight. Many users may even have their phones set to ‘do not disturb’ during this time.

The attacker doesn’t have access to the victim’s phone, and so cannot see the code to enter it. WhatsApp then offers to call the victim’s number with an automated phone message reading out the code. Because the victim is not accepting calls, the automated message is left as a voicemail.

The attacker then exploits a security flaw on many carrier networks, which provide generic telephone numbers that users can call to access voicemail. The only credential required to hear the voicemail is a four-digit PIN, and many carriers set this by default to something simple like 0000 or 1234. These default passwords are easily discovered online.

When the attacker uses the default PIN to access the victim’s voicemail, they can hear the code and then enter it into their own device, completing the transfer of the victim’s phone number to their own WhatsApp account.


To seal the deal, the attacker can then enable two-step verification, which is an optional feature that WhatsApp has been offering since 2017. This requires the user to set a custom PIN, which they must then re-enter if they wish to reverify their phone number. Turning on this feature prevents the victim from regaining control over their own phone number.

Security researcher Martin Vigo explored and expanded on automated phone message attacks in a talk at DEF CON this August titled “Compromising online accounts by cracking voicemail systems”. He went beyond simple default voicemail PINs, using a Python script that brute-forced voicemail accounts using the cloud-based telephony API Twilio.

During the talk, he called out several online services that he said were vulnerable to attacks like this. PayPal, Netflix, Instagram and LinkedIn supported password reset by automated phone call, he said, adding that Apple, Google, Microsoft and Yahoo support the use of automated voicemails for two-factor authentication (2FA).

In a blog post describing the talk, he lamented the fact that we’re still using 30 year-old technologies to secure sensitive systems.

How can you protect your WhatsApp and other accounts from hijackers?

Using application-based 2FA (such as Sophos Authenticator, which is also included in our free Sophos Mobile Security for Android and iOS) mitigates a lot of the risk, because these mobile authentication apps don’t rely on communications tied to phone numbers.

If you must use a service that relies on automated voice messages, then set a strong PIN for your voicemail inbox.

Finally, enable two-step verification on your WhatsApp account, by opening WhatsApp and going to Settings > Account > Two-step verification > Enable.
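The verification-call path described above, modelled as an added example (not WhatsApp's, Twilio's or any carrier's code): a service that reads the code to whoever answers (so it lands in voicemail and is replayable with a default PIN) is compared with one that demands a live DTMF response first, fixed or freshly random, the mitigation the comment thread below discusses. The voicemail box, PINs, DTMF greeting and policy names are all constructed for the illustration.

```python
import hmac
import secrets

CODE_LEN = 6            # six-digit verification code, as in the article
DEFAULT_PIN = "0000"    # one of the carrier defaults the article mentions


class Voicemail:
    """Constructed model of a carrier voicemail box (not real carrier code)."""

    def __init__(self, pin=DEFAULT_PIN, greeting_dtmf=""):
        self.pin = pin
        self.greeting_dtmf = greeting_dtmf  # tones the outgoing greeting plays back
        self.messages = []

    def answer_unanswered_call(self, caller):
        # The victim does not pick up: the greeting plays, then whatever the
        # caller says is recorded. `caller` receives the greeting's DTMF digits
        # and returns the text it speaks, or None if it hangs up silently.
        spoken = caller(self.greeting_dtmf)
        if spoken is not None:
            self.messages.append(spoken)

    def listen(self, pin):
        # Constant-time PIN comparison; wrong PIN yields nothing.
        if not hmac.compare_digest(pin, self.pin):
            return []
        return list(self.messages)


def place_verification_call(mailbox, code, policy):
    """Service-side policies for the automated call (constructed names).
    read_code:     speak the code to whoever, or whatever, answers.
    fixed_digit:   require DTMF '1' first ("press 1 if you expected this call").
    random_digits: require a fresh random 3-digit DTMF challenge first."""
    if policy == "random_digits":
        challenge = "".join(secrets.choice("0123456789") for _ in range(3))
    elif policy == "fixed_digit":
        challenge = "1"
    else:
        challenge = None

    def caller(heard_dtmf):
        if challenge is None or heard_dtmf == challenge:
            return f"Your code is {code}"
        return None  # nobody proved they are listening: hang up, say nothing

    mailbox.answer_unanswered_call(caller)


def attempt_hijack(policy, victim_pin=DEFAULT_PIN, greeting_dtmf=""):
    """The flow from the article: the call lands in voicemail, which is then
    replayed with the default PIN. greeting_dtmf models an altered greeting."""
    code = f"{secrets.randbelow(10**CODE_LEN):0{CODE_LEN}d}"
    box = Voicemail(pin=victim_pin, greeting_dtmf=greeting_dtmf)
    place_verification_call(box, code, policy)
    return any(m.endswith(code) for m in box.listen(DEFAULT_PIN))
```

A strong voicemail PIN blocks the replay under every policy, while a static greeting that plays back "1" only defeats the fixed-digit prompt; the random challenge has no stable answer for a recording to give.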





10 comments on “Attackers use voicemail hack to steal WhatsApp accounts”

  1. Anonymous says:
    October 8, 2018 at 2:27 pm

    Other “We’ll call you and give you a code you have to enter” type systems I’ve interacted with won’t leave a code on voice mail. To make sure, they say up front, “If you’re expecting this call, press 1” before giving out a code. Maybe WhatsApp could consider doing this.

    • Danny Bradbury says:
      October 8, 2018 at 9:46 pm

      Vigo has a sneaky answer for that in his material – hacking the voicemail and changing the outgoing message to send DTMF codes.

      • David Pottage says:
        October 10, 2018 at 11:15 am

        WhatsApp could prevent that working, by saying “If you’re expecting this call, press 376”, (with random digits, different every time).

  2. Raffles Administrator says:
    October 8, 2018 at 4:51 pm

    Can one use a different phone number for 2 step authentication?

    • Danny Bradbury says:
      October 8, 2018 at 9:48 pm

      I don’t believe so. I went through the two-step verification setup while researching the story and there was no such option. If any other readers have different experiences, though, please let us know in the comments.

  3. Roman says:
    October 9, 2018 at 9:27 am

    The scribd article is recent, but the link to the Israeli government’s findings on their site is from 2017. Where was this discovered now?

    • Danny Bradbury says:
      October 9, 2018 at 3:24 pm

      The reason that CERT-IL reported the issue this month is because it has seen several attacks arise recently using this technique and wanted to let its citizens know. The alert mentions these attacks specifically.

  4. John pinckley says:
    October 9, 2018 at 1:03 pm

    Is there any way to recover my FB acct? It does not recognise my phone # or email. Yeah, my voice mail PIN is hacked also. My friends can still see my acct.

    • jona says:
      October 10, 2018 at 10:19 pm

      Make a new FB page… FB is easily hacked and may not be recovered. Remember, FB is NOT there for you.

  5. Anonymous says:
    May 23, 2019 at 7:06 pm

    What do you do if you get hijacked? WhatsApp support hasn’t responded or deactivated my account



© 1997 - 2023 Sophos Ltd. All rights reserved.