As you know, AT&T is the only carrier for iPhones (unless it's jailbroken). Many people jumping on the iPhone craze do not know that the convenience of listening to your voicemail from your iPhone (or any AT&T phone, for that matter) is a huge hole. The AT&T voicemail system is configured by default not to ask for a password when you check your voicemail from the handset (it asks for your voicemail password if you call your number from another phone and press * when your voicemail answers). AT&T uses the ANI (Automatic Number Identification) of the phone dialing in as verification to enter the voicemail box. All one has to do is spoof the caller ID to the number of the phone, and the system lets you right into the voicemail without prompting for a password. There are a lot of instructions on the ‘net for spoofing caller ID, such as buying a spoofing calling card or setting up your own Asterisk Linux box and using a VoIP provider.
Here is how to protect yourself from this vulnerability:
- Call your AT&T/Cingular voicemail (dial your own number from the iPhone).
- Press 4 to go to “Personal Options”.
- Press 2 to go to “Administrative Options”.
- Press 1 to go to “Password”.
- Press 2 to turn your password “ON”.
- Hang up and call your voicemail again from your iPhone. If your voicemail system asks you for your voicemail password, you are all set.