How often do we take the easy road when it comes to passwords on our various corporate or personal devices?
Even among us security professionals, I'll wager we take the easy road more often than the more secure road if we are able.
My Facebook, PayPal and other online apps all have a 13-character password for security, and I now know why my personal phone's voice mail password feature should be activated and never turned off.
I was playing with an app to spoof incoming caller ids on my Android-based phone and was attempting to fool my nephew with a crank call. (All intra-family fun, no laws broken.)
I decided to call him from his number to surprise him, and added a disguised voice to the fun. My nephew chose to omit a password on his voice mail.
Turns out, when I called his phone with his number as the spoofed caller id, it went straight into his voice mail, giving me a number of choices to use in the system.
At this point, I had full access to his voice mail system including listening to messages, and, ahem, changing his greeting. I expect he'll hear about his new greeting from his friends soon, but that's not really the point.
Obviously, with the right tool (application), accessing someone's cellular voice mail system is trivial if that person has taken the easy way and not set a password.
It's very convenient to just hit the voice mail button and hear your messages without the hassle of entering a password first.
Such a practice opens your voice messages, the way the system takes messages, and the greeting it plays when you are not available, to anyone who finds a free app to spoof caller ids.
Beyond loss of personal information, which one may not want posted in public, the embarrassment caused by changing someone's personal greeting could be enormous.
Intra-family joking aside, corporate phones that do not require a password are likely being used without one, and are susceptible to this type of attack.
How will you know your cellular voice mail system with no password has been attacked? When someone calls the phone with the phone's own number set as the caller id, the target phone does not even ring.
So, you'll only know when you hear about your voice mail in public, or when someone asks you about a phone greeting that may be quite an embarrassment.