It's very strange to listen to an MP3 recording of your own voice mail. When John Hering of security firm Flexilis told me that they had reverse engineered the exploit that compromised Paris Hilton and Vin Diesel's T-Mobile voice mail earlier this week, I wanted to see it for myself. I asked John to pop open my voicemail and send me a recording.
I called myself with a neighbor's land line, left myself a voice message, and then gave John my phone number. Twenty minutes later I not only had a recording of that voice mail in my email inbox, but had received two calls—from myself. We had been able to access my voicemail, sure, but had also used the system to make an outgoing call. In effect, my voicemail called me. In reality, John stood at a payphone in a cheap Mexican restaurant in downtown Los Angeles. He could have been anywhere.
We're making this known for two reasons. First, T-Mobile has been slow in responding to Flexilis's multiple notices about the exploit (T-Mobile is surely busy with this week's Hilton Hack fallout, but Flexilis has been trying to contact them since before that blew up Sunday and has so far gotten only a minimal, albeit seemingly concerned, response). Second, we want you to know how to protect yourself from a technique that's already out in the wild. It's not responsible to say exactly how it's being done—I asked specifically not to be given practical details, so don't ask. Although higher-level knowledge of computers, security, and telephony is required, the exploit is relatively trivial, I'm told.
If you're a T-Mobile customer, John's written up a few short steps you can take to protect yourself from this specific technique. A few minutes of time can save you from an outbound voice mail message that says "I'm a real douche."
Dial your T-Mobile voicemail from your mobile phone. If you don't know your PIN, you can set a new one as follows:

1. Press 4 to access your 'personal options'.
2. Press 4 again to 'modify your personal preferences'.
3. Press 1 to 'modify your password'.
4. Set a new PIN and, if necessary, write it down somewhere secure.

After you reset your PIN, press the * key to go back to the 'personal options' menu (or press 4 from the main menu if you already knew your PIN). From the 'personal options' menu, press 8 to enable password authentication when calling from your own mobile phone. This is the setting that matters: with it off, the system does not ask for a PIN on calls it treats as coming from your own phone, and turning it on means every caller, including you, has to prove they know the PIN. Entering your password every single time you call your voicemail can be a bit of a nuisance, but a few seconds of your time is a small price to pay for the security of your voicemail system.
We think T-Mobile will fix the problem eventually, but there's no reason for you or any celebrity to be at risk while they figure it out.
An aside: Yes, I'm still on T-Mobile, even after I called them crap devils and swore I was leaving. We should probably talk about it more sometime, but here's the short explanation: I've got shit credit and I haven't been able to (or didn't want to) afford the $650+ deposit to move our two lines to another carrier. I know I'm an asshole for staying with them, but I don't know what else to do at the moment. For what it's worth, I didn't buy the Sidekick II, even though I really wanted one.