Document:  L0pht Security Advisory
URL Origin:  http://www.l0pht.com/advisories.html 
Release Date:  September 8th, 1998 (Updated 9/9/98)
Application:  Telephone Answering Machines                
Severity:  Users can access supervisory functions of various answering 
           machines
Author:  kingpin@l0pht.com  
Operating Sys:  None
Hardware: AT&T Model 1320 and various other answering machines

Poorly implemented security with answering machines has been a known 
fact for years. The problem is that such answering machine security 
has been happily accepted by the general public, so it continues to 
be weak. For those who have been living in a hole, most answering 
machines have an easily guessed 2- or 3-digit password which will 
allow a remote user to check messages, administer the answering 
machine, etc. Some types of answering machines (specifically
Panasonic Ease-a-phone) allow the remote monitoring of a room 
("infinity transmitter") via the microphone in the device, which 
could ultimately be used for good or for evil. To prevent 
unauthorized hacker attacks, some answering machines will 
prevent more than a certain number of attempts. Many more have no 
prevention methods at all. Why the security hasn't been enhanced 
in recent years is beyond me - the threat of an unauthorized 
intruder to your answering machine is a great possibility 
considering the ease.

I have recently come across an answering machine that has a 
supposedly "secure" 3-digit password (which would have a 
maximum of 10^3, or 1000, password combinations) - The AT&T 
Model 1320. Guessing a 2- or 3-digit password takes no skill at 
all, but it is time consuming. The AT&T Model 1320 has the 
password hardwired into the circuit board with a combination of 
jumpers (either shorted or not shorted to select the number). The 
three-digit number is set at the factory and the password is 
printed on the inside of the answering machine cover (another 
blatant flaw: easily accessible by anyone within arms reach to 
the answering machine).  I had come across two of these answering 
machines, one functioning, one not. Upon cracking the broken one 
open to scavenge for parts (we pay for L0pht out of our own 
pockets, remember?), I noticed an interesting 3-column by 3-row 
table silkscreened onto the main printed circuit board, 
resembling the following:

        Security Code
        Jumper Settings

         o---o      o   o
Dig 1      3          4

         o---o      o   o
Dig 2      7          8

         o---o      o   o       
         o---o      o   o
           1          6
Dig 3
         o---o      o   o
         o   o      o---o
           2          5

By observing the above table, you see that the password is a 
3-digit combination, although this model of answering machine 
only allows the use of an extremely limited range of numbers! 
Because of this, the maximum possible number of combinations is 
reduced from 1000 to 2*2*4 = 16:

371, 372, 375, 376, 381, 382, 385, 386, 471, 472, 475, 476, 
481, 482, 485, 486

Unbelievable, yet true.

Many more varieties of answering machines are guilty of 
similar in-security practices, such as the AT&T Model 1504 
(2-digit password), AT&T Model 1511 (2-digit password), AT&T
Model 1820 (2-digit password) and Southwestern Bell Freedom 
Phone FA965 (3-digit password).

Other variations of answering machines are only looking for 
the specific combination, regardless of how many attempts of 
combinations or how many digits have been pressed. In this 
example, from a letter published in 2600 Magazine: The 
Hacker's Quarterly (www.2600.com), an answering machine of 
this type with a 2-digit code can be accessed with the 
following keystroke combination: 

00112233445566778899135790246803692581471593704948382726
1605173950628408529630074197531864209876543210

If you examine the above string, every two-digit number 
combination has been entered (00, 01, 11, 12, etc.) Keep 
in mind that that string is the maximum amount of numbers 
you would need to enter to access that box. On average, 
you'd enter about half. This string could easily be entered 
into the memory of a telephone dialer and one could 
essentially access an answering machine with the push of a 
button.

An unverified theory of a security flaw is with regards to 
the older-generation answering machines that use 
register/flag based password protection. Those types of 
answering machines are basically checking to see if the 
correct digits have been entered, regardless of order. In 
an example for an answering machine with a 2-digit 
password, the entire keyspace might be represented by: 
01234567890123456789.

Another unverified theory: When some answering machine
models are reset, the password gets set back to its
factory-default (in some cases "123"). Odds are this 
default password is never changed.

This advisory is just a simple reminder of the obvious 
security flaws within common answering machines, which 
are used in tens of millions of households worldwide.

As far as privacy is concerned, with such a focus on 
Internet security, I think most people forgot about the 
easy vulnerabilities with common household items. 
Monitoring answering machines is a trivial task and the 
security needs to be enhanced, because I, for one, prefer 
to keep my messages for my ears only. 

Kingpin <kingpin@l0pht.com>, 9/8/98

-------------------------------------------------------------------------------
For more L0pht (that's L - zero - P - H - T) advisories check out:
http://www.l0pht.com/advisories.html