WhatsApp Accounts Can Be Hacked Using Voicemail. Change Your Password to Protect Yourself
In the 1990's and the 2000's, voicemail, the technology that replaced the answering machine, was very popular. As with so many things from that period, it isn't anymore, and it's not difficult to see what contributed to its near demise. The smartphone and the numerous instant messaging applications like WhatsApp provided a new way of communication which completely eliminated the need for voicemail. Although nobody seems to be using it, however, voicemail is still around, and in an extremely ironic turn of events, it is now actively used to compromise WhatsApp accounts.
The attack targets Israeli users and appears to be ongoing. Apparently, it's substantial. Even the Israeli Computer Emergency Response Team (CERT) issued a warning, according to which they have received numerous reports of hijacked WhatsApp accounts with the help of the victims' voicemail service. Apparently, there's no shortage of affected people, which, in a normal world, would be rather strange because the attack was first demonstrated more than a year ago.
Hijacking WhatsApp accounts with no technical knowledge or specialist equipment
The attack was first described by Ran Bar-Zik back in September 2017, but it would appear that not many people have paid enough attention to the threat it poses. It must be said that quite a few stars must align for it to be successful, but despite this, pulling it off requires nothing more than a mobile phone, some determination, and a bit of luck.
The first thing that hackers need to do is check whether their victim uses voicemail. Conveniently for the people compromising WhatsApp accounts, this can be done remotely in Israel. They just dial *151 and enter the victim's phone number and voicemail passcode. "How do they know the victim's passcode?", we hear you ask. Well, this is what makes the whole attack possible.
Israeli users, like people from the rest of the world, rarely use voicemail nowadays, and very few bother to change the default passcode that's assigned by the mobile service provider. As a result, if the crooks try "0000" or "1234", they are extremely likely to confirm the state of the victim's voicemail service. If it's active, hijacking is possible.
The attacker then tries to connect the victim's WhatsApp account to their own device. As a security precaution, WhatsApp sends a six-digit code via SMS to the victim's phone number, and normally, this would set off some alarm bells. The idea is, however, that if the attack is carried out in the middle of the night, the victim is likely to be asleep and to miss the text message.
The problem, from the attacker's perspective, is that since it's sent as an SMS, they can't get to the six-digit code. Luckily for them, and unfortunately for the victim, WhatsApp has a backup Call Me option in case the SMS doesn't work. When chosen, an automated system calls the account owner's phone number, and when the call is received, it plays a voice recording of the six-digit code. Again, the success of the attack relies on the victim not picking up their phone and the call going through to voicemail.
You can probably guess what happens next. The attacker calls *151, enters the victim's phone number and the default passcode, listens to the voicemail message, and logs in to the victim's WhatsApp account. Once inside, the crooks can get to the victim's messages and contacts, and to lock the account owner out, they can enable two-factor authentication.
What can you do to protect yourself?
Last year, when Ran Bar-Zik first reported the problem, telecommunication service providers had the chance to rethink their strategy of enabling rarely-used services and using poor default passwords to protect them. They didn't take that chance, and there's no telling if they'll take this one. Whatever the case, it would appear that it's up to you to keep yourself safe.
The attack described above shows that if you don't use a particular service, you should turn it off. Of course, if you do need voicemail, keep it enabled, but be sure to change the default passcode. And in case you needed any more encouragement, the attack in Israel is just another reason why you should turn on Two-factor authentication for your WhatsApp account.