SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
WhatsApp users warned to change voicemail PINs
Mon, 18th Feb 2019

Australia's Stay Smart Online is warning WhatsApp users to change their mobile's voicemail PIN from the default PIN, if they haven't done so already.

Attackers are allegedly gaining access to users' WhatsApp accounts by using the default voicemail PIN to access voice authentication codes. Those codes can allow the attacker to use a victim's WhatsApp account on the attacker's own device.

The attack method isn't new: it has been doing the rounds since 2017, and Israel's National Cyber Directorate issued a warning about it. However, people are still falling victim to the attack.

Stay Smart Online explains how it works:

The attacker will install WhatsApp on their own device using a genuine user's phone number. Usually this happens late at night when a user would generally be sleeping and not using their phone.

While WhatsApp will send a one-time verification SMS to the user's phone, the attacker cannot see this if they don't have the phone.

However, if a user doesn't use the SMS code, WhatsApp switches to a voice verification code. It calls the user's phone and speaks the one-time verification code out loud. But because the user is asleep, the automated call goes to voicemail.

“Most mobile service providers allow remote access to your voicemail account, by calling a generic number and entering your PIN code,” Stay Smart Online says.

“So to retrieve the voicemail, the hacker simply needs to call the generic phone number and enter the victim's four-digit PIN – which, if you haven't changed it, is typically a simple combination such as 0000 or 1234 by default.”

“Once the hacker listens to the pre-recorded voicemail and hears the verification code, they can then access your WhatsApp account on their own device.”

“When the attacker uses the default PIN to access the victim's voicemail, they can hear the code and then enter it into their own device, completing the transfer of the victim's phone number to their own WhatsApp account,” adds Sophos' Danny Bradbury.

“To seal the deal, the attacker can then enable two-step verification, which is an optional feature that WhatsApp has been offering since 2017. This requires the user to set a custom PIN, which they must then re-enter if they wish to re-verify their phone number. Turning on this feature prevents the victim from regaining control over their own phone number.”

WhatsApp users should change their voicemail PINs to a strong password. This can be done in the phone's voicemail settings or by calling the user's phone service provider.

Users should also enable two-factor authentication on their WhatsApp account for an extra layer of security. This can be done by opening the app and going to Settings > Account > Two-step verification > Enable.