Despite Fixes, Google Voice Security Flaws Remain

Google appears to have fixed a significant security hole in its two-week-old Voice calling service though some vulnerabilities remain.

Until about 7pm PDT Tuesday, an unauthorized party could use a SIP device to spoof a phone number attached to a Google Voice account to call the Google Voice number. This would give the spoofer access to greetings and voicemail, and the ability to make outbound calls, including expensive international calls.

Though SIP access to a Google Voice account is no longer possible in such a manner, continued existence of some vulnerability was still apparent Tuesday night. Voxilla was able to set the caller ID of a PBX extension to a mobile number attached to Google Voice account and call in, using a business VoIP trunk, to gain access.

Because many VoIP service providers permit users to set their own caller ID and ANI, it remains possible to “spoof” a number attached to a particular Google Voice account, unless the Google Voice account holder changes the default account setting to require entry of a PIN in order to gain access to the account.

Voxilla confirmed the larger SIP vulnerability earlier in the day Tuesday using a Linksys SPA942, an inexpensive IP phone. With its proxy set to the Google Voice IP and the Display Name set to a mobile number attached to a Google Voice account, dialing the Google Voice number permitted access to the account.

A recent post in the Google Voice support forum mentioned this vulnerability, though it is not clear whether that prompted Google to move to close the SIP flaw.

Voxilla has contacted Google officials to make them aware of the remaining security vulnerability and to ask for comment. We will post updates when we hear back from them.

Be Sociable, Share!
  • chris

    “Though SIP access to a Google Voice account is no longer possible in such a manner, continued existence of some vulnerability was still apparent Tuesday night. Voxilla was able to set the caller ID of a PBX extension to a mobile number attached to Google Voice account and call in, using a business VoIP trunk, to gain access.”

    thats not an exploit, thats the way phone systems are designed if you have a PBX.

    You have the ability to change your callerID..

    And take some AT&T customers for example – who have auto voice mail login.. boom. you are in there.

    it works with all companies that have that feature.

  • http://www.voxilla.com Lonnie Lazar

    @chris: Access to voice mail is one thing, access to the ability to make calls is quite another, don’t you think?

  • http://www.1up-games.com sanjuro

    I’m afraid I’ll have to stick with my good old Nokia phone in the meanwhile.

  • mattjackets

    Posting the SIP URI used would be very handy for us who have been wanting the ability to call users directly using SIP instead of going through POTS. Since they closed the hole using the SIP approach, this information would still hold legitimate use.

  • Gusvan

    mattjackets: I think you want the address of the Google Voice SIP server, not a SIP URI. If so, it is 216.239.37.15 and it’s entered through port 5061. With this information and some additions to configuration files, you can use Asterisk and make calls directly through GV without touching POTS.

  • http://nerdvittles.com Ward Mundy

    Tutorial to integrate GV into Asterisk available here: http://nerdvittles.com/?p=593