spaf@cs.purdue.edu (Gene Spafford) (09/14/90)
Two comments on short security codes on answering machines. But first, the background story: A few months ago, I started getting harassing phone calls from some phreaks/crackers who evidently did not like my association with the CERT (tenuous as it is). So, at 3am, the phone would ring and it would be these guys in a conference call making threats. It really got old quickly, and bothered the spousal unit something fierce (especially when they started threatening her instead of me). So, I pulled out my answering machine and set it up to answer the phone, and then shut our phone off at 11pm every night. Sure enough, that night at 3am, they tried to finger-phreak the security code. The machine is one of the PhoneMate models that comes with a single-digit code. For some reason, they missed the code and spent the rest of their call recording interesting vulgarities. I called PhoneMate to see if there was a way to disable the remote feature. None. I asked why the code was only one digit. The reply? They tried longer codes once, but too many customers complained because they couldn't remember the codes. How long were the codes? Three digits... For a small fee, I shipped the machine back to them and they modified it so it takes a hand-held tone-key now to trigger the remote features. I dunno how many different keys they have, but I suspect that not many people have them, and from the sounds of it, it has some hairy harmonics in it that would prevent any simple spoofing. If your machine has too short a security code, call the manufacturer and see what they can offer. PhoneMate told me if my machine was still under warranty, the modification to the machine would be free, and I'd only have to pay for the key. Gene Spafford NSF/Purdue/U of Florida Software Engineering Research Center, Dept. of Computer Sciences, Purdue University, W. Lafayette IN 47907-2004 Internet: spaf@cs.purdue.edu uucp: ...!{decwrl,gatech,ucbvax}!purdue!spaf