spaf@cs.purdue.edu (Gene Spafford) (09/14/90)
Two comments on short security codes on answering machines. But
first, the background story:
A few months ago, I started getting harassing phone calls from some
phreaks/crackers who evidently did not like my association with the
CERT (tenuous as it is). So, at 3am, the phone would ring and it
would be these guys in a conference call making threats. It really
got old quickly, and bothered the spousal unit something fierce
(especially when they started threatening her instead of me).
So, I pulled out my answering machine and set it up to answer the
phone, and then shut our phone off at 11pm every night. Sure enough,
that night at 3am, they tried to finger-phreak the security code. The
machine is one of the PhoneMate models that comes with a single-digit
code. For some reason, they missed the code and spent the rest of
their call recording interesting vulgarities.
I called PhoneMate to see if there was a way to disable the remote
feature. None.
I asked why the code was only one digit. The reply? They tried
longer codes once, but too many customers complained because they
couldn't remember the codes. How long were the codes? Three
digits...
For a small fee, I shipped the machine back to them and they modified
it so it takes a hand-held tone-key now to trigger the remote
features. I dunno how many different keys they have, but I suspect
that not many people have them, and from the sounds of it, it has some
hairy harmonics in it that would prevent any simple spoofing.
If your machine has too short a security code, call the manufacturer
and see what they can offer. PhoneMate told me if my machine was
still under warranty, the modification to the machine would be free,
and I'd only have to pay for the key.
Gene Spafford
NSF/Purdue/U of Florida Software Engineering Research Center,
Dept. of Computer Sciences, Purdue University, W. Lafayette IN 47907-2004
Internet: spaf@cs.purdue.edu uucp: ...!{decwrl,gatech,ucbvax}!purdue!spaf