Grazing Voicemail Passwords

by Non-Sequential

When it comes to password security, most people know that they should use strong passwords on their computers, but this doesn't stop many of them from using weak passwords on their voice mail.

Voice mail passwords, sometimes referred to as PINs, can provide much more than just access to voice mail in an office PBX.  Depending on the PBX, a password can mean access to the extension's settings, the ability to answer or forward calls remotely, or the power to make outbound calls through the phone system at the business's expense.

I recently had access to configuration information for several thousand phone systems currently in use in the field, which happen to store voice mail passwords in clear text.

40,310 extensions in these systems had passwords.  I decided to take this opportunity to compile some interesting statistics based on this real-world data.  I put together a few scripts and thought I'd share the results with my fellow readers.

Length of Passwords

This particular system required a minimum of 3 digits for passwords, up to a maximum of 10 digits.

I expected that most users would use the bare minimum length, but in fact many more people seem to feel better about going above and beyond with a minimum-plus-one (4-digit) password.

As you'd expect, very few used the maximum 10-digit length.

Here's the breakdown:

Length  Occurrences   Percentage
4             22858        56.7%
3             10340        25.6%
6              3164         7.8%
5              2155         5.3%
7               904         2.2%
8               521         1.3%
10              202         0.5%
9               166         0.4%

Over 80% of the passwords were 3 or 4 digits; that certainly narrows the field for anyone looking to guess these passwords, since there are only 1,000 possible 3-digit and 10,000 possible 4-digit values.

Depending on the system and whether it has a delay between password attempts or does any kind of locking after a number of failed attempts, brute-forcing a 3- or 4-digit password is well within reason.

Common Passwords

Let's take a look at some commonly used passwords.

As you can imagine, with over 80% of the passwords in the 3- to 4-digit range, there aren't that many possibilities, so there are lots of duplicate passwords.

I decided to limit this to the top 25 most frequently occurring numbers, as the percentages dropped off quite a bit beyond that:

Rank   Password    Occurrences   Percentage
01          123           1582         3.9%
02         1234           1520         3.8%
03          111            587         1.5%
04         1111            410         1.0%
05          999            317         0.8%
06          007            255         0.6%
07          333            207         0.5%
08          555            199         0.5%
09          369            198         0.5%
10         0000            180         0.4%
11          000            152         0.4%
12          777            146         0.4%
13         9999            146         0.4%
14         7777            136         0.3%
15         6969            129         0.3%
16         2580            126         0.3%
17         5555            122         0.3%
18         2001            119         0.3%
19          321            116         0.3%
20         2222            107         0.3%
21         3333             99         0.2%
22         7997             98         0.2%
23         4444             97         0.2%
24         4748             93         0.2%
25         2000             85         0.2%
                     Total Percentage: 17.9%

I excluded passwords equal to the extension number from the table above because that case is so painfully common it deserves its own statistic.

The number of passwords that were the same as the extension number: 3799 (9.4%).  Yikes!

The passwords above, together with the extension number itself, account for more than 25% of all passwords in the data, meaning there's a one in four chance of guessing an extension's password using just these 26 guesses.

If someone's goal is to make calls through a phone system, then all they may need is control of one extension.  Being able to break one out of four extension passwords quickly is more than enough.

Words in Digits

Some PBXs refer to the passwords as PINs, some as passwords.

Since this system refers to them as passwords, I was curious how many people took that to heart and entered their passwords as a word on their phone keypad.  I took a dictionary file and wrote a script that converted it to digits based on a phone keypad, then compared it to the passwords in the data.

Of course, I can't tell for sure that these were entered on purpose, but I limited the search to 5- to 10-digit passwords since smaller passwords had a higher chance of being purely coincidence.
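The scripts behind the statistics above (length breakdown, most common passwords, passwords equal to the extension) and the keypad-word check described in this section are not reproduced in the article. The following is an added example, not the author's code, that performs all of those checks over a constructed list of (extension, password) pairs standing in for a PBX configuration export; the sample records, the tiny word list, and the "weak" rules (equal to extension, all one digit, a consecutive run, or 4 digits or fewer) are assumptions chosen for illustration.

```python
"""Voice mail PIN audit over a PBX configuration export (constructed sample data)."""
from collections import Counter
from typing import Dict, List, Sequence, Tuple

# Standard telephone keypad letter groups (2=ABC ... 9=WXYZ); 0 and 1 carry no letters.
KEYPAD = {
    "2": "abc", "3": "def", "4": "ghi", "5": "jkl",
    "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz",
}
LETTER_TO_DIGIT = {ch: digit for digit, letters in KEYPAD.items() for ch in letters}

# Constructed sample records: (extension, voice mail password). Not real data.
SAMPLE_RECORDS: List[Tuple[str, str]] = [
    ("201", "201"),       # password equals the extension
    ("202", "1234"),      # ascending run
    ("203", "123"),       # minimum length, ascending run
    ("204", "78833"),     # "stuff" on the keypad
    ("205", "4444"),      # repetitive
    ("206", "2580"),      # middle column of the keypad
    ("207", "372466"),    # "dragon"
    ("208", "007"),
    ("209", "36837"),     # "enter"
    ("210", "98765"),     # descending run
    ("211", "1234"),
    ("212", "1111"),
    ("213", "796733474"), # "swordfish"
    ("214", "5551212"),   # looks like a phone number
]

# Small constructed word list standing in for a full dictionary file.
SAMPLE_WORDS = ["stuff", "elephant", "enter", "dragon", "secret", "swordfish", "hobbit"]


def word_to_digits(word: str) -> str:
    """Map a word onto keypad digits ('stuff' -> '78833'); '' if any character has no key."""
    try:
        return "".join(LETTER_TO_DIGIT[ch] for ch in word.lower())
    except KeyError:
        return ""


def is_repetitive(pin: str) -> bool:
    """True when every digit is the same, e.g. 1111 or 999."""
    return len(set(pin)) == 1


def is_sequential(pin: str) -> bool:
    """True for an ascending or descending run of consecutive digits, e.g. 1234 or 321."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})


def guess_coverage(records: Sequence[Tuple[str, str]], guesses: Sequence[str]) -> float:
    """Fraction of extensions opened by trying the extension number plus a fixed guess list."""
    guess_set = set(guesses)
    hits = sum(1 for ext, pin in records if pin == ext or pin in guess_set)
    return hits / len(records)


def audit_pins(records: Sequence[Tuple[str, str]], words: Sequence[str] = SAMPLE_WORDS,
               top_n: int = 25, word_min: int = 5, word_max: int = 10) -> Dict:
    """Reproduce the article's statistics plus a per-extension list of weak PINs."""
    total = len(records)
    lengths = Counter(len(pin) for _, pin in records)
    same_as_ext = sum(1 for ext, pin in records if pin == ext)
    # Top-N is computed over passwords that differ from the extension, as in the article.
    common = Counter(pin for ext, pin in records if pin != ext).most_common(top_n)
    # Keypad-encode the dictionary once, then look up only 5- to 10-digit passwords.
    digit_words = {word_to_digits(w): w for w in words if word_to_digits(w)}
    word_hits = Counter(
        digit_words[pin] for _, pin in records
        if word_min <= len(pin) <= word_max and pin in digit_words
    )
    weak = [
        (ext, pin) for ext, pin in records
        if pin == ext or is_repetitive(pin) or is_sequential(pin) or len(pin) <= 4
    ]
    return {
        "total": total,
        "lengths": dict(lengths),
        "same_as_extension": same_as_ext,
        "same_as_extension_pct": round(100 * same_as_ext / total, 1),
        "common": common,
        "word_hits": dict(word_hits),
        "weak": weak,
    }


if __name__ == "__main__":
    report = audit_pins(SAMPLE_RECORDS)
    for key in ("total", "lengths", "same_as_extension", "same_as_extension_pct",
                "common", "word_hits"):
        print(f"{key}: {report[key]}")
    for ext, pin in report["weak"]:
        print(f"weak PIN on extension {ext}: {pin}")
    print(f"coverage of ext + {{123,1234,111,1111}}: "
          f"{guess_coverage(SAMPLE_RECORDS, ['123', '1234', '111', '1111']):.1%}")
```

On a real export, replace SAMPLE_RECORDS with the parsed configuration and SAMPLE_WORDS with a full word list; words containing characters that have no key (hyphens, apostrophes) are skipped rather than mis-encoded.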

While there weren't any major standouts as far as commonality goes, there were some that caught my eye that I doubt were coincidence:

Password     Occurrences
stuff        9
elephant     6
enter        5
dragon       3
swinger      3
warlock      3
magician     2
president    2
hobbit       1
lollipop     1
messages     1
rosebud      1
secret       1
swordfish    1

Most of these are pretty amusing, and I think many of the words being a little geekier makes sense; users who are somewhat more security conscious are probably a little geekier and are entering a longer number in a way that they can easily remember.

Although the occurrence of president made me picture the president of a small company who thinks way too highly of himself.

A Few Others

There were a few more passwords I just had to search for:

Password      Occurrences   Percentage
007 & 007007          334          0.8%
666                    84          0.2%
420                    17         <0.1%
1984                   10         <0.1%
8675309                 5         <0.1%
2600                    3         <0.1%
314159                  1         <0.1%

Wrapping Up

The results weren't all that surprising:

  • People use short passwords.
  • They tend to use their extension number or sequential or repetitive sequences.

There are many people who can count to four, others who think they're James Bond and many more who can't be bothered with remembering a number other than their extension.

I would guess that many of the 7- or 10-digit passwords could be phone numbers, maybe even the office that the phone system is at, but I don't have a great way of verifying that idea.

If you're a PBX administrator, it may be difficult to police your users' passwords.

Your best bet is to make sure your PBX doesn't allow any remote access that isn't absolutely necessary, such as calling through the system remotely or forwarding an extension remotely to an outside phone number.  Don't assume that remote access features aren't enabled by default; double-check, as some PBXs ship with them enabled.

Of course, you'll need to make sure these settings can't be altered remotely either.

Overall, it seems that people just don't care about the security of their PBX extensions.

Once their office gets a $30,000 phone bill from one long weekend of international calls through their hacked extension, maybe they'll give it a little more thought - and odds are it will happen sooner rather than later.
