Recycled ‘burner’ number sends sex worker’s clients to security researcher
A security researcher got an eyeful of a sex worker’s client base when he investigated a VoIP service whose disposable "burner" phone numbers are being recycled.
By Violet Blue for Zero Day | September 9, 2014 — 12:02 GMT (05:02 PDT) | Topic: Security
Neohapsis Labs Senior Security Consultant Rob Beck was on an engagement that had him checking out the "burner" feature of a VoIP company.
It turns out the disposable numbers aren’t being disposed of — they’re being given to the next customer in line.
Beck found out quickly and explicitly that the service had issued him the "disposable" number of an escort — and her clients clearly thought she was still at the same number. Beck said: "Going based solely on the contents of the SMS messages received, as well as some of the voicemails left on my trial number messaging service, the previous possessor was also a specialized professional who is used to charging an hourly rate; let’s just say that her chosen profession was of a much more discreet and intimate nature."
When he began the engagement, he activated the "burner" number and moved on to other work to let the trial period run out. Only 48 hours after Beck activated the "burner" number, Beck said, "I was greeted with text upon text message asking if he/she was available, what their hourly rate was, as well as a few much more graphic explanations of specific requests the potential clients would like performed."
Burner numbers aren’t "fake" phone numbers; they can be used like a regular number, including text functions — and as Beck found out, also for exchanging SMS photos.
"What was more surprising, and traumatizing," Beck said, "was that some of these individuals had chosen to send naughty-gram picture messages of their previous work with this professional, private pictures in admiration of this person, and well, you have an imagination."
Beck explained that none of the previous number’s clients had any clue that they had been contacting their escort via a burner number — or more importantly, that it was now in possession of another person altogether.
He commented, "The problem was made worse for them because of the features provided by this service; as previously mentioned, the VoIP service offers Caller ID. I was not only receiving the correspondence from this lengthy list of previous contacts, but now I had the phone numbers they were using to reach me." He continued:
"This situation now not only posed a risk to the previous proprietor of this phone number, permitting me access to their contacts who had reached out to her, but exposed her clients and potential clients to exposure from an unknown individual now in possession of their information.
(...) Due to the disclosure of their phone numbers coupled with the power of Google and other search engines, the potential for extortion by a random individual who is now in possession of compromising photos is also a reality."
Beck doesn’t think it’s good form to name the company engaging in these shady practices. He told ZDNet, "There are a number of apps like this for iOS and Android, with more appearing every month, some of the more well-known ones are: Burner, Hushed, Lineup, and YOONumbers."
He wants his experience to be a warning to anyone who assumes that "burner" phone number apps expire your number instantly — or never recycle it.
A "burner" typically refers to a throwaway prepaid cell phone, made popular in the US by the HBO series "The Wire", where burner phones were used by drug dealers to evade wiretapping.
A burner app, such as the one tested by Beck, lets users purchase disposable phone numbers for short-term use.
A burner app has many practical everyday uses, such as permitting people to buy and sell things on Craigslist or eBay without compromising their phone number privacy.
Burner numbers are a particularly clever privacy safeguard for women who want to try out online dating.
The most popular burner app for iOS and Android, appropriately named "Burner", states that each Burner number is disposable and expires after seven days or 20 minutes (or 60 text messages) of use, whichever comes first.
Burner (the app) is especially careful about deep-sixing their users’ numbers. Regarding the end of a number’s use, Burner states,
Done with the number? Click "burn" and the Burner number goes out of service, wiping it from your phone and stopping texts or calls to the number.
Beck tells us, "When a traditional number is deactivated there is a period of callers receiving that ‘This number is no longer in service’ message, a constant busy signal, text messages failing to deliver, or some other subtle means of letting the caller know that the number is dead. Phone providers have the luxury of doing this because of the large amount of phone numbers they have to allocate among their existing and new user base."
He explained that apps assigning burner numbers don’t have the same "luxury."
"They have to procure their phone number pools ahead of time, then they set up their VoIP servers and map all the end-points. If the service is intended to be used as this sort of ‘burner’ one-stop shop, they’ll inevitably have to recycle their numbers at a much more rapid rate just to stay ahead of their users’ needs; this doesn’t permit them the capability to truly offer the deactivation period to signal to others that the number is in flux.
The services themselves aren’t doing anything beyond what they have to make their users happy, which is kind of the unwritten agreement between the service and the user – we give you a number for a finite period of time, you use it for whatever purpose you need it for, no other warranties or security features are explicitly called out.
Sadly this last chunk is what offloads the responsibility (and liability) of op-sec to the recipients of these numbers."
Solving this problem, Beck told ZDNet, is going to pose quite a challenge.
He said, "In the scenario that I encountered during my testing, a solution might have been something as elementary as a social challenge/response, but again, this would have been something that needed to be set up and agreed upon with the previous user of the phone number."
Beck seems to think that protecting ourselves from scenarios like this means a shift in the way we think of phone numbers. "We need to treat phone numbers as untrusted resources that build up trust with us over time as they’re used regularly by the same people to communicate with us – I think that’s where the biggest issues are, in perception of what a phone number is when it’s provided to us. Traditionally a phone number was a pretty static thing, we’re just not used to phone numbers being as disposable as email addresses, and I think that has to change for a lot of us."
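To make the two points above concrete (a pool that reissues numbers immediately because it cannot afford a deactivation period, and a reassigned number that should not inherit the previous holder's trust), here is a small Python model written for this article; it is not code from Beck, Neohapsis or any burner provider. It assumes a toy pool of constructed numbers and timestamps, and shows the one thing a provider could do with the Caller ID data it already has: bounce callers who reached the previous holder for a grace window instead of forwarding them to the next customer.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Assignment:
    number: str
    owner: str
    released_at: Optional[float] = None
    contacts: set = field(default_factory=set)   # caller IDs seen while this owner held the number

class BurnerPool:
    """Toy burner-number pool (constructed example).

    Numbers go straight back into the free list when burned, as the article
    describes. The mitigation is in route_inbound(): a caller who reached the
    previous holder gets 'not in service' for grace_seconds after the burn,
    rather than being forwarded to whoever holds the number now.
    """

    def __init__(self, numbers, grace_seconds):
        self.free = deque(numbers)
        self.active = {}      # number -> current Assignment
        self.previous = {}    # number -> most recently released Assignment
        self.grace = grace_seconds

    def allocate(self, owner):
        if not self.free:
            raise RuntimeError("number pool exhausted")
        number = self.free.popleft()
        self.active[number] = Assignment(number, owner)
        return number

    def burn(self, number, now):
        done = self.active.pop(number)
        done.released_at = now
        self.previous[number] = done
        self.free.append(number)   # no quarantine: the next customer gets it

    def route_inbound(self, number, caller, now):
        prev = self.previous.get(number)
        cur = self.active.get(number)
        # Known contact of the previous holder inside the grace window: bounce,
        # so the new holder never sees the previous holder's traffic.
        if prev and caller in prev.contacts and now - prev.released_at < self.grace:
            return ("bounce", None)
        if cur is None:
            return ("bounce", None)   # number currently unassigned
        cur.contacts.add(caller)
        return ("deliver", cur.owner)
```

With grace_seconds set to 0 the model reproduces the incident in the article: the previous holder's clients are delivered straight to the new customer.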
Beck added, "I suspect we’ll see a new service offering going forward, services that identify burner number pools and providers that are used for burner numbers."
Until then, it’s caller — and receiver — beware when it comes to burner numbers.