Secure your GrandCentral voicemail

GrandCentral: I love ‘em, but their beta status never strays too far from mind. Today, for instance, I discovered that for an attacker with any sort of ill will and very basic internet skills, my voice mailbox is wide open.

Have you ever noticed that, when you call your voicemail number (your GrandCentral number, that is, from your cell phone), you’re not asked for a PIN? You’re simply whisked straightaway to your messages. I never noticed, and if I had, I’d have probably chalked it up as one more convenient feature of GrandCentral’s design. As it turns out, though, a little thought reveals that this “feature” opens up a huge security flaw.

Think of how GrandCentral processes an incoming call to your GC phone number. It needs to determine first whether it’s you calling or someone else. So, in essence, it determines whether the caller hears your voice mailbox or your Ringshare. GrandCentral makes this determination using the only information that the caller has provided: his or her phone number, via the caller ID standards. If GrandCentral doesn’t think the phone number it’s seeing belongs to you, then your phone rings. If it recognizes the number as the one you’ve told it is your cell phone, then bam! instant access to your inbox.

Notice the lengths I went to in order to avoid saying simply that if it’s your cell phone, you get your inbox. That’s because GrandCentral truly doesn’t know a thing about your cell phone, except that it has some ten-digit phone number — and that’s only because you told it so when you set up your account. You can see where the problem might lie, then: if there’s a situation where some other phone still registers as having your cell phone number, then Bad Things could start happening.

And today, that situation is very possible. Caller ID was never meant to serve as a form of authentication; as such, it’s very easy to spoof. If someone knows your GrandCentral phone number and can operate Google using no more complicated keywords than I just did, he or she can get access to your voicemail. If you haven’t set a PIN on your account, the attacker could even change your call settings and re-record your voicemail greetings. I leave it to the reader to imagine the problems that that capability could cause.

Fortunately, the workaround is simple, if not elegant. First, if you haven’t set up a PIN, do it! Now! In addition to being a good idea in general, it’s also required to make the “fix” work. Second, go to the “Phones” section of the “Settings” tab. What you need to do is relabel your cell phone(s) as something else. Straight from the horse’s mouth:

“If you want to be prompted for the PIN when you call from your cell, just change the category on the Phone Settings from our site. Change the cell phone category from cell to office or home and every time you call from your cell you will be prompted for the PIN.”

(This comes from a support email I received when I asked GrandCentral about this problem.) Apparently, GrandCentral is assuming that you and you alone make calls from your cell phone, while others might use your work or home phones. At any rate, these other categories ring through as if you were calling yourself, and this is exactly what we want. Now when you call your voicemail number from your cell, just hit “*” as the phone’s ringing, and you’ll be prompted for your PIN. Voilà! Safer voicemail!
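As an added illustration (not GrandCentral’s code; the account, phone numbers, categories and function names below are constructed to mirror the post’s description), here is a small Python model of the routing decision described above: caller ID is treated as an unauthenticated hint, a phone labelled “cell” is dropped straight into the inbox, and relabelling it as “home” or “office” forces the “*”-then-PIN path even when someone presents your cell number.

```python
"""Toy model of the voicemail-access decision described in the post.

Assumptions (not GrandCentral's real implementation):
  - each phone on the account is labelled with a category string;
  - category "cell" means "treat a caller-ID match as the owner";
  - any other category rings through like a normal call, and pressing "*"
    while it rings asks for the account PIN before opening the inbox.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Account:
    number: str                       # the GrandCentral number being called
    pin: Optional[str]                # None models "owner never set a PIN"
    phones: Dict[str, str] = field(default_factory=dict)  # phone number -> category


def route_call(account: Account, caller_id: str,
               pressed_star: bool = False,
               pin_entered: Optional[str] = None) -> str:
    """Return where the caller ends up: "inbox", "ring" or "denied".

    caller_id is whatever the network delivered.  It is not authenticated,
    which is the post's point: a caller-ID match proves nothing by itself.
    """
    category = account.phones.get(caller_id)

    # Original behaviour: a number labelled "cell" is assumed to be the owner,
    # so the caller is whisked into the inbox with no PIN prompt at all.
    if category == "cell":
        return "inbox"

    # Home/office/unknown numbers ring through as an ordinary incoming call.
    if not pressed_star:
        return "ring"

    # "*" during ringing means "I am the owner, open my inbox".  Without a PIN
    # on the account there is nothing to check against, so we keep ringing
    # (a modelling assumption; the post only says a PIN is required for the fix).
    if account.pin is None:
        return "ring"
    return "inbox" if pin_entered == account.pin else "denied"


def demo() -> Dict[str, str]:
    """Compare the default 'cell' label with the relabelled account.

    All numbers are constructed sample values.
    """
    owner_cell = "555-0100"
    before = Account("555-0199", pin="1234", phones={owner_cell: "cell"})
    after = Account("555-0199", pin="1234", phones={owner_cell: "office"})

    # Someone who merely presents the owner's cell number as caller ID.
    presented_as_owner = owner_cell

    return {
        # Default label: straight to the inbox, no PIN asked.
        "before_presented": route_call(before, presented_as_owner),
        # Relabelled: "*" gets a PIN prompt, and a wrong/missing PIN is refused.
        "after_presented": route_call(after, presented_as_owner, pressed_star=True),
        # Relabelled, real owner with the PIN: inbox as intended.
        "after_owner": route_call(after, owner_cell, pressed_star=True, pin_entered="1234"),
        # Relabelled, owner lets it ring without "*": behaves like any other caller.
        "after_owner_no_star": route_call(after, owner_cell),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The only thing that changes between `before` and `after` is the category string, which is exactly the one-line settings change the support email recommends; the presented caller ID is identical in both runs.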


About this entry