VoiceMailAutomator – Compromising Online Accounts by Cracking Voicemail Systems

voicemailautomator is a tool that serves as a Proof of Concept for “Compromising online accounts by cracking voicemail systems”.

voicemailautomator supports two actions:

  • “message” – retrieves and records the newest message in the voicemail system. It returns a URL with the recording.
  • “greeting” – changes the greeting message to specific DTMF tones


It uses webhooks to obtain information about the ongoing calls and act accordingly. It starts a Webserver on localhost:8080 and uses service to reach the machine running the script.



You will need a funded Twilio account, setup TwiML bins and configure to accept Webhooks. Check the “Twilio setup” section in the script and add the missing information

account_sid = “” # Obtain from Twilio auth_token = “” # Obtain from Twilio twimlPayloadChangeGreeting = “” # twimlPayloadChangeGetNewestMessage = “” # status_callback_url = “” # Obtain from



python message --victimnumber 5555555555 --carrier tmobile --callerid 4444444444 --backdoornumber 3333333333 --pin 0000
python greeting --victimnumber 5555555555 --carrier tmobile --callerid 4444444444 --backdoornumber 3333333333 --pin 0000 --payload 1234 is:


vociemailcracker uses Twilio, a VOIP service that allows you to programmatically manage phone calls. voicemailcrackerlaunches hundreds of phone calls at the same time to interact with voicemail systems and bruteforce the PIN.



Bruteforcing the entire 4-digit keyspace costs less that $40. If you want to ensure a 50% chance of guessing the PIN correctly (according to Data Genetics research), it would cost you only $5. If we want to take a different approach, you can check a thousand different voicemails for the default PIN for only $13.



voicemailcracker comes with specific payloads for every major US carrier and automates everything. You only need to provide the victim’s phone number, the carrier, an the callerID provided by Twilio, that’s all.



vociemailcracker uses Data Genetics research to optimize bruteforcing. It will favor common PINs, default PINs and patterns. It also tries multiple PINs at the same time to reduce the number of calls needed.



Instead of call flooding, we can use OSINT techniques to find out when the victim has the phone disconnected. It is very common for people to share their plans on Twitter like when they are flying, in the movie theater or going to a remote trip. The phone may also be set to Do Not Disturb overnight.




So what? We can compromise voicemails… big deal! Probably, if you are like me, all messages you have are scammers and marketing campaigns. Well, this was the point of my DEF CON talk. There is much more to it. If an attacker has access to your voicemail, he may be able to compromise your email, social networks, financial services, private conversations, track you and more…


Automated phone calls as a secure channel

You may not be as familiar with this as with SMS but have you ever tried to reset your password and got a 6 digit code on your phone you had to enter to complete the password reset process? Turns out, many online services allow you to receive an automated phone call instead of a SMS. A recording will reveal the secret code and you can finish resetting your password. My question to you is, what happens if you don’t pick up the phone? The voicemail system will, and the automated call can’t tell if it was you or the voicemail who picked up. The recording will play the secret code, the voicemail will store the message, and the attacker has now access to it.


To Top