A continuing little Telstra privacy breach

There was movement at the station, for word had passed around that the media was picking up their pens…

This post follows on from yesterday’s revelation that the new recipient of a completely formatted iPhone is receiving my voicemail…

Today kicked off at full speed when I woke to a swathe of support and comments from my reddit post. There was the suggestion again that the IMEI of my old device was part of the problem, concern about the overarching privacy issues and someone suggesting that I contact Apple, which I didn’t believe was necessary. Apple definitely knows about the issue now though! But let’s take a step back…

Early this morning I received a tweet from Telstra offering to investigate the issue, again reiterating this was unique and shouldn’t be possible. Shortly after this a journalist from a tech news site got in touch, though I didn’t have any more for him than was available online. Things then got a little more exciting when I finally received a call mid-afternoon from someone who deals with Telstra’s “complex complaints”. While he once again left me feeling like he didn’t believe this was happening, he seemed to be in more of a position to get the wheels rolling, which they did tonight, finally.

Late in the day another major newspaper also got in touch. Both journalists said they had reached out to Telstra…

The big news though is that at around 19:30 tonight I received a message from a very senior Telstra voicemail engineer. Straight off the bat I knew he was the guy who would get this sorted. I will respect his privacy here as I doubt he’s in a public role, but after all of the disbelief and hand-balling, he confirmed that the logs showed my voicemail account being accessed by two separate devices and with a direct contact at Apple, he now had them in disbelief himself.

I want to do some reading about visual voicemail now so I can understand the service’s architecture, but ultimately my old device has retained some level of authentication with the service and is stuck in the mode of thinking the new owner has visual voicemail enabled, which he doesn’t. The records show the other device is accessing my voicemail without requesting authentication. Needless to say, Telstra finally acknowledges and is concerned about the issue and Apple is closely watching the outcome of further tests.

The engineer also confirmed that yesterday’s deactivation and reactivation of my visual voicemail wouldn’t change any security on the service, so it was never going to work. He has now completely removed my visual voicemail service and created a new one with new authentication tokens. For now he can see my old device continuing to request messages (using its cached and now invalid credentials), but it won’t receive any. Excellent!

There is clearly a wealth of investigation still to do; he’ll probably want to get his hands on that device! And while my ultimate quest for answers, and for a guarantee that systems and processes will be established to prevent this ever happening again, is far from over, the immediate privacy concern has abated.

Oh, an hour ago Telstra’s twitter team updated me that they’re still investigating the issue, but again suggested I’ve left my Apple ID signed into the device… ¯\_(ツ)_/¯

Stay tuned for more. 🙂

6 Comments

  1. Hi Richard,
    I had the same thing happen to me when I passed an old iPhone 5 onto my mother-in-law. She was getting my voicemail for about 6 months.
    I believe the problem is when the iPhone 5 activates using a Telstra SIM card it pulls down all the voicemail settings (including Visual Voicemail). I tried to delete the voicemail setting etc., but this didn’t work. I ended up wiping the iPhone and used a Telstra Pre-Paid SIM to activate the phone. This finally fixed the issue.
    Please contact me if you need more info. Cheers
    Matt

    • Thanks Matt. I will definitely get in touch! Would love to ask a couple of questions. I’ve mentioned your comment to the Telstra engineer I’m in touch with (without revealing your details of course) but haven’t heard anything from him since Saturday. Your description makes sense – though that this continues with a new service on the device is clearly a problem.

  2. Just wanted to provide some info about how visual voicemail works, or at least used to work based on my own reverse-engineering done in mid-2013.

    VVM is basically a standard IMAP mailbox with voice messages attached to standard email items (can’t remember the exact format of the messages, but it doesn’t matter in your case). When the mobile network detects a new IMEI/IMSI pair connecting to the network, it sends out a text with the address of the IMAP server and a username/password pair. This text is interpreted by VVM-capable smartphones and is not shown to the user.

    For some reason Telstra sent *your* VVM credentials to the new phone even though the IMSI was different (maybe you bought the phone from them so the IMEI is associated with your contract and for some reason the IMEI alone was sufficient to send the credentials, bypassing the IMSI check to see whether your SIM card was actually in the phone). In any case, the Apple ID has absolutely nothing to do with this and is only a prime example of customer service incompetence.

    • Thank you for providing this info! The use of “invisible” TXTs for communicating between carriers and devices is something I have only learnt about during this process. And the fact VVM is pretty much IMAP. It’s fascinating, thanks.

      Telstra have said on record that the IMEI is never used for authentication with VVM but they’re trying to work out how that authentication – even if it was originally sent correctly (i.e. back when I used the device) – continued to work with someone else’s SIM in the device.

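A model of the provisioning and login flow the commenter describes above, and of the cached-credential question in the reply, written as an added example for this post (it is not Telstra’s or Apple’s code, nor the commenter’s): the IMEI/IMSI values, the host name and the class and function names are constructed. It contrasts keying provisioning on the IMEI alone with keying it on the (IMEI, IMSI) pair, and shows why only re-issuing the tokens, as the engineer did, stops a handset that keeps replaying credentials it cached earlier.

```python
import secrets

class VvmService:
    """Hypothetical visual-voicemail provisioning and IMAP login model."""

    def __init__(self, bind_to_imsi=True):
        self.bind_to_imsi = bind_to_imsi
        self.subscribers = {}   # imsi -> mailbox owner
        self.device_links = {}  # imei -> imsi last provisioned on that handset
        self.tokens = {}        # token -> (owner, imei it was issued to)

    def register(self, imsi, owner):
        self.subscribers[imsi] = owner

    def attach(self, imei, imsi):
        """Handset (IMEI) with SIM (IMSI) joins the network; returns the hidden
        provisioning SMS payload (IMAP host, username, password). With
        bind_to_imsi=False the lookup is keyed on IMEI alone, so a handset that
        was provisioned before keeps receiving its old owner's credentials."""
        if self.bind_to_imsi:
            # Subscriber identity wins: re-link the handset and drop any token
            # still cached on it from a previous owner.
            self.device_links[imei] = imsi
            self.tokens = {t: v for t, v in self.tokens.items() if v[1] != imei}
        else:
            self.device_links.setdefault(imei, imsi)
        owner = self.subscribers[self.device_links[imei]]
        token = secrets.token_hex(8)
        self.tokens[token] = (owner, imei)
        return ("vvm.example.invalid", owner, token)

    def imap_login(self, username, token):
        entry = self.tokens.get(token)
        return entry is not None and entry[0] == username

    def rebuild_mailbox(self, owner):
        """Delete and recreate the service with fresh tokens (the fix applied in
        the post): every credential cached for this owner stops working."""
        self.tokens = {t: v for t, v in self.tokens.items() if v[0] != owner}

def resale_scenario(bind_to_imsi):
    """Wiped handset re-attaches with a new owner's SIM (constructed IDs).
    Returns (username sent to the new owner, old cached token still valid)."""
    svc = VvmService(bind_to_imsi)
    svc.register("IMSI-OLD", "old-owner")
    svc.register("IMSI-NEW", "new-owner")
    _, _, cached = svc.attach("IMEI-HANDSET", "IMSI-OLD")
    _, sent_to_new, _ = svc.attach("IMEI-HANDSET", "IMSI-NEW")
    return sent_to_new, svc.imap_login("old-owner", cached)
```

`resale_scenario(False)` reproduces the symptom in the post (the new owner is handed the old owner’s mailbox and the old token keeps working); `resale_scenario(True)` shows the binding that prevents it.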
    • Thanks! That is very interesting reading. If I hadn’t had such a bad experience with early Blackberry devices I’d consider the switch. 😉

