Main:
how to break into a variety of answering machines
Section 1: The Introduction
Many years ago I remember reading a tutorial called "Hacking Answering Machines". This tutorial was apparently written back in 1989, when answering machines were just blossuming into the market. This was back during the days of cassette-recorder answering machines. The tutorial spoke of different vendors and models that used for the most part 2-digit passwords for remote access. It is now the year 2005, and for the most part cassette-recorder answering machines are a thing of the past, replaced by digital answering machines. Surely they've beefed up security since then, right? Wrong. The truth is though most answering machines are now digital, and many new features have been added to them since then, the password scheme is still pretty much the same. That is where this tutorial comes into play. To show you, the reader, how to gain access into these newer digital answering machines using the same techniques that were used 15 years ago (yeah, I know, sad isn't it?). So without further crap....
Section 2: Gaining Access
The easiest way to gain access into an answering machine is to use it's preset access code. This is the access code set at default by the vendor on the given device. The best thing about this is that most users don't bother to change the access code to their device, if they even know that they have such a feature. Even worse yet, some of the manuals given for the device by it's vendor even tells the user that changing the access code is optional, not necessary. So of course since most people only do what they feel is necessary, these access codes are many times if not usually set at default. So what I'm going to do for you now is list the different popular vendors out there, and include their preset access codes, how to use them, and controls to use after gaining access. Keep in mind that if there is no model number beside the vendor, then that means that the information given works on most of their models. Likewise of course if there is a model identification beside the vendor name (placed in parenthesis) then that of course means that the information provided is model dependant. So let's begin, shall we?
1) AT&T - preset access code is 10 - when the answering machine picks up punch in the access code
7 - play messages
6 - play new messages
# - stop/pause
2 - repeat message
5 - skip message
4* - record announcement (push # to end recording)
41 - play announcement
* - record memo
33 - delete all messages
3 - delete selected
0 - turn system on
88 - turn system off
99 - change remote code
2) BellSouth - preset access code is 555, Mailbox 1: 555, 2: 666, 3: 777, 4: 888 - when the machine picks up hit * and then punch in the access code
0 - help (use this to get the commands available)
3) Freestyle - preset access code is 000 - when the machine picks up push in the D button and then punch in the access code
2 - play all messages
3 - play new messages
4 - skip back during messages
5 - delete during messages
6 - skip forward during messages
8 - play outgoing message
9 - record new outgoing message
0 - set answering machine on/off
1 - hear main menu
4) Vtech (VT650) - preset access code is 0000 - enter access code during announcement
#4 - repeat message
#5 - pause message
#6 - skip to next message
#7 - delete message
#8 - skip backwards
#9 - stop/exit any function
*8 - room monitor
5) Vtech (VT2650/VT2468) - preset access code is 50 - enter access code during announcement
#4 - repeat message
#6 - skips message
#5 - stops
#9 - delete message
#7 - review announcement (after beep press 7 to record an announcement and use #5 to stop)
6) Vtech (HK5886) - preset access code is 48 - enter access code during announcement
#1,2,3 - play new or old messages
#4 - repeat message
#6 - skip message
#5 - stop
#9 - delete message
#7 - review announcement (after beep press 7 to record an announcement and use #5 to stop)
7) Olympia (OL2410) - preset access code is 0000 - enter access code during accouncement
1,2,3 - select and play messages
4 - repeat message
44 - ignore message
6 - play next message
7 - delete current message
8 - record memo
9 - record announce (5 to stop)
0 - toggle answer on/off
* - play help menu
8) Doro - preset access code is 321 - enter access code right after outgoing message has played (or during)
1 - repeat/skip to previous message
2 - play/pause message
3 - skip to next message
4 - play current outgoing message
5 - record new outgoing message
6 - stop
7 - erase current message
8 - switch off answering machine
9 - switch on answering machine/select outgoing message
0 - (after playback) erases all messages
# - end playback
## - end call
9) Virgin Pulse cordless phone - preset access code is 123 - enter access code during outgoing message
1 - review current message
2 - skip to next message
3 - erase the current message
4 - play all or new messages
7 - repeat voice menu
0 - turn on/off TAD
10) Panasonic - preset access code is 11 or 1111 - enter access code during outgoing message
4 - new message playback
5 - all message playback
1 - repeat
2 - skip
9 - stop
7 - record new announcement (use 9 to end recording)
There are also a few random vendors that don't automatically preset an access code on the machine, forcing it's user to set one up him/herself. This is a small step forward as far as security is concerned, but every vendor I saw that did this still used a mere 2-digit access code. To test and see if your target has this type of setup press # when the machine start, and then press 0. If the machine returns to the annoucement then you know this is the kind of machine it is. Of course, in reality, this isn't all that bad of a scheme since you have 100 different combinations available for the access code. However, most users simply set these access codes as 11, 22, 69, etc. So yeah, just try it out. If it disconnects you after so many tries, call back from another payphone (which you should be using in this case).
Section 3: The Conclusion
Again, it's sad that the same failed access code schemes that were used 15 years ago are still used today. It's just more proof that common sense just can't keep up with the pace of technology. We can create devices that can store more data, run such data more efficiently, and have it held on smaller and smaller devices, but it seems we just can't keep that data secure. No matter how many advisories are released, no matter how many security lectures are given, none of it matters, because in the end people prefer ease over security. So until this mentality changes the same crap that worked 15 years ago, will work 15 years from now.
Many years ago I remember reading a tutorial called "Hacking Answering Machines". This tutorial was apparently written back in 1989, when answering machines were just blossuming into the market. This was back during the days of cassette-recorder answering machines. The tutorial spoke of different vendors and models that used for the most part 2-digit passwords for remote access. It is now the year 2005, and for the most part cassette-recorder answering machines are a thing of the past, replaced by digital answering machines. Surely they've beefed up security since then, right? Wrong. The truth is though most answering machines are now digital, and many new features have been added to them since then, the password scheme is still pretty much the same. That is where this tutorial comes into play. To show you, the reader, how to gain access into these newer digital answering machines using the same techniques that were used 15 years ago (yeah, I know, sad isn't it?). So without further crap....
Section 2: Gaining Access
The easiest way to gain access into an answering machine is to use it's preset access code. This is the access code set at default by the vendor on the given device. The best thing about this is that most users don't bother to change the access code to their device, if they even know that they have such a feature. Even worse yet, some of the manuals given for the device by it's vendor even tells the user that changing the access code is optional, not necessary. So of course since most people only do what they feel is necessary, these access codes are many times if not usually set at default. So what I'm going to do for you now is list the different popular vendors out there, and include their preset access codes, how to use them, and controls to use after gaining access. Keep in mind that if there is no model number beside the vendor, then that means that the information given works on most of their models. Likewise of course if there is a model identification beside the vendor name (placed in parenthesis) then that of course means that the information provided is model dependant. So let's begin, shall we?
1) AT&T - preset access code is 10 - when the answering machine picks up punch in the access code
7 - play messages
6 - play new messages
# - stop/pause
2 - repeat message
5 - skip message
4* - record announcement (push # to end recording)
41 - play announcement
* - record memo
33 - delete all messages
3 - delete selected
0 - turn system on
88 - turn system off
99 - change remote code
2) BellSouth - preset access code is 555, Mailbox 1: 555, 2: 666, 3: 777, 4: 888 - when the machine picks up hit * and then punch in the access code
0 - help (use this to get the commands available)
3) Freestyle - preset access code is 000 - when the machine picks up push in the D button and then punch in the access code
2 - play all messages
3 - play new messages
4 - skip back during messages
5 - delete during messages
6 - skip forward during messages
8 - play outgoing message
9 - record new outgoing message
0 - set answering machine on/off
1 - hear main menu
4) Vtech (VT650) - preset access code is 0000 - enter access code during announcement
#4 - repeat message
#5 - pause message
#6 - skip to next message
#7 - delete message
#8 - skip backwards
#9 - stop/exit any function
*8 - room monitor
5) Vtech (VT2650/VT2468) - preset access code is 50 - enter access code during announcement
#4 - repeat message
#6 - skips message
#5 - stops
#9 - delete message
#7 - review announcement (after beep press 7 to record an announcement and use #5 to stop)
6) Vtech (HK5886) - preset access code is 48 - enter access code during announcement
#1,2,3 - play new or old messages
#4 - repeat message
#6 - skip message
#5 - stop
#9 - delete message
#7 - review announcement (after beep press 7 to record an announcement and use #5 to stop)
7) Olympia (OL2410) - preset access code is 0000 - enter access code during accouncement
1,2,3 - select and play messages
4 - repeat message
44 - ignore message
6 - play next message
7 - delete current message
8 - record memo
9 - record announce (5 to stop)
0 - toggle answer on/off
* - play help menu
8) Doro - preset access code is 321 - enter access code right after outgoing message has played (or during)
1 - repeat/skip to previous message
2 - play/pause message
3 - skip to next message
4 - play current outgoing message
5 - record new outgoing message
6 - stop
7 - erase current message
8 - switch off answering machine
9 - switch on answering machine/select outgoing message
0 - (after playback) erases all messages
# - end playback
## - end call
9) Virgin Pulse cordless phone - preset access code is 123 - enter access code during outgoing message
1 - review current message
2 - skip to next message
3 - erase the current message
4 - play all or new messages
7 - repeat voice menu
0 - turn on/off TAD
10) Panasonic - preset access code is 11 or 1111 - enter access code during outgoing message
4 - new message playback
5 - all message playback
1 - repeat
2 - skip
9 - stop
7 - record new announcement (use 9 to end recording)
There are also a few random vendors that don't automatically preset an access code on the machine, forcing it's user to set one up him/herself. This is a small step forward as far as security is concerned, but every vendor I saw that did this still used a mere 2-digit access code. To test and see if your target has this type of setup press # when the machine start, and then press 0. If the machine returns to the annoucement then you know this is the kind of machine it is. Of course, in reality, this isn't all that bad of a scheme since you have 100 different combinations available for the access code. However, most users simply set these access codes as 11, 22, 69, etc. So yeah, just try it out. If it disconnects you after so many tries, call back from another payphone (which you should be using in this case).
Section 3: The Conclusion
Again, it's sad that the same failed access code schemes that were used 15 years ago are still used today. It's just more proof that common sense just can't keep up with the pace of technology. We can create devices that can store more data, run such data more efficiently, and have it held on smaller and smaller devices, but it seems we just can't keep that data secure. No matter how many advisories are released, no matter how many security lectures are given, none of it matters, because in the end people prefer ease over security. So until this mentality changes the same crap that worked 15 years ago, will work 15 years from now.
Posted by 
