A security researcher got an eyeful of a sex worker's client base when he investigated a VoIP service whose "burner" phone numbers are being recycled.
Neohapsis Labs Senior Security Consultant Rob Beck was on an engagement that had him checking out the "burner" feature of a VoIP company.
It turns out the disposable numbers aren't being disposed of -- they're being given to the next customer in line.
Beck found out quickly and explicitly that the service had issued him the "disposable" number of an escort -- and her clients clearly thought she was still at the same number. Beck said: "Going based solely on the contents of the SMS messages received, as well as some of the voicemails left on my trial number messaging service, the previous owner was also a specialized professional who is used to charging an hourly rate; let's just say that her chosen profession was of a much more discreet and intimate nature."
When he started the engagement, he initiated the "burner" number and moved to other work to let the trial period run out. Only 48 hours after Beck activated the "burner" number, Beck said, "I was presented with text upon text message asking if he/she was available, what their hourly rate was, as well as a few much more graphic explanations of specific requests the potential clients would like performed."
Burner numbers aren't "fake" phone numbers; they can be used like a regular number, including text functions -- and as Beck found out, also for exchanging SMS photos.
"What was more surprising, and traumatizing," Beck said, "was that some of these individuals had chosen to send naughty-gram picture messages of their previous work with this professional, personal pictures in admiration of this person, and well, you have an imagination."
Beck explained that none of the previous number's clients had any clue that they had been contacting their escort via a burner number -- or more importantly, that it was now in possession of another person altogether.
He commented, "The problem was made worse for them because of the features provided by this service; as previously mentioned, the VoIP service offers Caller ID. I was not only receiving the correspondence from this lengthy list of previous contacts, but now I had the phone numbers they were using to reach me." He continued:
"This situation now not only posed a risk to the previous owner of this phone number, permitting me access to their contacts who had reached out to her, but exposed her clients and potential clients to exposure from an unknown individual now in possession of their information.
(...) Due to the disclosure of their phone numbers coupled with the power of Google and other search engines, the potential for extortion by a random individual who is now in possession of compromising photos is also a reality."
Beck doesn't think it's good form to name the company engaging in these shady practices. He told ZDNet, "There are a number of apps like this for iOS and Android, with more appearing every month, some of the more well-known ones are: Burner, Hushed, Lineup, and YOONumbers."
He wants his experience to be a warning to anyone thinking that "burner" phone number apps expire your number immediately -- or don't recycle them.
A "burner" typically refers to a throwaway prepaid cell phone, made popular in the US by the HBO series "The Wire", where burner phones were used by drug dealers to evade wiretapping.
A burner app, such as the one tested by Beck, lets users purchase disposable phone numbers for short-term use.
A burner app has many practical everyday uses, such as allowing people to buy and sell things on Craigslist or eBay without compromising their phone number privacy.
Burner numbers are a particularly smart privacy safeguard for women who want to try out online dating.
The most popular burner app for iOS and Android, appropriately named "Burner", states that each Burner number is disposable and expires after 7 days or 20 minutes (or 60 text messages) of use, whichever comes first.
Burner (the app) is especially careful about deep-sixing their users' numbers. Regarding the end of a number's use, Burner states,
Done with the number? Click "burn" and the Burner number goes out of service, wiping it from your phone and stopping texts or calls to the number.
Beck tells us, "When a traditional number is deactivated there is a period of callers receiving that 'This number is no longer in service' message, a constant busy signal, text messages failing to deliver, or some other subtle means of letting the caller know that the number is dead. Phone providers have the luxury of doing this because of the large amount of phone numbers they have to allocate among their existing and new user base."
He explained that apps assigning burner numbers don't have the same "luxury."
"They have to procure their phone number pools ahead of time, then they set up their VoIP servers and map all the end-points. If the service is intended to be used as this sort of “burner” one-stop shop, they’ll inevitably have to recycle their numbers at a much more rapid pace just to stay ahead of their users’ needs; this doesn’t permit them the ability to really offer the deactivation period to signal to others that the number is in flux.
The services themselves aren’t doing anything beyond what they have to make their users happy, which is kind of the unwritten agreement between the service and the user – we give you a number for a finite period of time, you use it for whatever purpose you need it for, no other warranties or security features are explicitly called out.
Sadly this last piece is what offloads the responsibility (and liability) of op-sec to the recipients of these numbers."
Solving this problem, Beck told ZDNet, is going to pose quite a challenge.
He said, "In the scenario that I encountered during my testing, a solution might have been something as simple as a social challenge/response, but again... this would have been something that needed to be set up and agreed upon with the previous user of the phone number."
Beck seems to think that protecting ourselves from scenarios like this means a shift in the way we think of phone numbers. "We need to treat phone numbers as untrusted resources that gain trust with us over time as they’re used regularly by the same people to communicate with us – I think that’s where the biggest issues are, in perception of what a phone number is when it’s provided to us. Traditionally a phone number was a pretty static thing, we’re just not used to phone numbers being as disposable as email addresses, and I think that has to change for a lot of us."
Beck added, "I suspect we’ll see a new service offering going forward, services that identify burner number pools and providers that are used for burner numbers."
Until then, it's caller -- and receiver -- beware when it comes to burner numbers.