FI1: IBM's Voice Mail System by ICEMAN
Freedom Issue 1, December 24, 1992
File 3/7
IBM's Voice Mail System
By ICEMAN
Disclaimer
As the author of this article, I am not responsible for any actions that may result from the information in this article. This file is for informational and educational purposes only, detailing the features of this particular VMB system. None of this information should be used without the permission of the authorized people in charge.
Introduction
I haven't encountered a VMB system such as the one IBM is using in our area yet, so I've decided to write an article on it. The specific system in this case is only a local system, and I'm not at all sure if IBM is using it on any 1-800's that they run. I have heard something about ROLM in the past while but I haven't been able to get any info on it in time for this issue... maybe there'll be a part ][ in the next one.
First steps
Once you have called up the IBM VMB system, a high quality voice will answer and give you the following options:
- Press 1 if you are using a touchtone phone
- Hold the line if you are using a rotary dial phone
Note that you want to select 1. If you are using a rotary dial phone, get a touch-tone phone. If you hold the line you will be connected to a live operator, and this defeats the purpose.
Next you will be presented with the following options:
- Press 1 if you know the name of the person you are trying to call
- Press 2 if you want to make a service call
- Press 3 if you would like information on IBM's products or services
- Press 4 if you want to leave a comment about the automated phone system
Now you want to pick option 1, since the whole purpose of your call is to get into the actual Voice Mail section.
Finding Valid VMB's
After choosing 1, you are prompted to enter the name of the person you want to reach. You enter the name by pressing the touch-tone keys corresponding to the first 3 letters of the person's last name. If you want to reach someone with a last name of Doe, you would enter 363 (DOE). Since the letters Q and Z don't appear on standard keypads, use the 7 key for Q and the 9 key for Z.
It will probably be difficult to actually find a valid mailbox, so it may help to call up the local IBM service department and use some social engineering skills to get some of the employee names out of the operator. Or you could go as far as dumpster diving, but this is probably far too much trouble to get a person's name.
After finding 1 valid mailbox it is easier to scan for others as well. When the voice asks you to enter the mailbox number, after 2 invalid attempts, enter one of the valid ones which you have found. This will prevent the system from hanging up on you and you can keep on scanning from there.
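The counter reset described above works only if the system counts invalid entries in a row. The following sketch is an added example, not part of the original article or of any IBM software: it shows, on a constructed event log, why a consecutive-failure rule never fires on that pattern while a per-call total and a reset-cycle count both do. The limits and the event format are assumptions.

```python
from collections import defaultdict

CONSECUTIVE_LIMIT = 3  # hang-up threshold implied by the article (assumption)
CUMULATIVE_LIMIT = 5   # hypothetical per-call budget of invalid lookups

# Constructed sample: (call_id, result of one name/mailbox lookup).
SAMPLE_EVENTS = [
    ("call-A", "invalid"), ("call-A", "invalid"), ("call-A", "valid"),
    ("call-B", "invalid"), ("call-B", "valid"),
    ("call-A", "invalid"), ("call-A", "invalid"), ("call-A", "valid"),
    ("call-A", "invalid"), ("call-A", "invalid"), ("call-A", "valid"),
]

def consecutive_policy(events, limit=CONSECUTIVE_LIMIT):
    """Calls that an 'N invalid entries in a row' rule would disconnect."""
    streak, dropped = defaultdict(int), set()
    for call_id, result in events:
        streak[call_id] = streak[call_id] + 1 if result == "invalid" else 0
        if streak[call_id] >= limit:
            dropped.add(call_id)
    return dropped

def cumulative_policy(events, limit=CUMULATIVE_LIMIT):
    """Calls whose total invalid lookups reach the budget; valid entries never reset it."""
    total, flagged = defaultdict(int), set()
    for call_id, result in events:
        if result == "invalid":
            total[call_id] += 1
            if total[call_id] >= limit:
                flagged.add(call_id)
    return flagged

def reset_cycles(events):
    """Per call, count valid lookups that immediately follow an invalid one."""
    last, cycles = {}, defaultdict(int)
    for call_id, result in events:
        if result == "valid" and last.get(call_id) == "invalid":
            cycles[call_id] += 1
        last[call_id] = result
    return dict(cycles)

if __name__ == "__main__":
    print("dropped by consecutive rule:", consecutive_policy(SAMPLE_EVENTS))
    print("flagged by cumulative rule:", cumulative_policy(SAMPLE_EVENTS))
    print("reset cycles per call:", reset_cycles(SAMPLE_EVENTS))
```

A single mistyped name followed by a correct one (call-B) produces one reset cycle, so alerting on repeated cycles within one call separates scanning from ordinary misdials.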
Once you have entered a valid name, the system will say something like this: 'You dialed ', then an actual recording of the person's voice will be played, saying his own name, so the result will be 'You have reached John Doe'. It sounds a little silly mind you, but at least you've found a valid mailbox. It will then ask you if this is correct.
- Press # if it is the correct person.
- Press * if it is incorrect.
After You've Found One
Now the person's greeting will play, and you will be prompted to enter a message for them. During the greeting, or during message entry if you press the 0 key, you will be presented with the following options:
- Press # if you would like to talk to someone taking calls for John Doe
- Press 0 to talk to an operator
- Press * to enter another person's name (VMB)
- Or enter an extension number, to transfer to another extension.
You probably won't need to use any of these functions, so just continue listening to the greeting. Now it's time to try and get into it by hacking out the person's personal password. To do this you must first enter a message to the person. Enter a completely blank message, unless you want to harass an IBM employee or something (not suggested since you don't want to leave traces of your visit and this would be very unethical). Once the time has elapsed, you will be presented with the following options:
- Press 7 then 3 to replay the message
- Press 1 to re-record the message
- Press # to accept and save the message
- Press 6 to erase the message
- Press 7 to disconnect
You now want to delete the message since you don't want to leave any traces whatsoever of your visit. When selecting 6 you'll be presented with:
- Press # to continue deletion
- Press 1 to re-record the message
Select # to delete the message and proceed. You will then be presented with the following options:
- Press 0 to transfer to another extension
- Press # to access the phone mail features
Now we want to access the phone mail features, so press #. You will once again be prompted to enter an extension or name; enter the same name that you are currently hacking. You now have the following options:
- Press * if this is the incorrect person (Obviously not)
- Enter the password for this Mailbox, then press #
Ah-Hah. We have finally reached the password entry prompt. You now have your chance to try to enter the correct password: try every combination of the VMB number that you can think of, or any other information about the employee that could be relevant.
These systems are incredibly secure (This is IBM we're dealing with here), and after 3 invalid password entries, you will be unable to get to the password entry prompt again. This is a major drawback and will deter all but the patient, determined individual. You must wait for the person who owns the mailbox to talk to the system administrator to 'unlock' the mailbox and then try again the next day. The person will probably become extremely paranoid due to people trying to hack into their mailbox every day, and change their password often. I'm currently not sure of the length of the password since you are able to enter as many digits as you like before pressing the pound key.
The fact that you are only allowed 3 attempts to enter the correct password seems quite stupid in my opinion, since even though you are locked out from attempting to access the VMB, so is the owner of the mailbox. This means that the owner is unable to read their mail or do anything about it. This could become very annoying to them if done repeatedly and would be one way to really get on their nerves. There's no telling what IBM can or will do. This is wasting their time; they could go as far as installing traces since this is probably considered mischief. So it may be a good idea to do it from a payphone, if you must.
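The hard lock described above stops guessing but also denies the owner access until an administrator steps in. The following sketch is an added example, not the article's or IBM's design: a lock that expires on its own with escalating delays, which trades a small, bounded number of guesses per day for a bounded owner outage. The delay values and the one-second attempt spacing are assumptions.

```python
from dataclasses import dataclass

FREE_ATTEMPTS = 3    # matches the three tries the article describes
BASE_DELAY_S = 60    # hypothetical first lock duration
MAX_DELAY_S = 3600   # hypothetical cap; the lock always expires unaided

@dataclass
class MailboxGuard:
    failures: int = 0
    locked_until: float = 0.0

    def allowed(self, now):
        """True if a password attempt is accepted for checking at time `now`."""
        return now >= self.locked_until

    def record(self, now, success):
        """Register one attempt at time `now` (seconds); return True if it logs in."""
        if not self.allowed(now):
            return False          # refused while locked, not counted
        if success:
            self.failures = 0     # a correct password clears the history
            return True
        self.failures += 1
        if self.failures >= FREE_ATTEMPTS:
            exp = self.failures - FREE_ATTEMPTS
            delay = min(BASE_DELAY_S * 2 ** exp, MAX_DELAY_S)
            self.locked_until = now + delay
        return False

def guesses_in(window_s):
    """Upper bound on wrong guesses one mailbox checks within `window_s` seconds."""
    guard, now, count = MailboxGuard(), 0.0, 0
    while now < window_s:
        guard.record(now, success=False)
        count += 1
        now = max(now + 1, guard.locked_until)  # 1 s per attempt (assumption)
    return count

if __name__ == "__main__":
    print("wrong guesses checked in 24 h:", guesses_in(86400))
    print("longest the owner is ever shut out (s):", MAX_DELAY_S)
```

Each lock event is also a natural point to raise an alert, so repeated lockouts on one mailbox reach the administrator without the owner having to report them.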
Summary
Here is a simplified rundown of what to do:
- Call the VMB system
- Press 1 since you have a touch-tone phone
- Press 1 to enter a person's VMB number
- Press # if it's the correct person
- Wait for the greeting to finish, and enter the blank message
- Press 6 to erase the message
- Press # to verify deletion
- Press # to access phone mail features
- Enter the Mailbox number again
- Enter the password then # to complete
After this you are on your own. We have been unable to enter ANY boxes to date due to the tight security involved.
If you are able to actually get into one of these mailboxes please let us know or write up a text file explaining the options available from within. Considering the options available on other similar systems, these could range from Forwarding Messages, Mass Messages, Creating Guest Accounts, Placing outgoing calls (an outdial), Listening to your Messages (obviously), Programming Mailboxes to Call certain phone numbers and play certain messages at specified times, plus many other possible features.
ICEMAN