Voicemail boxes have a history of being compromised for a variety of reasons. Besides simply listening to someone else's messages, voice mailboxes are often exploited because they have call-back or forward features which can be turned on remotely. One of the most popular strategies is to hack a voicemail box and forward that person's calls to an expensive international destination, racking up thousands of dollars of calls in a short amount of time. This makes voicemail password hacking popular even today.

Protection against weak voicemail passwords is fairly simple. FreeSWITCH stores voicemail passwords in plain-text in the database, allowing you to scan for passwords which are weak, such as 1111 or 1234. You can also scan for people who are using their extension number as their voicemail password which is another popular (and insecure) password strategy.

To scan for weak passwords you'll need to write a script that looks for passwords in the voicemail configuration database. Assuming you are using the defaults in FreeSWITCH, the voicemail database is stored in a SQLite file in your FreeSWITCH DB folder. This folder will be in one of various locations depending on how you installed FreeSWITCH, but most commonly it is in /opt/freeswitch/db, /usr/local/freeswitch/db, or /var/lib/freeswitch/db.

A sample way to check your database could be using the following simple SQLite query:

sqlite3 db/voicemail_default.db "select * from voicemail_prefs 
where password=1234 or password=1111" 

This command would use the SQLite3 linux client to look in the voicemail_prefs table for any passwords that are 1111 or 1234. It will print all information about that mailbox on the screen, including the username and domain name of the user who has this password. You can then take corrective action by either resetting the password forcefully or contacting the user to advise them to change their password.