Details are still emerging as to how, exactly, News of the World reporters got into everybody’s giblets. But here are the common – and shockingly simple – phone hacking techniques they likely used.
Voicemail hacking, according to security experts, is not the worst of the things that could happen to you and your secret-spilling mobile phone. These days, it is the least intrusive because voicemail as a message-delivering tool is fading out behind simple caller id, texting and emailing. But it’s still a massive invasion of privacy – even if the only one that still leaves messages is your dad.
To access these messages, mobile providers typically offer an external number you can call to get into your mailbox. The service recognises the phone number calling, which is convenient for everyone – including people trying to get into your voicemail. Phone numbers – that unique identity that we assume belongs only to the object in our pocket – can be spoofed using Voice Over IP and some open source software. “The caller ID is a burst of data before the signal that tells the phone to ring,” explains Chester Wisniewski, a Senior Security Advisor at Sophos. “If you’re not using a commercial service provider, you can set your caller ID to anything.” This means that that external number that you call to check your voicemail may interpret the falsified number as yours and act accordingly.
Typically the service provider’s external number still requires a password, even if you haven’t set one. Bonus! But to get yourself equipped with something unique, each company has a well-known default (like the last four digits of your phone number, for instance) that gives users first time access. And how many of us actually change that pin? Uh oh. Spoof a number, enter the last four digits of that number, and presto: 10 identical voice mail messages from my dad on 10 consecutive Sundays.
Spoofed numbers also allow another access point. Ever called your own phone number? “It automatically dumps you into voicemail and plays your messages,” says Wisniewski. By now you see where I’m going with this: Would be eavesdroppers can get there, too, using your number. To get forwarded to voicemail, someone might be tasked with intentionally occupying your line, while another with the forged number – your forged number – calls you as well. Bam: Voicemail. If not given direct access right then, pushing * during the outgoing message is a reliable way to gain entry.
Passwords would be helpful here, but even strong passwords guarding voicemail are not 100-percent safe from determined snoopers, who have been known to call phone companies to ask for a password reset on a target’s account. Security experts expect that some amount of this type of social engineering took place in the News of the World scandal. What this boils down to is someone tricking an employee at a cell carrier into giving up access. They’d need a few key details of the person’s life to go from, of course, but security experts seem to treat this as a foregone conclusion.
The thing about most voicemail intrusions is that there’s no real way to know they’ve happened. If you’ve already listened to a message, someone playing it for a second time is not going to set off any alarm bells. Steven Rambam, an investigator and director of Pallorium, Inc. explains that that it can go even further. “I can save them as new after I’ve listened to each one so nobody will know.” Alarming, to say the least.
More alarming is the gamut of violations Rambam says are possible. Transgressions range from wriggling into someone’s web portal to accessing call history to legal mobile phone tracking (not the paying-off-cops stuff that was going on in the UK) to sending an email that will embed something on your phone to grab passwords.
But 90 per cent of the above voicemail-specific problems can be prevented if strong passwords are put into place, according to Rambam. That means no patterns on the keyboard (ahem, 2580) or digits repeated four times. “There’s a balance between convenience and privacy,” says Rambam, “and you have to decide if it’s worth it for you.” In other words: Put passwords on everything. Right now.