Royal phones hacked, the former prime minister demands a police investigation of possible snooping on his mobile messages, the current prime minister’s director of communications resigns, Rupert Murdoch flies in to London for a crisis meeting, and that is just the start.
Deep into the age of computer hacking, one or more journalists at Murdoch owned British newspaper the News of the World have been accused of carrying out a remarkably old-fashioned hack, that of accessing or ‘phreaking’ voicemail systems used by celebrities and politicians.
Dozens or even hundreds of public figures could in theory be affected and it hasn’t taken long for it to dawn on people that the practice is likely to be more widespread than a single newspaper in a single country, and could also affect a greater range of people.
Voicemail systems have been under attack since the dawn of the answer-machine and business voicemail box, but it was with the arrival of mobile networks that it started to take off. These offer a standardised interface and set of access numbers and come with default security PINs that even non-technical journalists can manage to look up on the Internet.
This is the first security flaw of public voicemail systems; the PIN. A default PIN is usually set on voicemail when the service is enabled, which many users won’t remember to change. Even if the PIN is changed, intruders can attempt to access the mailbox by getting the number reset by phoning up the provider. How hard is this? Nobody knows.
Attackers can get away with such simple access thanks to a second flaw, namely that public voicemail systems don’t record the numbers from which the service is being accessed, only the time of access. This alone would make simple voicemail hacks harder to execute by leaving a trail of evidence of access.
Normally, there are only two further demands on the attacker - they must know or guess the network being used and be prepared to risk the wrath of the law. Accessing voicemail on any system without persmission is clearly against UK and US laws.
A more sinister possibility is that hackers might have paid informants inside mobile phone networks call centres though it is worth pointing out that there is no evidence of this in current cases.
As to corprorate voicemail systems, the same principles apply although these will be more secure due to in-depth authentication designs and longer PINs. PINs and other security measures will also be set up by a security admin and administered according to defined policies.
Beyond walking in the front door, the possibilities get more complex and slightly less likely.
Spoofing systems have appeared in recent times that exploit the fact that when a person calls their voicemail from their own phone (identified by the individual International Mobile Subscriber Identity or IMSI) on some networks they are often able to access the system without entering a PIN at all. All the attacker would need to have – other than the knowhow to use spoofing – is the target mobile number.
Whether this would work on a particular account will depend on the network concerned, in some cases the country and possibly the country in which the system is being used.
Can it be stopped?
The easiest way to avoid having one of these systems hacked is not to use them at all. Voicemail can be turned off as a service, which forces callers back on for the time being more secure systems such as SMS and email. It’s also advisable for the same reason not to use message transcription services (such as replacements for the ill-fated Spinvox) that turn voicemails into text. If a system is a risk, putting a human into that chain only adds to security worries.
A second basic possibility is to reset the default PIN code. Assuming this if four digits, that allows to 10,000 possible combinations for a hacker to guess, not completely secure but a reasonable start. Make sure the PIN is then changed often. Third, use a target could use more than one phone and network. This makes it harder for an attacker to guess and access all of the target’s voicemail.
Ultimately, targeted individuals could become vulnerable even on SMS and email if an attacker can get a piece of spyware on to their smartphone. This is probably the biggest threat in the medium term and would offer attackers a way of getting at anything on the phone from contacts to call logs and to private documents.
The single barrier to rogue apps on smartphones is that the attacker has to take account of the platform of the target's smartphone and get around any appproval systems that might exist. In the case of the smartphone, this is considerable.
What about the calls themselves? There have been a number of theoretical hacks of encrypted live mobile phone calls in the last year though they remain hypothetical. They can be defended against using encryption technology or by abandoning GSM altogether in favour of encrypted satellite phones.