How phone hacking worked and how to make sure you're not a victim

Filed Under: Featured, Law & order, Mobile, Privacy

Mobile phone and keyboardMobile phone security expert David Rogers of blog.mobilephonesecurity.org explains how "phone hacking" is done, and how you can better protect your mobile phone's voicemail.

A lot of mobile customers are bewildered by the events going on in the world press at the moment with all this talk of 'phone hacking'. Many of my friends have asked me what they can do to protect their phones and what the whole thing is about. The truth is, there is no actual phone hacking involved and it is also wrong to call what went on hacking.

What's really being discussed is illicit access to voicemail messages.

I’m going to explain a bit about what exactly is behind this, how it works and what you can do to protect yourself from people wanting to access your voicemails.

There are a number of possible methods to gain access to someone’s voicemail illicitly. In the UK at least, given the original police inquiry into the News of the World scandal, mobile network operators improved their security mechanisms to increase protection of users.

The good thing is, you can test out these mechanisms yourself as you can see below – if your operator hasn’t taken steps to close down the basic loopholes, ring them and tell them!

Default PINs

A lot of the problems that arose in the voicemail scandal arose from the use of well-known default PINs for voicemail access.

Voicemail buttonIn fact, you as a customer may never have used a PIN for accessing your voicemail. That is because on most mobile phones, the network recognises that it is your phone calling in and makes life more convenient for you.

So you would never even think that someone could access your voicemail by just dialling a number and entering a well-known default PIN.

These PINs can be found across the web – they naturally needed to be publicised to customers so they knew how to get remote access if they wanted.

As you’re probably thinking right now, this is a really poor security measure. Although the use of default PINs appears to have been brought to a halt in the UK, if you live in another country, it might be worth checking to see whether this practice is still being used by your mobile operator.

As late as March 2011, voicemails of politicians in the Netherlands were exposed by the use of a default PIN.

Remote Access to Voicemail

Operators often provide an external number through which you can call to access your voicemail remotely. This was one of the mechanisms allegedly used by the News of the World ‘phone hackers’ to get access to people’s voicemails without their knowledge.

KeypadIf you’d never setup a PIN, the attackers would get in via well publicised default PINs.

If they came up against someone who was using their own PIN, they would then use social engineering techniques to trick the operator into resetting the PIN to the default.

Homework: If you haven’t ever used it before, find out what the remote access number is to your voicemail.

What happens? You should be asked for a PIN code. If you don’t already use a PIN, use the web to see if you can find the default voicemail your provider has advertised in the past. If you enter the default, what happens?

Now try entering a wrong PIN. Do you get an SMS on your mobile telling you about it? Be careful not to block yourself out of your account, another security measure will be to block access if there are three wrong attempts.

Calling your own phone

Another not-so-well-known method of accessing voicemail is to actually call your own mobile number.

Woman on phoneClaims about the voicemail hacking scandal say that one journalist would call up a celebrity to engage the phone while another would then go into the voicemail using this method.

This seems pretty likely as a lot of celebrities' phones are looked after by personal assistants, not the celebrity themselves so it could look fairly legitimate to call up the PA.

More homework: Call your own mobile phone number. While you’re listening to the bit where it asks you to leave a message, press the * (star) key.

You should then be brought to your own voicemail menu! The system should ask you to enter a PIN. Follow the same process as above and see what happens.

Notifications

One of the security measures that have been introduced is to notify the customer more often by SMS when something goes on that they should know about.

Remember that if a third-party was accessing your voicemails remotely, you as a customer wouldn’t normally get to know that anyone had been there. In some cases, the attackers deleted the voicemails.

SMS messageThe type of notifications you could get could tell you that there has been a remote access to your voicemail, that there was an invalid PIN code attempt or that your voicemail PIN has been changed – all useful bits of information!

This is something that has been borrowed from the banking industry. It is a simple, effective early warning mechanism that something could be wrong. Because it shouldn’t happen very often, you shouldn’t be plagued by messages, equally you are the best person to know if it is dodgy activity or not.

However, always be careful with any message you receive. The best thing to do if you are unsure is to ring the customer helpline of your operator who’ll be able to tell you whether the message is genuine.

Newer methods of hacking voicemails

Sadly, there are always people who want to find out what others are up to, illegally. The methods for doing this are continually evolving.

Some of the newer methods involve faking a phone’s displayed number so it can trick access to voicemail. This technique has been used in the USA and recently in the Netherlands to get access to the voicemails of politicians.

To block this attack, you need to setup a PIN to access your voicemail. By doing this you prevent automatic access to your voicemail (as if you were ringing from your own mobile).

Summary

You now know how it works and you’ve been able to check whether you’re properly protected and set your own PIN number up. The customer service websites of operators should also be able to give you some good advice on PIN security and their voicemail service.

Remember that with all the publicity around the issue, it’s not only the operators who are reacting to the revelations; there will be bad people out there who are only now starting to exploit illicit voicemail access. Don’t let yourself be a victim.

What happens next?

Well, customer use of voicemail technology has evolved a lot, even in the last five years with the result that habits are changing. That is why I am asking the network operators to look at the use of remote voicemail access in general, with the proposal that they should consider shutting remote access down entirely.

, , , ,

You might like

27 Responses to How phone hacking worked and how to make sure you're not a victim

  1. These methods are common knowledge to the higher end users but not for the common phone user. Thanks for posting this, it may make a few more users more secure.

  2. Stuart · 1200 days ago

    The only method I think you have missed is social engineering the operator customer service to change your PIN. Most operators will do this by sending a text message of your new PIN, but some times they can be persuaded to give this out over the phone.

  3. @Stuart, thanks for this, I cover some of this on my longer blog about this over at blog.mobilephonesecurity.org , but you're right about the giving the PIN out over the phone bit. I would hope that is banned in call centres. If not, it should be. As far as I understand the resetting the PIN to default was the more common activity.

  4. curiouscat · 1200 days ago

    I just tried this, and tried a couple of codes (unsuccessfully). I then got a text from the company saying that someone had tried to access the voicemail, and to contact customer services if it wasn't me!

  5. No-One should be leaving messages by any means that contains sensitive information anyway.

  6. DavidS · 1200 days ago

    The idea of using a caller ID spoofing service to access someone's mobile phone voicemail email is a few years old, not new. A description of my experience with testing some US mobile carriers is at http://blog.sharpesecurity.com/2010/02/14/budget-.... Can anyone confirm which UK-based mobile carriers caller ID spoofing works with. Thank you!

    • Alan Brown · 1197 days ago

      All of them. Caller ID is trivially spoofed from any ISDN line. There are carrier rules which are supposed to reject presented CLI numbers which don't belong to the enduser but these are rarely enforced.

      ANI (automatic number identification) is not spoofable, but most systems seem to rely on CLID, despite ANI being available.

      I've heard rumours that systems are being updated to use ANI to compbat this kind of issue but have seen nothing concrete

      USA Caller-ID is additionally spoofable on voice calls because of the way it works and doing so requires a burst of data be sent between the time the handset is lifted and the receiver reaches the user's ear - it doesn't hide the original calling number but it overwrites it with new data. Users scrolling back will see this as the last entry.

  7. Mark · 1200 days ago

    So what's Sophos' position on mobile operators basically letting anyone access their customer's private data (eg. voicemail messages)?

  8. I guess one other suggestion for people to make themselves safer is to consider disabling their voicemail service all together.

  9. canuckian · 1200 days ago

    I find this odd, because by default all the cell phones I have had with various providers in Canada since 1998 have required passwords to access voicemail even when calling your number from the phone using that number. That there are companies out there without that basic protection is mind-boggling.

    • cheryl conti · 154 days ago

      I use Metro-PCS...I am not prompted for a pin when calling my voice mail. I have a number in my settings that is called voice mail, have never called it. As for calling vm from another phone, hold on, I will try it....yep, I am asked for identifying information...just phone #, mailbox # and pin.

  10. Living in germany, I think these discussions are a bit strange - this CallerID issue has been well known since at least 2005, which was when all german mobile operators switched to SIM identification instead (as long as you're in their local network) and enforced PIN codes for use outside of germany.

    Why is this news all of a sudden?

  11. Vval · 1196 days ago

    "That is why I am asking the network operators to look at the use of remote voicemail access in general, with the proposal that they should consider shutting remote access down entirely."

    So... better to never be able to check the messages on a misplaced phone, or one that's out of power?

    Requiring PIN access even from own number might be a good start for better security, given the ease of spoofing caller ID. As well as requiring people to set PINs.

  12. RJJ · 1194 days ago

    "The truth is, there is no actual phone hacking involved"

    I'm not sure if there's a generally accepted definition of the word "hacking," but think it would more accurate to say that no specific examples of phone hacking have yet been described. That does not necessarily mean that it did not happen.

  13. jason · 1188 days ago

    the best way to stop yourself being hacked is just simply phone your mobile operator and ask them to deactivate your voice mail

  14. wang · 1188 days ago

    I am yet to see any hacker who can actually listen to the phone conversation!

    Well just impossible for them as the signals are encrypted over the air. Only police can listen to it (via a mobile network feature called lawful interception - connecting directly to the MSC - mobile switching centre).

    So if your phone conversation is hacked into, that's either corrupted police, or the operator itself.

  15. Palmans · 1119 days ago

    My ex partner has been hacking into my phone during our volatile separation, he had access to all text messages, emails (including one's from my lawyer regarding the split, pictures and GPS tracking. Was wondering if someone could recommens a specialist lawyer, his computers and my mobile and laptop have been siezed by the police.. thanks

    • Tilly · 1054 days ago

      I am having a similar problem! How did you uncover what was going on ?
      Also,
      What proof do you need to get the police to take action?

  16. privacyminded · 1074 days ago

    There a product that blocks out all transmission. I got one here in LA at a convention. It was $20 and called Hushpockets. The guy did a demo in front of me and it worked in 2-3 seconds. It blocked out the call. Then he did another one with gps google map. and after 5 seconds in the hushpocket, it said "signal was lost" a great product for the security conscious person. I think it perfect for celeb or attorneys or finance managers??

    • wendy · 992 days ago

      is it possible for someone to read my text messages and how can i stop it??wendy

  17. David · 976 days ago

    MY problem has nothing to do with my email or voice mail.I have some one who stole my debet card an used it at a western union to transfer my money all of it an picked up the cash, on three differnt times . union states ther info was correct including trans actions that were all ariganated from my moble number ,6 differnt times.Now iam no longer the victum ,i now must convinse the detective that i am not the ring leader .By the way the hackers just took info from my card an leaving it intack in my wallet an carried on a cuple weeks my self not missing my card because it was never gone an yes they befreinded me an i 100% sure who it is. Sorry for the spelling i have a lerning disabilaty .If some one can help me nail this girl . I sure would be greatfull .Lets call me been HACKED .

  18. Charles · 872 days ago

    my wife recieved a text from my cell phone and I had the phone with me the whole time and I didn't send her the text? The text wasn't on my outgoing texes and I didn't forward a text to her and didn't send her that text.. Can someone have hacked her cell phone and sent her the text making it look as though it was me that sent it? I'm at a loss as to how that could have happened if i didn't sent it to her and the phone was in my posession the whole time. Can you help me please?

    • guest johnnyE. · 670 days ago

      I myself received a text from SUPPOSEDLY was from my friend on his cell to my cell phone ,, he said it wasn't him and following conversation he has a trac phone and cannot text.. so there is no doubt i've been invaded (and I think I know who btw)

      Could this person have hacked my cell phone and sent me the text making it look as though it was my buddy that had sent it?

      And if so, what should I do (Apple iPhone4 with verizon as carrier)??

      Thank You

  19. Mary · 743 days ago

    Can anyone tell me if it is possible to hack into text messages, and if there is any way that I can find out if someone has done this to me?

    • vic · 729 days ago

      i think the phone companys themselves can look at your text messages.maybe to check for offensives things being said.i think periodically they do this anyway.its a worry.

  20. Thu · 445 days ago

    How can I buy Phone Hacker device or tools

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

David Rogers is a mobile phone security expert and the owner of Copper Horse Solutions Ltd, a software and security company. He is the former Head of Security for the Wholesale Applications Community (WAC) and previously headed up Panasonic Mobile’s Product Security and Customer Engineering in Europe. He has advised government and Police organisations on a range of mobile phone security and forensics issues. Follow David on Twitter at @drogersuk or read his blog at http://blog.mobilephonesecurity.org.