Sophos Cloud Optix
Mobile phone security expert David Rogers of blog.mobilephonesecurity.org explains how “phone hacking” is done, and how you can better protect your mobile phone’s voicemail.
A lot of mobile customers are bewildered by the events going on in the world press at the moment with all this talk of ‘phone hacking’. Many of my friends have asked me what they can do to protect their phones and what the whole thing is about. The truth is, there is no actual phone hacking involved and it is also wrong to call what went on hacking.
What’s really being discussed is illicit access to voicemail messages.
I’m going to explain a bit about what exactly is behind this, how it works and what you can do to protect yourself from people wanting to access your voicemails.
There are a number of possible methods to gain access to someone’s voicemail illicitly. In the UK at least, given the original police inquiry into the News of the World scandal, mobile network operators improved their security mechanisms to increase protection of users.
The good thing is, you can test out these mechanisms yourself as you can see below – if your operator hasn’t taken steps to close down the basic loopholes, ring them and tell them!
Default PINs
A lot of the problems that arose in the voicemail scandal arose from the use of well-known default PINs for voicemail access.
In fact, you as a customer may never have used a PIN for accessing your voicemail. That is because on most mobile phones, the network recognises that it is your phone calling in and makes life more convenient for you.
So you would never even think that someone could access your voicemail by just dialling a number and entering a well-known default PIN.
These PINs can be found across the web – they naturally needed to be publicised to customers so they knew how to get remote access if they wanted.
As you’re probably thinking right now, this is a really poor security measure. Although the use of default PINs appears to have been brought to a halt in the UK, if you live in another country, it might be worth checking to see whether this practice is still being used by your mobile operator.
As late as March 2011, voicemails of politicians in the Netherlands were exposed by the use of a default PIN.
Remote Access to Voicemail
Operators often provide an external number through which you can call to access your voicemail remotely. This was one of the mechanisms allegedly used by the News of the World ‘phone hackers’ to get access to people’s voicemails without their knowledge.
If you’d never setup a PIN, the attackers would get in via well publicised default PINs.
If they came up against someone who was using their own PIN, they would then use social engineering techniques to trick the operator into resetting the PIN to the default.
Homework: If you haven’t ever used it before, find out what the remote access number is to your voicemail.
What happens? You should be asked for a PIN code. If you don’t already use a PIN, use the web to see if you can find the default voicemail your provider has advertised in the past. If you enter the default, what happens?
Now try entering a wrong PIN. Do you get an SMS on your mobile telling you about it? Be careful not to block yourself out of your account, another security measure will be to block access if there are three wrong attempts.
Calling your own phone
Another not-so-well-known method of accessing voicemail is to actually call your own mobile number.
Claims about the voicemail hacking scandal say that one journalist would call up a celebrity to engage the phone while another would then go into the voicemail using this method.
This seems pretty likely as a lot of celebrities’ phones are looked after by personal assistants, not the celebrity themselves so it could look fairly legitimate to call up the PA.
More homework: Call your own mobile phone number. While you’re listening to the bit where it asks you to leave a message, press the * (star) key.
You should then be brought to your own voicemail menu! The system should ask you to enter a PIN. Follow the same process as above and see what happens.
Notifications
One of the security measures that have been introduced is to notify the customer more often by SMS when something goes on that they should know about.
Remember that if a third-party was accessing your voicemails remotely, you as a customer wouldn’t normally get to know that anyone had been there. In some cases, the attackers deleted the voicemails.
The type of notifications you could get could tell you that there has been a remote access to your voicemail, that there was an invalid PIN code attempt or that your voicemail PIN has been changed – all useful bits of information!
This is something that has been borrowed from the banking industry. It is a simple, effective early warning mechanism that something could be wrong. Because it shouldn’t happen very often, you shouldn’t be plagued by messages, equally you are the best person to know if it is dodgy activity or not.
However, always be careful with any message you receive. The best thing to do if you are unsure is to ring the customer helpline of your operator who’ll be able to tell you whether the message is genuine.
Newer methods of hacking voicemails
Sadly, there are always people who want to find out what others are up to, illegally. The methods for doing this are continually evolving.
Some of the newer methods involve faking a phone’s displayed number so it can trick access to voicemail. This technique has been used in the USA and recently in the Netherlands to get access to the voicemails of politicians.
To block this attack, you need to setup a PIN to access your voicemail. By doing this you prevent automatic access to your voicemail (as if you were ringing from your own mobile).
Summary
You now know how it works and you’ve been able to check whether you’re properly protected and set your own PIN number up. The customer service websites of operators should also be able to give you some good advice on PIN security and their voicemail service.
Remember that with all the publicity around the issue, it’s not only the operators who are reacting to the revelations; there will be bad people out there who are only now starting to exploit illicit voicemail access. Don’t let yourself be a victim.
What happens next?
Well, customer use of voicemail technology has evolved a lot, even in the last five years with the result that habits are changing. That is why I am asking the network operators to look at the use of remote voicemail access in general, with the proposal that they should consider shutting remote access down entirely.
These methods are common knowledge to the higher end users but not for the common phone user. Thanks for posting this, it may make a few more users more secure.
The only method I think you have missed is social engineering the operator customer service to change your PIN. Most operators will do this by sending a text message of your new PIN, but some times they can be persuaded to give this out over the phone.
@Stuart, thanks for this, I cover some of this on my longer blog about this over at blog.mobilephonesecurity.org , but you're right about the giving the PIN out over the phone bit. I would hope that is banned in call centres. If not, it should be. As far as I understand the resetting the PIN to default was the more common activity.
I just tried this, and tried a couple of codes (unsuccessfully). I then got a text from the company saying that someone had tried to access the voicemail, and to contact customer services if it wasn't me!
No-One should be leaving messages by any means that contains sensitive information anyway.
The idea of using a caller ID spoofing service to access someone's mobile phone voicemail email is a few years old, not new. A description of my experience with testing some US mobile carriers is at http://blog.sharpesecurity.com/2010/02/14/budget-…. Can anyone confirm which UK-based mobile carriers caller ID spoofing works with. Thank you!
All of them. Caller ID is trivially spoofed from any ISDN line. There are carrier rules which are supposed to reject presented CLI numbers which don't belong to the enduser but these are rarely enforced.
ANI (automatic number identification) is not spoofable, but most systems seem to rely on CLID, despite ANI being available.
I've heard rumours that systems are being updated to use ANI to compbat this kind of issue but have seen nothing concrete
USA Caller-ID is additionally spoofable on voice calls because of the way it works and doing so requires a burst of data be sent between the time the handset is lifted and the receiver reaches the user's ear – it doesn't hide the original calling number but it overwrites it with new data. Users scrolling back will see this as the last entry.
So what's Sophos' position on mobile operators basically letting anyone access their customer's private data (eg. voicemail messages)?
I guess one other suggestion for people to make themselves safer is to consider disabling their voicemail service all together.
I find this odd, because by default all the cell phones I have had with various providers in Canada since 1998 have required passwords to access voicemail even when calling your number from the phone using that number. That there are companies out there without that basic protection is mind-boggling.
I use Metro-PCS…I am not prompted for a pin when calling my voice mail. I have a number in my settings that is called voice mail, have never called it. As for calling vm from another phone, hold on, I will try it….yep, I am asked for identifying information…just phone #, mailbox # and pin.
Living in germany, I think these discussions are a bit strange – this CallerID issue has been well known since at least 2005, which was when all german mobile operators switched to SIM identification instead (as long as you're in their local network) and enforced PIN codes for use outside of germany.
Why is this news all of a sudden?
“That is why I am asking the network operators to look at the use of remote voicemail access in general, with the proposal that they should consider shutting remote access down entirely.”
So… better to never be able to check the messages on a misplaced phone, or one that’s out of power?
Requiring PIN access even from own number might be a good start for better security, given the ease of spoofing caller ID. As well as requiring people to set PINs.
"The truth is, there is no actual phone hacking involved"
I'm not sure if there's a generally accepted definition of the word "hacking," but think it would more accurate to say that no specific examples of phone hacking have yet been described. That does not necessarily mean that it did not happen.
the best way to stop yourself being hacked is just simply phone your mobile operator and ask them to deactivate your voice mail
I am yet to see any hacker who can actually listen to the phone conversation!
Well just impossible for them as the signals are encrypted over the air. Only police can listen to it (via a mobile network feature called lawful interception – connecting directly to the MSC – mobile switching centre).
So if your phone conversation is hacked into, that's either corrupted police, or the operator itself.
Can you say cloning
Thatsthe problem I have; corrupted police phone hacking
My ex partner has been hacking into my phone during our volatile separation, he had access to all text messages, emails (including one’s from my lawyer regarding the split, pictures and GPS tracking. Was wondering if someone could recommens a specialist lawyer, his computers and my mobile and laptop have been siezed by the police.. thanks
I am having a similar problem! How did you uncover what was going on ?
Also,
What proof do you need to get the police to take action?
There a product that blocks out all transmission. I got one here in LA at a convention. It was $20 and called Hushpockets. The guy did a demo in front of me and it worked in 2-3 seconds. It blocked out the call. Then he did another one with gps google map. and after 5 seconds in the hushpocket, it said "signal was lost" a great product for the security conscious person. I think it perfect for celeb or attorneys or finance managers??
is it possible for someone to read my text messages and how can i stop it??wendy
MY problem has nothing to do with my email or voice mail.I have some one who stole my debet card an used it at a western union to transfer my money all of it an picked up the cash, on three differnt times . union states ther info was correct including trans actions that were all ariganated from my moble number ,6 differnt times.Now iam no longer the victum ,i now must convinse the detective that i am not the ring leader .By the way the hackers just took info from my card an leaving it intack in my wallet an carried on a cuple weeks my self not missing my card because it was never gone an yes they befreinded me an i 100% sure who it is. Sorry for the spelling i have a lerning disabilaty .If some one can help me nail this girl . I sure would be greatfull .Lets call me been HACKED .
my wife recieved a text from my cell phone and I had the phone with me the whole time and I didn't send her the text? The text wasn't on my outgoing texes and I didn't forward a text to her and didn't send her that text.. Can someone have hacked her cell phone and sent her the text making it look as though it was me that sent it? I'm at a loss as to how that could have happened if i didn't sent it to her and the phone was in my posession the whole time. Can you help me please?
I myself received a text from SUPPOSEDLY was from my friend on his cell to my cell phone ,, he said it wasn't him and following conversation he has a trac phone and cannot text.. so there is no doubt i've been invaded (and I think I know who btw)
Could this person have hacked my cell phone and sent me the text making it look as though it was my buddy that had sent it?
And if so, what should I do (Apple iPhone4 with verizon as carrier)??
Thank You
Can anyone tell me if it is possible to hack into text messages, and if there is any way that I can find out if someone has done this to me?
i think the phone companys themselves can look at your text messages.maybe to check for offensives things being said.i think periodically they do this anyway.its a worry.
How can I buy Phone Hacker device or tools
When I call someone in Europe. I heard a recorded voice laughing and after that, the person I called answer my call. I told the person about the recorded voice, he has nothing to do with the taunting and he didn’t hear it. What happened there?
All the above methods were well known by many journalists before it all came out and was often openly discussed. Kiss n’ tell sensationalist type journalism essentially relied on ‘hacking’, listening in to private calls [remember the old analogue cordless phones and analogue mobile phones weren’t encrypted and could be easily be eavesdropped with a radio scanner]. Baby monitors, bugs, police scanners… all have been used to get information about a story.
From local papers to national tabloids, they all rely on dramatic headlines, stories and pictures to make sales. The local paper with a dramatic set of pictures of a major fire which killed 2 people is going to shift more copies than a paper with just a headline and an aftermath picture the following day. And given the emergency services rarely if ever give the media the heads up that something is ongoing, unless it’s affecting traffic, the media often listened in to emergency service broadcasts. Such eavesdropping has of course all but gone due to digital encryption.
But listening in could provide all sorts of stories. As well as major accidents, fires and incidents such as UXBs, gas explosions, sieges and bank robberies, the media might find out about arrested celebs crackling over police frequencies.
Phone hacking – or rather voice mail hacking as it technically was – offered a more targeted method of getting a sensationalist story about the cream of tabloid stories – the clebs.
Contacts are all well and good. But they can be hit or miss. And one can often wait endlessly for a contact to call.
Much of today’s tabloid stuff is fake in that the publicist phones the paper/agency and tells them the details of where a cleb might be.
Like most of these things the press were onto a good thing but shot themselves in the foot when hacking the likes of Milly Dowler’s mobile an innocent murder victim. Thus the whole thing unravelled.