A lot of mobile customers are bewildered by the events going on in the world press at the moment with all this talk of phone hacking. Many of my friends have asked me what they can do to protect their phones and what the whole thing is about. The truth is, there is no actual phone hacking involved and it is also wrong to call what went on hacking.
What’s really being discussed is illicit access to voicemail messages.
I’m going to explain a bit about what exactly is behind this, how it works and what you can do to protect yourself from people wanting to access your voicemails.
There are several possible methods to gain access to someone’s voicemail illicitly. In the UK at least, given the original police inquiry into the News of the World scandal, mobile network operators improved their security mechanisms to increase protection of users.
Get Crikey FREE to your inbox every weekday morning with the Crikey Worm.
The good thing is, you can test out these mechanisms yourself as you can see below — if your operator hasn’t taken steps to close down the basic loopholes, ring them and tell them!
A lot of the problems that arose in the voicemail scandal arose from the use of well-known default PINs for voicemail access. In fact, you as a customer may never have used a PIN for accessing your voicemail. That is because on most mobile phones, the network recognises that it is your phone calling in and makes life more convenient for you.
So you would never even think that someone could access your voicemail by just dialling a number and entering a well-known default PIN. These PINs can be found across the web — they naturally needed to be publicised to customers so they knew how to get remote access if they wanted.
As you’re probably thinking right now, this is a really poor security measure. Although the use of default PINs appears to have been brought to a halt in the UK, if you live in another country, it might be worth checking to see whether this practice is still being used by your mobile operator.
As late as March 2011, voicemails of politicians in the Netherlands were exposed by the use of a default PIN.
Remote Access to Voicemail
Operators often provide an external number through which you can call to access your voicemail remotely. This was one of the mechanisms allegedly used by the News of the World phone hackers to get access to people’s voicemails without their knowledge.
If you’d never set up a PIN, the attackers would get in via well publicised default PINs. If they came up against someone who was using their own PIN, they would then use social engineering techniques to trick the operator into resetting the PIN to the default.
Homework: If you haven’t ever used it before, find out what the remote access number is to your voicemail. What happens? You should be asked for a PIN code. If you don’t already use a PIN, use the web to see if you can find the default voicemail your provider has advertised in the past. If you enter the default, what happens? Now try entering a wrong PIN. Do you get an SMS on your mobile telling you about it? Be careful not to block yourself out of your account, another security measure will be to block access if there are three wrong attempts.
Calling your own phone
Another not-so-well-known method of accessing voicemail is to actually call your own mobile number.
Claims about the voicemail -hacking scandal say that one journalist would call up a celebrity to engage the phone while another would then go into the voicemail using this method. This seems pretty likely as a lot of celebrities’ phones are looked after by personal assistants, not the celebrity themselves so it could look fairly legitimate to call up the PA.
More homework: Call your own mobile phone number. While you’re listening to the bit where it asks you to leave a message, press the * (star) key. You should then be brought to your own voicemail menu! The system should ask you to enter a PIN. Follow the same process as above and see what happens.
One of the security measures that have been introduced is to notify the customer more often by SMS when something goes on that they should know about. Remember that if a third-party was accessing your voicemails remotely, you as a customer wouldn’t normally get to know that anyone had been there. In some cases, the attackers deleted the voicemails.
The type of notifications you could get could tell you that there has been a remote access to your voicemail, that there was an invalid PIN code attempt or that your voicemail PIN has been changed — all useful bits of information.
This is something that has been borrowed from the banking industry. It is a simple, effective early warning mechanism that something could be wrong. Because it shouldn’t happen very often, you shouldn’t be plagued by messages, equally you are the best person to know if it is dodgy activity or not.
However, always be careful with any message you receive. The best thing to do if you are unsure is to ring the customer helpline of your operator who’ll be able to tell you whether the message is genuine.
Newer methods of hacking voicemails
Sadly, there are always people who want to find out what others are up to, illegally. The methods for doing this are continually evolving.
Some of the newer methods involve faking a phone’s displayed number so it can trick access to voicemail. This technique has been used in the US and recently in the Netherlands to get access to the voicemails of politicians.
To block this attack, you need to set up a PIN to access your voicemail. By doing this you prevent automatic access to your voicemail (as if you were ringing from your own mobile).
You now know how it works and you’ve been able to check whether you’re properly protected and set up your own PIN. The customer service websites of operators should also be able to give you some good advice on PIN security and their voicemail service.
Remember that with all the publicity around the issue, it’s not only the operators who are reacting to the revelations; there will be bad people out there who are only now starting to exploit illicit voicemail access. Don’t let yourself be a victim.
What happens next?
Well, customer use of voicemail technology has evolved a lot, even in the past five years with the result that habits are changing. That is why I am asking the network operators to look at the use of remote voicemail access in general, with the proposal that they should consider shutting remote access down entirely.
*David Rogers is a mobile phone security expert and the owner of Copper Horse Solutions Ltd, a software and security company. This article originally appeared in the Sophos blog Naked Security.