Thursday 7 July 2011

Hacked off Mobile Operators Cover Their Tracks

There is general outrage in the UK following recent revelations about employees of media organisations "hacking" into the voicemail boxes of not just celebrities and politicians but also of murder victims and their bereaved families.  
People are, quite rightly, disgusted by the scurrilous intrusion of such snooping, which even distorted the evidence in one missing persons investigation when it was thought that Milly Dowler herself was alive and listening to her voicemails.

Despite the public and political outrage, there has been little comment on the part of the Mobile Network Operators in the UK, still less any admission of responsibility.
For many years these networks have presided over systems so insecure that the term "hacking" flatters those who breached them. Mobile operators deployed voicemail systems in such a way that convenience took precedence over security, with:
  • Voicemail boxes easily derived from the phone numbers of subscribers (e.g. add 5 to the beginning)
  • The same initial PIN provided to all new subscribers, who are not required to change it
  • PIN validation bypassed when voicemail is accessed from the owner's Caller ID
  • Once accessed, a voicemail box can be used to return calls to any caller that has left a message
Indeed many of the operators published the information that enabled the "hacking" on their own websites. 
Oh, they have cleaned up their acts now, removing the instructions from their websites along with some of the vulnerabilities and lax practices that allowed the intrusions, but many of the hacking sites on the internet still have postings from 2004-2008 which document how easy it was at the time.


If Facebook or Google handled personal communications in such a flagrantly insecure way, they would be out of business.  O2, Orange, T-mobile and Vodafone have done their best to cover their tracks but there are still plenty of hacking websites that publish their past vulnerabilities:


Even today, mobile operators are doing little to enhance the security of their voicemail systems apart from suggesting subscribers set a voicemail PIN.
Even when a subscriber sets a PIN, however, it can easily be derived by the dialing robot scripts used by hackers.

Because the systems are still set up for convenience, many include a feature that bypasses PIN validation when accessed from the owner's phone.  Most operators don't give their subscribers the option of using this feature or not.
Spoofing hackers exploit it using software that can be configured to dial out presenting any chosen Caller ID. With full access to the mailbox they can then listen to voicemails, change the greeting and return calls (again made with the dialling software) to international and premium numbers.
See the video posted here for a demo.
The same vulnerabilities have been exploited since the mid-90s and, thanks to internet sites, the weaknesses of voicemail systems are well known to hackers, ranging from amateurs to organised crime families.
Isn’t it time that more was done to protect the privacy and accounts of mobile subscribers?

For starters, the operators could put in place the following simple security features to prevent hacking attempts:
  • Subscriber opt-in for voicemail access based on caller-ID
    The Voicemail System should disable PIN-bypass by default and allow the subscriber to consciously activate it at his or her own risk.
  • Voicemail access through complex random PIN with 3-strike locking
    To hinder a security breach caused by customers not setting a PIN, the VMS should send a complex, random PIN by SMS to voicemail subscribers upon registration to the service. This PIN code can have multiple different locks on the VMS's Interactive Voice Response and web interfaces. If an incorrect PIN is entered more than 3 times, the account is then locked and can only be released with operator permission.
These measures would show that the Operators are serious about protecting their subscribers against snooping and fraud, and would give the subscriber the freedom to choose convenience or security for access to their private messages stored on the mobile operator's systems.
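
The two measures above as a small access-control model, added here as an illustration and not taken from any operator's voicemail system. The class and method names, the 8-digit PIN length and locking on the third consecutive wrong PIN are assumptions.

```python
import hmac
import secrets

MAX_STRIKES = 3   # assumption: the third consecutive wrong PIN locks the box
PIN_DIGITS = 8    # assumption: the post only says "complex, random"

class Mailbox:
    """Hypothetical model of one subscriber's voicemail box."""

    def __init__(self, msisdn):
        self.msisdn = msisdn
        self.pin = None
        self.callerid_bypass = False   # PIN bypass stays off until the owner opts in
        self.strikes, self.locked = 0, False

    def provision(self):
        """Generate a per-subscriber random PIN; the caller delivers it by SMS."""
        self.pin = "".join(secrets.choice("0123456789") for _ in range(PIN_DIGITS))
        return self.pin

    def opt_in_bypass(self, pin):
        """Enable caller-ID bypass only after a successful PIN check."""
        if self._check_pin(pin):
            self.callerid_bypass = True
        return self.callerid_bypass

    def operator_unlock(self):
        """Release a locked box and issue a fresh PIN."""
        self.locked, self.strikes = False, 0
        return self.provision()

    def _check_pin(self, pin):
        if self.locked or self.pin is None or pin is None:
            return False
        if hmac.compare_digest(pin, self.pin):   # constant-time comparison
            self.strikes = 0
            return True
        self.strikes += 1
        self.locked = self.strikes >= MAX_STRIKES
        return False

    def access(self, caller_id, pin=None):
        """Decide whether an inbound call may open the mailbox."""
        if self.locked:
            return False
        # Caller ID is asserted by the calling side, so it counts only if opted in.
        if self.callerid_bypass and caller_id == self.msisdn:
            return True
        return self._check_pin(pin)
```

With these defaults, a call that merely presents the owner's number is refused unless the owner has opted in, and a locked box stays closed even to the correct PIN until the operator releases it.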


1 comment:

  1. I agree that more needs to be done by mobile operators to highlight and rectify mobile security. I think most people including myself are ignorant of mobile security issues. For instance I don't have a PIN number. Maybe this crisis can put pressure on providers to tighten up as you suggest. I am not sure why the Information Commissioner whose role is to protect public data has not been on their case...maybe you could send your ideas to him.

    Glad to see you used scurrilous...great word that...conveys contempt and disgust well !
