Stable Door is just fine wide open, Thanks

As reported in the Irish Times of July 8th 2011, "Garda sources said there were currently no criminal investigations into phone hacking by journalists in the Republic because there had been no complaints about the practice."

On Today FM's  Sunday Supplement with Sam Smyth, communications minister, Pat Rabbitte, assured us he saw no need for an investigation of voicemail hacking in the Irish Republic as there was no evidence of it.
He did allow that his position might be naive but can naievity be the defense of someone who in 2006 was himself reportedly concerned about the vulnerabilities of Leinster Houses's voicemail.

Minister Rabbitte's placement of his head in the sand seems to reflect a general tendency in Irish political and media circles to blindly ignore the following facts:

1. There is indeed evidence of journalists in Ireland hacking the voicemail boxes of politicians and private individuals.  See the list of stories below.
2. Voicemail hacking is not the exclusive preserve of journalists or Private Investigators.  Because it is so well documented and demonstrated on several web sites, why should we assume that only journalists would be interested?  Why not also criminals, terrorists, currency speculators, political enemies?
3. Irish Mobile Operators continue to operate their voicemail systems with the most lax security procedures, relying on subscribers to voluntarily set passwords and providing no defense against software that can dial from a configurable caller ID.

If  your neighbour's house is burgled, why would you continue to leave your doors and windows unlocked at night?  

Pat picks up a voicemail

When you are minister for communications why would you allow this to go on?  

Evidence of Journalistic Hacking in Ireland

• Alex Marunchak, Slovak-born editor of the Irish News of the World paid a hacker to intercept emails from the computer of a British army intelligence officer. (But he wouldn't pay for voicemails would he?)
• Paul McMullan, who worked for the Irish News of the World in the 1990s, said the tactics used in Ireland on some stories were the same as those used in the UK.
• In Northern Ireland, the media is suspected of hacking the voicemails of politicians and private individuals.  Are they so much more interesting? 
• The Irish Mirror hacked the voicemail of several Irish politicians back in the late 1990s

There is little evidence that Irish Mobile Operators or corporate voicemail vendors have improved their security since that time and there seems to be no will on the part of the communications minister to force them to take the measures required.


What if Facebook or Google treated their users' private communications like mobile operators treat voicemails?  "We provide a standard password for all new users. You have the option to set a unique one if you want and if you connect from your home IP address, we won't check for a password anyway!"

Who would sign up for that?   How long would the service providers stay in business?

An Irish Times article of July 7th, quotes a spokesman for the Office of the Data Protection Commissioner saying that while "there was no evidence to suggest phone hacking was prevalent within the Irish newspaper industry ...That does not mean, however, it is not happening, just that we have no proof that it is taking place,” He added that legislation was in place “to protect people”.

Legislation does not protect people from burglary, locked doors and windows do.

Hacked off Mobile Operators Cover Their Tracks

There is general outrage in the UK following recent revelations about employees of media organisations "hacking" into the voicemail boxes of not just celebrities and politicians but also of murder victims and their bereaved families.  

People are, quite rightly, disgusted by the scurrilous intrusion of such snooping, which even distorted the evidence in one missing persons investigation when it was thought that Milly Dowler herself was alive and listening to her voicemails.

Despite the public and political outrage, there has been little comment on the part of  the Mobile Network Operators in the UK, still less any admission of responsibility.

For many years these networks have presided over systems so insecure that the term "hacking" flatters those who breached them. Mobile operators deployed voicemail systems in such a way that convenience took precedence over security, with:

• Voicemail boxes easily derived from the phone numbers of subscribers (eg. add 5 to the beginning)
• The same initial PIN is provided to all new subscribers who are not required to change it
• PIN validation  by-passed when voicemail is accessed by the owner’s Caller ID
• Once accessed, a voicemail box can be used to return a calls to any caller that has left a message

Indeed many of the operators published the information that enabled the "hacking" on their own websites. 
Oh they have cleaned up their acts now, removing the instructions from their websites and some of the vulnerabilities and lax practices that allowed them but many of the hacking sites on the internet still have postings from 2004-2008 which document how easy it was at the time.

(Irish Article 2006    US article 2005)

If Facebook or Google handled personal communications in such a flagrantly insecure way, they would be out of business.  O2, Orange, T-mobile and Vodafone have done their best to cover their tracks but there are still plenty of hacking websites that publish their past vulnerabilities:

• http://www.textfiles.com/phreak/VOICEMAIL/
• http://www.cashloopholes.co.uk/free-mobile-phone-loopholes-secrets/3669-hacking-voicemail.html
• http://www.break.com/usercontent/2007/8/HOW-TO-HACK-INTO-CELL-PHONE-VOICEMAIL-342982.html
• http://100waystogetrevenge.wordpress.com/2009/07/11/cell-phone-voice-mail-hacking/

Even today, mobile operators  are doing little to enhance the security of their voicemail systems apart from suggesting subscribers set a voicemail PIN,.   

Even when a subscriber sets a PIN, however, it can easily be derived by the dialing robot scripts used by hackers.

Because the systems are still set up for convenience, many include a feature that bypasses PIN validation when accessed from the owner's phone.  Most operators don't give their subscribers the option of using this feature or not.
Spoofing hackers exploit it using software that can be configured to dial using any configured Caller ID. With full access to the mailbox they can then listen to voicemails, change the greeting and return calls (again made with the dialling software) to international and premium numbers.
See the video posted here for a demo.

In one famous case, a US operator presented their customer with a $12,000 bill.

The same vulnerabilities have been exploited since the mid-90s and due to internet sites, the vulnerabilities of voicemail systems are well known to hackers – ranging from amateurs to organised crime families.

Isn’t it time that more was done to protect the privacy and accounts of mobile subscribers?

For starters the operators could put in place the following  simple security features to prevent hacking attempts:

• Subscriber opt-in for voicemail access based on caller-ID
  The Voicemail System should disable PIN-bypass by default and allow the subscriber to consciously activate it at his or her own risk.

• Voicemail access through complex random PIN with 3-strike locking
  To hinder a security breach because of customers not setting a PIN, the VMS should send a complex, random PIN by SMS to voicemail subscribers upon registration to the service. This PIN code can have multiple different locks on the VMS's Interactive Voice Response and  web interfaces. If an incorrect PIN is entered  more than 3 times, the account is then locked and can only be released with operator permission.

These measures would show that the Operators are serious about protecting their subscribers against snooping and fraud and gives the subscriber the freedom to choose convenience or security for access to their private messages stored on the mobile operator’s systems.