Is Your Cellphone Voicemail Still Wide Open?
There is a scene in my novel where I needed the protagonist, a computer hacker called Brody, to gain access to someone else’s mobile phone voicemail. Like most people, I remember the July 2011 phone hacking scandal that brought down the News of the World. So, at the time of writing the scene in the book, almost two years on from the scandal, and many years on from the actual phone hacking events, I naturally assumed that it would be much harder to hack into a UK mobile phone’s voicemail service. That, in those two years, the UK mobile operators would have increased the security measures on our phones. So I decided to check. I wanted to make sure that the techniques Brody used were up-to-date and realistic.
So how did those News of the World journalists hack into the mobile phones of murdered schoolgirl Milly Dowler, relatives of deceased British soldiers and victims of the 7/7 London bombings? They used a technique called caller id spoofing.
It involves tricking the telephone network into displaying a phone number on the recipient’s display that is not actually the originating number. It makes it appear to the recipient that the phone call has been made by someone else. There are hundreds of internet sites available that provide this as a service. Just google “caller id spoofing” and you’ll see them listed.
Non-malicious uses might involve pranksters playing a joke on a friend or an employee working at home making a phone call to a customer as if they were at their office. Or if someone is ignoring your calls and you really want to get through, spoof a different number!
But malicious uses seem to outweigh the innocent ones. Some journalists, private detectives and telemarketers have all used these services illegally, or at least illicitly, in the past even though these industries all have codes of conduct that discourage the practice.
So how does caller id spoofing crack voicemails? Simple: if you phone the mobile phone number whose voicemail you want to access (or the mobile operator’s voicemail service itself) and spoof the phone number of the phone whose voicemail you want to access, the network thinks that the owner of the phone is accessing their voicemail from their actual phone.
Mobile operator companies, by default, don’t ask for a security pin when the voicemail is being accessed from the originating phone. But they do ask for a pin if the voicemail is being accessed from a different phone number. And they do allow you to change your security settings so that a pin must be provided even when accessing the voicemail from the originating phone. But very few people ever think to do this, or know that they can.
And so by spoofing the originating number the voicemails can all be listened to. A smart hacker will go through the menu options and even mark each message listened to back to a status of ‘unread’, so that the real owner of the number doesn’t become suspicious later.
That’s how it was done by the journalists of the News of the World. So has anything changed? Have any of the five main UK mobile phone operators changed the default security settings to enforce requiring a pin, even when accessing voicemail from the originating phone?
The answer is a resounding NO. O2, Vodafone, Orange/T-Mobile (now combined as EE), and Three all default to having no pin number when accessing voicemails from your own phone. Absolutely nothing has changed in two years. Any malicious hacker can gain access to anyone’s voicemail simply by spoofing the caller id – unless the owner of the number has made a point of increasing their own security settings.
T-Mobile sums up their logic best:
Because many customers have asked for the security feature to be turned off to allow speedy access to voice mail messages, your voice mailbox is automatically set up to NOT ask you for your password.
So, Brody, my fictional hacker, found it incredibly easy to hack into his target’s mobile phone voicemail. After all, I wanted the scene to reflect the real world where it is also far too easy.
Here are links to the specific pages of each of the five UK mobile operators’ web sites where they state the default security option is to have no pin, but that a pin can be put in place:
It’s as if the News of the World phone hacking scandal never happened. But it did.
And it will again.