Monday, 25 July 2011

How phone hacking worked and how to make sure you’re not a victim | Naked Security

Mobile phone security expert David Rogers of blog.mobilephonesecurity.org explains how "phone hacking" is done, and how you can better protect your mobile phone's voicemail.

A lot of mobile customers are bewildered by the events going on in the world press at the moment with all this talk of 'phone hacking'. Many of my friends have asked me what they can do to protect their phones and what the whole thing is about. The truth is that no phone was actually hacked, and it is wrong to call what went on hacking.

What's really being discussed is illicit access to voicemail messages.

I’m going to explain a bit about what exactly is behind this, how it works and what you can do to protect yourself from people wanting to access your voicemails.

There are a number of possible methods to gain access to someone's voicemail illicitly. In the UK at least, following the original police inquiry into the News of the World scandal, mobile network operators improved their security mechanisms to better protect users.

The good thing is, you can test out these mechanisms yourself as you can see below – if your operator hasn’t taken steps to close down the basic loopholes, ring them and tell them!

Default PINs

A lot of the problems in the voicemail scandal came from the use of well-known default PINs for voicemail access.

In fact, you as a customer may never have used a PIN for accessing your voicemail. That is because on most mobile phones the network recognises the number your call is coming from, assumes it is your own handset calling in, and lets you straight through for convenience.

So you would never even think that someone could access your voicemail by just dialling a number and entering a well-known default PIN.

These PINs can be found across the web – they naturally needed to be publicised to customers so they knew how to get remote access if they wanted.

As you’re probably thinking right now, this is a really poor security measure. Although the use of default PINs appears to have been brought to a halt in the UK, if you live in another country, it might be worth checking to see whether this practice is still being used by your mobile operator.

As late as March 2011, voicemails of politicians in the Netherlands were exposed by the use of a default PIN.

Remote Access to Voicemail

Operators often provide an external number through which you can call to access your voicemail remotely. This was one of the mechanisms allegedly used by the News of the World ‘phone hackers’ to get access to people’s voicemails without their knowledge.

If you had never set up a PIN, the attackers would get in via well-publicised default PINs.

If they came up against someone who was using their own PIN, they would then use social engineering techniques to trick the operator into resetting the PIN to the default.

Homework: If you haven’t ever used it before, find out what the remote access number is to your voicemail.

What happens? You should be asked for a PIN code. If you don't already use a PIN, use the web to see if you can find the default voicemail PIN your provider has advertised in the past. If you enter the default, what happens?

Now try entering a wrong PIN. Do you get an SMS on your mobile telling you about it? Be careful not to lock yourself out of your account: another security measure is to block access after three wrong attempts.

Calling your own phone

Another not-so-well-known method of accessing voicemail is to actually call your own mobile number.

Claims about the voicemail hacking scandal say that one journalist would call up a celebrity to engage the phone while another would then go into the voicemail using this method. Keeping the line busy guarantees that the second call is diverted straight to the voicemail greeting.

This seems pretty likely as a lot of celebrities' phones are looked after by personal assistants, not the celebrity themselves so it could look fairly legitimate to call up the PA.

More homework: Call your own mobile phone number. While you’re listening to the bit where it asks you to leave a message, press the * (star) key.

You should then be brought to your own voicemail menu! The system should ask you to enter a PIN. Follow the same process as above and see what happens.

Notifications

One of the security measures that has been introduced is to notify the customer more often by SMS when something happens that they should know about.

Remember that if a third party was accessing your voicemails remotely, you as a customer wouldn't normally get to know that anyone had been there. In some cases, the attackers deleted the voicemails.

The notifications you could get would tell you that there has been remote access to your voicemail, that there was an invalid PIN code attempt, or that your voicemail PIN has been changed – all useful bits of information!

This is something that has been borrowed from the banking industry. It is a simple, effective early warning mechanism that something could be wrong. Because it shouldn't happen very often, you shouldn't be plagued by messages, and equally you are the best person to know whether it is dodgy activity or not.

However, always be careful with any message you receive: a text claiming to come from your operator could itself be a lure. If you are unsure, ring your operator's customer helpline on the number printed on your bill or published on their website, not a number or link given in the message, and they will be able to tell you whether the message is genuine.

Newer methods of hacking voicemails

Sadly, there are always people who want to find out what others are up to, illegally. The methods for doing this are continually evolving.

Some of the newer methods involve spoofing the calling number (the caller ID) that the voicemail platform sees, so that the call appears to come from the subscriber's own handset and is let in without a PIN. This technique has been used in the USA and recently in the Netherlands to get access to the voicemails of politicians.

To block this attack, you need to set up a PIN to access your voicemail. By doing this you switch off the automatic, PIN-less access the network grants when it believes you are ringing from your own mobile, which is exactly the convenience a spoofed caller ID exploits.
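As an added illustration, and not code from this article, from Naked Security or from any operator, here is a small Python model of the access decision a voicemail platform makes. It puts the weak policy the article describes (trusting the caller ID, accepting a well-known default PIN, no lockout, no SMS notifications) beside a hardened one, and replays the attack paths from the Default PINs, Remote Access, Notifications and caller-ID-spoofing sections above against each. The default PIN "1234", the three-attempt lockout, the 07700 900xxx numbers (Ofcom's drama range) and the policy behaviour after a helpdesk reset are all assumptions made for the example.

```python
"""Toy model of a voicemail platform's access decision (added example).

Not code from the article or any operator. DEFAULT_PIN, LOCKOUT_ATTEMPTS,
the phone numbers and the post-reset behaviour are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional

DEFAULT_PIN = "1234"      # assumed well-known default, as the article describes
LOCKOUT_ATTEMPTS = 3      # assumed threshold: block after three wrong PINs


@dataclass
class Mailbox:
    number: str                       # the subscriber's mobile number
    pin: str = DEFAULT_PIN
    pin_set_by_user: bool = False     # False while the default PIN is in place
    failed_attempts: int = 0
    locked: bool = False
    notifications: List[str] = field(default_factory=list)  # SMS sent to owner


@dataclass(frozen=True)
class Policy:
    trust_caller_id: bool     # skip the PIN when the calling number matches
    allow_default_pin: bool   # accept the well-known default for remote access
    lockout: bool             # block the mailbox after LOCKOUT_ATTEMPTS failures
    notify: bool              # SMS the owner about access, failures and resets


WEAK = Policy(trust_caller_id=True, allow_default_pin=True, lockout=False, notify=False)
HARDENED = Policy(trust_caller_id=False, allow_default_pin=False, lockout=True, notify=True)


def _notify(box: Mailbox, policy: Policy, text: str) -> None:
    if policy.notify:
        box.notifications.append(text)


def access(box: Mailbox, policy: Policy, caller_id: str, pin: Optional[str]) -> bool:
    """Decide whether a caller gets into the mailbox.

    caller_id is the calling number the platform sees (an attacker can spoof
    it); pin is what was typed at the prompt, or None if the caller hung up.
    The decision is the same whether the caller dialled the remote access
    number or reached the greeting and pressed *.
    """
    if box.locked:
        return False
    if policy.trust_caller_id and caller_id == box.number:
        # Convenience path: the network "recognises" the handset.
        # A spoofed caller ID walks straight in; HARDENED never takes this branch.
        _notify(box, policy, "Your voicemail was accessed remotely")
        return True
    if not box.pin_set_by_user and not policy.allow_default_pin:
        # Assumed hardened behaviour: no remote access until the owner has
        # chosen a PIN from the handset, so the default is never usable.
        return False
    if pin is None:
        return False
    if pin == box.pin:
        box.failed_attempts = 0
        _notify(box, policy, "Your voicemail was accessed remotely")
        return True
    box.failed_attempts += 1
    _notify(box, policy, "Invalid PIN attempt on your voicemail")
    if policy.lockout and box.failed_attempts >= LOCKOUT_ATTEMPTS:
        box.locked = True
        _notify(box, policy, "Your voicemail was locked after repeated wrong PINs")
    return False


def helpdesk_reset(box: Mailbox, policy: Policy) -> None:
    """The social-engineering step: someone talks the helpdesk into a reset."""
    box.pin = DEFAULT_PIN
    box.pin_set_by_user = False
    box.failed_attempts = 0
    box.locked = False
    _notify(box, policy, "Your voicemail PIN has been changed")


def run_scenarios(policy: Policy) -> dict:
    """Replay the article's attack paths against one policy; return outcomes."""
    victim, attacker, landline = "07700900123", "07700900999", "02079460123"
    out = {}
    # 1. Owner never set a PIN; attacker dials in and types the default.
    box = Mailbox(victim)
    out["default_pin"] = access(box, policy, attacker, DEFAULT_PIN)
    # 2. Owner set a PIN; attacker spoofs the owner's number and enters nothing.
    box = Mailbox(victim, pin="8462", pin_set_by_user=True)
    out["cli_spoof"] = access(box, policy, victim, None)
    out["owner_pin_works"] = access(box, policy, landline, "8462")  # legit use
    # 3. Owner set a PIN; attacker gets it reset, then uses the default.
    box = Mailbox(victim, pin="8462", pin_set_by_user=True)
    helpdesk_reset(box, policy)
    out["reset_then_default"] = access(box, policy, attacker, DEFAULT_PIN)
    out["owner_told_of_reset"] = any("PIN has been changed" in n for n in box.notifications)
    # 4. Attacker guesses three wrong PINs, then happens upon the right one.
    box = Mailbox(victim, pin="8462", pin_set_by_user=True)
    tries = [access(box, policy, attacker, g) for g in ("0000", "1111", "2222", "8462")]
    out["locked_after_guessing"] = box.locked
    out["correct_pin_after_guessing"] = tries[-1]
    out["owner_told_of_failures"] = any("Invalid PIN" in n for n in box.notifications)
    return out


if __name__ == "__main__":
    for name, policy in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, run_scenarios(policy))
```

Under WEAK every attack path succeeds and the owner is never told; under HARDENED the default PIN is unusable until the owner chooses one, a spoofed caller ID only reaches the PIN prompt, the reset and the failed guesses each generate an SMS, and three wrong guesses lock the mailbox even against the correct PIN that follows. The owner's own PIN still works from any phone, which is the trade-off the article asks customers to accept.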

Summary

You now know how it works, you've been able to check whether you're properly protected, and you've set up your own PIN. The customer service websites of operators should also be able to give you some good advice on PIN security and their voicemail service.

Remember that with all the publicity around the issue, it’s not only the operators who are reacting to the revelations; there will be bad people out there who are only now starting to exploit illicit voicemail access. Don’t let yourself be a victim.

What happens next?

Well, customer use of voicemail technology has evolved a lot, even in the last five years with the result that habits are changing. That is why I am asking the network operators to look at the use of remote voicemail access in general, with the proposal that they should consider shutting remote access down entirely.

About the author

David Rogers is a mobile phone security expert and the owner of Copper Horse Solutions Ltd, a software and security company. He is the former Head of Security for the Wholesale Applications Community (WAC) and previously headed up Panasonic Mobile’s Product Security and Customer Engineering in Europe. He has advised government and Police organisations on a range of mobile phone security and forensics issues. Follow David on Twitter at @drogersuk or read his blog at http://blog.mobilephonesecurity.org.