Thursday 3 January 2013

Phone "Hacking" or Opportunistic Access?


A lot of mobile phone owners may have been worried by all the talk of “phone hacking”. Customers often ask me what they can do to protect their phones, and what it’s all about anyway. In effect there is no actual phone hacking involved; it’s more a case of people taking advantage of lax security.

What we are talking about is opportunistic, illegitimate access to voicemail messages. These could be mobile phone messages, or messages on a home answering machine. Since the police inquiry into the News of the World scandal, mobile network operators have greatly improved their security mechanisms to better protect users.

A big problem with voicemails arose from the use of well-known default PINs for voicemail access. Most customers will probably never have used their PIN code to access voicemail. On most mobile phones, the network recognises that it is your phone calling and makes life easy for you by playing back the messages without asking for the PIN.

Operators often provide an external number through which you can call to access your voicemail remotely, but the easiest way to pick up your voicemail remotely is to call your own number. Usually, when the voicemail greeting starts, you can enter a PIN number to access the voicemail. On O2 the default used to be 8701 (you key a star first). I remember a friend of mine being horrified when I demonstrated to him how easy it was for anyone to listen to his voicemail.

As with computer passwords, people who do set up PIN numbers often use their birthday or some other well-known number that someone else could easily guess. That makes it a bit too easy for someone to access your stuff.

Sadly there are now newer methods that do verge on hacking. These methods involve faking a phone’s Caller Line Identity (CLI) so that the voicemail system believes it is your own phone calling. To block this type of attack, you need to set up a PIN to access your voicemail. By doing this you prevent automatic access to your voicemail. It is a bit of a pain to have to use it every time, but at least it makes things more secure.

I touched on home answering machines earlier. If you look at the operating instructions here (see page 36, remote access), they are much like the mobile phone set-up. Many people would leave the PIN as the default 000 – a bit too easy for someone else to guess!
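As an added illustration (not part of the original post), here is a small Python model of the two voicemail access policies described above, assuming a hypothetical voicemail platform: the legacy convenience of trusting the presented CLI versus always requiring a PIN, together with a check for the kind of guessable PINs the post warns about (the 8701 and 000 defaults, sequences, birthdays). The phone numbers, the PIN 4729 and the birthday are constructed values.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Defaults named in the post (O2's old 8701, the answering machine's 000)
# plus a couple of obvious choices; constructed list for illustration.
KNOWN_DEFAULT_PINS = {"8701", "000", "0000", "1234"}
OWNER_BIRTHDAY = date(1980, 7, 14)  # constructed example birthday


def pin_is_weak(pin: str, birthday: Optional[date] = None) -> bool:
    """Flag PINs an outsider could guess: known defaults, too short,
    repeated or sequential digits, or the owner's birthday in common layouts."""
    if pin in KNOWN_DEFAULT_PINS or not pin.isdigit() or len(pin) < 4:
        return True
    if len(set(pin)) == 1:  # 1111, 9999
        return True
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    if steps in ({1}, {-1}):  # 1234, 4321
        return True
    if birthday is not None:
        layouts = ("%d%m", "%m%d", "%Y", "%d%m%y", "%y%m%d")
        if pin in {birthday.strftime(f) for f in layouts}:
            return True
    return False


@dataclass
class Mailbox:
    owner_number: str     # the subscriber's own number (constructed)
    pin: str              # current PIN, possibly still the network default
    cli_auto_login: bool  # True = play messages when the CLI matches owner_number


def voicemail_access(box: Mailbox, presented_cli: str, pin_entered: Optional[str]) -> bool:
    """Decide whether the platform plays back messages. presented_cli is whatever
    the calling network signalled, which the post notes can be faked, so trusting
    it on its own is exactly the weakness being modelled here."""
    if box.cli_auto_login and presented_cli == box.owner_number:
        return True  # legacy convenience: no PIN asked for
    return pin_entered is not None and pin_entered == box.pin


# Legacy setup: default PIN never changed, CLI trusted (the situation the post describes).
legacy = Mailbox("07700900123", "8701", cli_auto_login=True)
# Hardened setup: owner-chosen PIN, PIN required on every call.
hardened = Mailbox("07700900123", "4729", cli_auto_login=False)

if __name__ == "__main__":
    print(voicemail_access(legacy, "07700900123", None))    # True: matching CLI is enough
    print(voicemail_access(hardened, "07700900123", None))  # False: PIN required
```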

Soon I intend to blog about what the real hackers can do.