The “phone-hacking” scandal that has gripped the U.K. is now making waves on this side of the pond. It stems from an alleged series of intrusions into the wireless voicemail boxes of high profile celebrities and 9/11 victims. The news stories about this scandal make it sound as if the attacks were sophisticated — an investigation into exactly what happened is still pending — but many people would be surprised to learn just how easy it is to “hack” into someone’s voicemail.
For years, it has been a poorly-kept secret that some of the world’s largest wireless providers rely on caller ID information to verify that a call to check voicemail is made from the account holder’s mobile phone. Unfortunately, this means that if you haven’t set up your voicemail account to require a PIN for access, your messages may be vulnerable to snooping by anyone who has access to caller ID “spoofing” technology. Several companies offer caller ID spoofing services, and the tools needed to start your own spoofing operation are freely available online.
I wanted to check whether this is possible with my AT&T account — so I chose my wife’s new iPhone as the target; I was reasonably sure she hadn’t set a PIN on her voicemail. I surfed over to spooftel.com and found that I still had $10 in credits in my account. I instructed Spooftel to call her number, and to use that same number as the caller ID information that gets transmitted to my wife’s phone. Her phone rang 4 times before going to voicemail; I pressed the # sign on my iPhone and was immediately presented with her saved messages.
The same method may work against other major providers, but I have only tested it against AT&T. The Boston Globe ran a story earlier this month claiming that Sprint and T-Mobile also do not require customers to enter a PIN to access voicemail. According to The Globe’s Hiawatha Bray, Verizon is alone in requiring that customers must establish a PIN for voicemail access.
Surely there must be a better way for AT&T (the second-largest wireless carrier in the United States) and Sprint and T-Mobile to verify the identity of a caller other than by trusting caller ID; hackers and phreakers have been spoofing this identifier for decades. How hard would it be for these providers to follow Verizon’s lead and require customers to pick a PIN for voicemail access?
The FBI says it is investigating whether News Corp. employees hacked into the voicemail boxes of 9/11 victims, and several lawmakers on Capitol Hill are calling for an official congressional inquiry. If Congress does hold hearings on this scandal, lawmakers would be remiss if they didn’t ask wireless providers why they have persisted in making it so easy for voicemail snoops to intrude.
If you don’t want others to snoop on your mobile phone messages, be sure to take a moment to set up a PIN for your voicemail access. This process differs for each provider, but most voicemail systems let you access the main options menu by pressing and holding the “1” key.
Update, Aug. 8: AT&T says it is changing its voicemail password policy. From the company’s blog: Beginning today, AT&T writes, “we will automatically set the default voicemail setting to Password Protect on any new subscriber or new line added to an existing account. In addition, beginning in early 2012, we will set the default voicemail setting to Password Protect anytime you upgrade or change your handset. That means whenever you get a new device, you will be required to set a password and use it unless you affirmatively turn the feature off.”
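As an added illustration, not part of the original post, here is a small Python model of the carrier-side voicemail access decision: the caller-ID-only check described earlier beside a PIN-required policy with the default-on Password Protect behaviour AT&T announced in the update. The account and call records, the phone number and the PIN are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Account:
    msisdn: str                 # the subscriber's own mobile number
    pin: Optional[str]          # None: the subscriber never set a voicemail PIN
    password_protect: bool      # carrier-side "Password Protect" setting for this line

@dataclass
class Call:
    caller_id: str              # network-signalled caller ID; a spoofing service lets the caller pick it
    entered_pin: Optional[str] = None

def new_line(msisdn: str, pin: Optional[str] = None, legacy: bool = False) -> Account:
    """Legacy default: Password Protect off unless the subscriber set it up.
    Updated default (AT&T, Aug. 8): Password Protect on for every new line."""
    return Account(msisdn, pin, password_protect=not legacy)

def caller_id_only(account: Account, call: Call) -> bool:
    """Weak policy: a matching caller ID is taken as proof the call comes from the handset.
    Caller ID is unauthenticated data chosen by the originating side, so this check
    fails as soon as the presented number equals the mailbox owner's own number."""
    return call.caller_id == account.msisdn

def pin_required(account: Account, call: Call) -> bool:
    """Corrected policy: caller ID may select the mailbox but never authenticates.
    With Password Protect on, access needs a PIN that has actually been set; a line
    whose owner affirmatively turned the feature off is back to the weak check."""
    if account.password_protect:
        return account.pin is not None and call.entered_pin == account.pin
    return caller_id_only(account, call)

def compare_policies() -> dict:
    """Constructed scenario: a legacy line with no PIN versus lines under the updated default."""
    owner = "+15555550100"                            # constructed number
    spoofed = Call(caller_id=owner)                   # presented caller ID equals the owner's number
    legit = Call(caller_id=owner, entered_pin="4821")
    legacy_line = new_line(owner, legacy=True)        # never set a PIN, Password Protect off
    new_default = new_line(owner, pin="4821")         # Password Protect on, PIN set at activation
    unset = new_line(owner)                           # Password Protect on, PIN not yet set
    return {
        "legacy_spoofed": pin_required(legacy_line, spoofed),    # True: snooping succeeds
        "new_spoofed": pin_required(new_default, spoofed),       # False: no PIN, no access
        "new_with_pin": pin_required(new_default, legit),        # True: owner gets in
        "new_pin_unset": pin_required(unset, spoofed),           # False: must set a PIN first
    }

if __name__ == "__main__":
    for case, granted in compare_policies().items():
        print(f"{case}: {'granted' if granted else 'denied'}")
```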