July 18, 2011

The “phone-hacking” scandal that has gripped the U.K. is now making waves on this side of the pond. It stems from an alleged series of intrusions into the wireless voicemail boxes of high profile celebrities and 9/11 victims. The news stories about this scandal make it sound as if the attacks were sophisticated — an investigation into exactly what happened is still pending — but many people would be surprised to learn just how easy it is to “hack” into someone’s voicemail.

For years, it has been a poorly-kept secret that some of the world’s largest wireless providers rely on caller ID information to verify that a call to check voicemail is made from the account holder’s mobile phone. Unfortunately, this means that if you haven’t set up your voicemail account to require a PIN for access, your messages may be vulnerable to snooping by anyone who has access to caller ID “spoofing” technology. Several companies offer caller ID spoofing services, and the tools needed to start your own spoofing operation are freely available online.
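The decision the carriers make can be written down as a small access policy and exercised against constructed call records. The Python below is an added example for this post, not carrier code: it models the weak policy (a presented caller ID equal to the mailbox number skips the PIN unless the subscriber turned password protection on) next to a hardened policy that never consults caller ID and forces a mailbox with no PIN through setup first. The mailbox number, PIN, salt handling and call records are all constructed for the example.

```python
"""Toy model of a voicemail front-end's access decision.

Added example for this article (not carrier code). It contrasts the weak
policy the article describes, where a matching caller ID skips the PIN,
with a hardened policy that ignores caller ID and always requires the PIN.
Mailbox numbers, PINs and call records below are constructed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Decision(Enum):
    GRANTED_BY_CALLER_ID = "granted: caller ID matched, no PIN asked"
    GRANTED_BY_PIN = "granted: correct PIN"
    DENIED = "denied"
    SETUP_REQUIRED = "denied: no PIN on file, subscriber must set one"


@dataclass(frozen=True)
class Mailbox:
    number: str
    salt: bytes
    pin_hash: Optional[bytes]   # None: subscriber never set a PIN
    password_protect: bool      # the "Password Protect" setting the update mentions


@dataclass(frozen=True)
class Call:
    dialed: str
    caller_id: str              # presented CLI, which the article shows is spoofable
    pin_entered: Optional[str]


def _hash_pin(pin: str, salt: bytes) -> bytes:
    # Assumption: PINs are stored as salted PBKDF2 hashes, never in the clear.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def make_mailbox(number: str, pin: Optional[str], password_protect: bool) -> Mailbox:
    salt = secrets.token_bytes(16)
    pin_hash = _hash_pin(pin, salt) if pin is not None else None
    return Mailbox(number, salt, pin_hash, password_protect)


def _check_pin(call: Call, box: Mailbox) -> Decision:
    if box.pin_hash is None or call.pin_entered is None:
        return Decision.DENIED
    candidate = _hash_pin(call.pin_entered, box.salt)
    if hmac.compare_digest(candidate, box.pin_hash):   # constant-time compare
        return Decision.GRANTED_BY_PIN
    return Decision.DENIED


def weak_policy(call: Call, box: Mailbox) -> Decision:
    """Carrier behaviour the article describes: a call whose caller ID equals
    the mailbox number is assumed to come from the subscriber's own handset,
    so the PIN is skipped unless Password Protect is on."""
    if call.caller_id == box.number and not box.password_protect:
        return Decision.GRANTED_BY_CALLER_ID
    return _check_pin(call, box)


def strict_policy(call: Call, box: Mailbox) -> Decision:
    """Hardened policy: caller ID is presentation data chosen by the caller,
    so it is never consulted; every access needs the PIN, and a mailbox with
    no PIN on file is sent to setup instead of opened."""
    if box.pin_hash is None:
        return Decision.SETUP_REQUIRED
    return _check_pin(call, box)


def run_demo() -> dict:
    """Replay a spoofed call against both policies; returns the decisions."""
    number = "2125550100"       # constructed mailbox number
    no_pin = make_mailbox(number, pin=None, password_protect=False)
    pin_off = make_mailbox(number, pin="4827", password_protect=False)
    protected = make_mailbox(number, pin="4827", password_protect=True)
    spoofed = Call(dialed=number, caller_id=number, pin_entered=None)
    genuine = Call(dialed=number, caller_id="2125550199", pin_entered="4827")
    wrong = Call(dialed=number, caller_id="2125550199", pin_entered="1234")
    return {
        "weak/no pin/spoofed": weak_policy(spoofed, no_pin),
        "strict/no pin/spoofed": strict_policy(spoofed, no_pin),
        "weak/pin set but protect off/spoofed": weak_policy(spoofed, pin_off),
        "weak/protected/spoofed": weak_policy(spoofed, protected),
        "strict/protected/spoofed": strict_policy(spoofed, protected),
        "strict/protected/genuine": strict_policy(genuine, protected),
        "strict/protected/wrong pin": strict_policy(wrong, protected),
    }


if __name__ == "__main__":
    for scenario, decision in run_demo().items():
        print(f"{scenario:38} -> {decision.value}")
```

The "pin set but protect off" scenario is the one to watch: under the weak policy a subscriber who has chosen a PIN but left the prompt switched off is no better protected than one who never set a PIN, because the caller-ID match short-circuits the check before the PIN is ever requested. The hardened policy has no such path, so the only way in is knowledge of the PIN.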

I wanted to check whether this is possible with my AT&T account — so I chose my wife’s new iPhone as the target; I was reasonably sure she hadn’t set a PIN on her voicemail. I surfed over to spooftel.com and found that I still had $10 in credits in my account. I instructed Spooftel to call her number, and to use that same number as the caller ID information that gets transmitted to my wife’s phone. Her phone rang 4 times before going to voicemail; I pressed the # sign on my iPhone and was immediately presented with her saved messages.

The same method may work against other major providers, but I have only tested it against AT&T. The Boston Globe ran a story earlier this month claiming that Sprint and T-Mobile also do not require customers to enter a PIN to access voicemail. According to The Globe’s Hiawatha Bray, Verizon is alone in requiring that customers must establish a PIN for voicemail access.

Surely there must be a better way for AT&T (the second-largest wireless carrier in the United States) and Sprint and T-Mobile to verify the identity of a caller other than by trusting caller ID; hackers and phreakers have been spoofing this identifier for decades. How hard would it be for these providers to follow Verizon’s lead and require customers to pick a PIN for voicemail access?

The FBI says it is investigating whether News Corp. employees hacked into the voicemail boxes of 9/11 victims, and several lawmakers on Capitol Hill are calling for an official congressional inquiry. If Congress does hold hearings on this scandal, lawmakers would be remiss if they didn’t ask wireless providers why they have persisted in making it so easy for voicemail snoops to intrude.

If you don’t want others to snoop on your mobile phone messages, be sure to take a moment to set up a PIN for your voicemail access. This process differs for each provider, but most voicemail systems let you access the main options menu by pressing and holding the “1” key.

Update, Aug. 8: AT&T says it is changing its voicemail password policy. From the company’s blog: Beginning today, AT&T writes, “we will automatically set the default voicemail setting to Password Protect on any new subscriber or new line added to an existing account. In addition, beginning in early 2012, we will set the default voicemail setting to Password Protect anytime you upgrade or change your handset. That means whenever you get a new device, you will be required to set a password and use it unless you affirmatively turn the feature off.”


24 thoughts on “Is Your Voicemail Wide Open?”

  1. Owen

    Unfortunately though, when people are required to set a PIN, they often choose “1234” or “1111” anyway.

  2. Neej

    Apparently a completely different method was being used in the UK. I have seen and heard this in multiple places, including a Dispatches documentary and BBC World Service.

    How the “hack” (kinda I suppose) occurred in these cases was the target’s number was rung. At the same time a different phone was used to ring the same number. For some reason this then allowed access to the target’s voicemail, although only if the target had not changed their default pin (something idiotic like 0000 or something). I think this is how it was being reported: check out the BBC archives or the Dispatches episode called Tories, Tabloids and Telephone Hacking.

    Needless to say many people apparently don’t change their default voicemail pin.

  3. Jim J.

    Sorta on topic. I left AT&T several years past. AT&T is the epitome of incompetence, disgraceful support, rude associates and fraudulent charges.

    I will not waste white space elaborating.

  4. Jerry

    Your article misses a bigger hole but glosses over it by discounting that your wife set a password. Even with a password set on ATT voice mail, spoofing lets you right into the voice mail box.

    ATT likely does this to stop the “hassle” of having to enter your pin every time you check your voice mail.

  5. kmullersdorf

    One more security gap that needs to be addressed.
    I guess the same arguments go here
    “No one cares about my personal messages or emails”
    Well, what happens when you bring the same behavior to your workplace?

  6. TJ

    For those using Google Voice, you’ll want to specifically require the use of a PIN when calling into your GV number from EVERY forwarded number. Otherwise, calls to your GV# from a forwarded number will go directly into voicemail.

    This adjustment can be found under: Options > Voice settings > Phones > (Phone #) Edit > Show Advanced Settings

  7. Clive Robinson

    Brian,

    You might want to go over to the Camb Labs site; Prof Ross Anderson has a write-up on the technical and policy aspects of this.

  8. Tom Byrnes

    I’ve tested this on Sprint (which I have), using our VOIP trunks, and it works. So, everyone SHOULD require a PIN (if it’s default off, there’s usually an option to turn it on), and make it something not easily guessable.

  9. wiredog

    So I need a pin to access the ATM. And the voicemail. And for the keypad at work. And for a few other things…

    So, given that my memory isn’t perfect, do I write them all down on a piece of paper kept in my wallet, or use the same pin everywhere?

    1. Clive Robinson

      Wiredog,

      There are many strategies for storing multiple pin numbers without actually writing the pin down. Most depend on your ability to do mental arithmetic.

      One old method was to write down a list of genuine telephone numbers and by some simple process you gain a new number (ie the pin) from two or more other numbers. The simplest is to add the two numbers mod 10 (ie add with no carry).

      1. Gary

        Or simply create a number from a word “spelled out” on the telephone keypad. For example, “computer” = 26678837 (not that you need 8 digits 🙂)

        Pretty hard to guess without knowing the “root word”
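Both of the tricks in the two comments above, Clive Robinson’s digit-wise mod-10 sum of remembered phone numbers and Gary’s keypad spelling of a word, are short enough to write down exactly. The Python below is an added example, not either commenter’s code; the keypad layout is the standard North American letter assignment, and the phone numbers it sums are constructed.

```python
"""Two PIN-memory tricks from the comments, as an added example (not the
commenters' code). The phone numbers used below are constructed."""

# Standard telephone keypad letter layout (assumption: the usual North
# American assignment, with Q on 7 and Z on 9).
KEYPAD = {"2": "abc", "3": "def", "4": "ghi", "5": "jkl",
          "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz"}
LETTER_TO_DIGIT = {ch: digit for digit, letters in KEYPAD.items() for ch in letters}


def word_to_digits(word: str) -> str:
    """Gary's method: spell the word on the keypad. Characters that are not
    letters (spaces, punctuation) are dropped rather than mapped."""
    return "".join(LETTER_TO_DIGIT[c] for c in word.lower() if c in LETTER_TO_DIGIT)


def add_without_carry(*numbers: str, length: int = 4) -> str:
    """Clive's method: take the rightmost `length` digits of each remembered
    number and add them column by column modulo 10, i.e. with no carry."""
    tails = ["".join(ch for ch in n if ch.isdigit())[-length:] for n in numbers]
    if len(tails) < 2 or any(len(t) != length for t in tails):
        raise ValueError("need at least two numbers with at least %d digits each" % length)
    return "".join(str(sum(int(t[i]) for t in tails) % 10) for i in range(length))


def demo() -> dict:
    """Return both derivations on sample input so they can be checked."""
    return {
        "computer": word_to_digits("computer"),
        "two numbers": add_without_carry("212-555-0100", "212-555-0199"),
        "three numbers": add_without_carry("212-555-0100", "212-555-0199", "212-555-0842"),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label:14} -> {value}")
```

One caveat from the defender’s side: the keypad mapping is public, so a PIN spelled from a word is exactly as guessable as the word itself (a dictionary of common English words maps to a dictionary of PINs in one pass), whereas the mod-10 sum yields a PIN that looks unrelated to anything on the written list as long as which two entries were combined stays private.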

    2. Jane

      Bruce Schneier said in 2005: “Simply, people can no longer remember passwords good enough to reliably defend against dictionary attacks, and are much more secure if they choose a password too complicated to remember and then write it down. We’re all good at securing small pieces of paper. I recommend that people write their passwords down on a small piece of paper, and keep it with their other valuable small pieces of paper: in their wallet.”
      http://www.schneier.com/blog/archives/2005/06/write_down_your.html

      He referenced: http://news.cnet.com/Microsoft-security-guru-Jot-down-your-passwords/2100-7355_3-5716590.html

      Reminder (hopefully unnecessary!) for folks on classified systems though: it is still illegal to write down that password in any useful location.

  10. Dave

    Process to set a PIN for ATT is as follows:

    1. Login to VM.
    2. Press 4 for “Personal Options” from the Main Menu.
    3. Press 2 for Administrative Options.
    4. Press 1 for Password Options.
    5. Press 1 to Establish a Password. Enter it twice, each time followed by #.

    If you go back to Password Options, you can press 2 to Turn Password On or Off.

    If password is Off, you are not prompted for a password when you press 1 to connect to VM. If password is On, after pressing 1 you will hear “Enter Password.”

  11. AlphaCentauri

    If you’re concerned about people making repetitive guesses at your PIN, don’t choose one that starts with digits 01-12 or 19-20. Dates are very common choices.

    The last four digits of a phone number you know well that belongs to someone else is a better choice. (Hey, you usually know the numbers you call frequently a lot better than your own, anyway.)

    But if someone really wants YOUR voice mail and is willing to try 10,000 times, you can’t stop them.

  12. Bill Warhurst

    I have had a Sprint phone for several years. Sprint also required a PIN to access voicemail, then required an updated PIN about three years ago. I was forbidden from using the first 3 or 4 “easy” PINs that I tried.
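The PIN advice scattered through the comments above (Owen’s “1234”/“1111”, AlphaCentauri’s warning about date-like prefixes 01–12 and 19–20, and the carrier-side rejection of “easy” PINs Bill describes at Sprint) can be turned into a single screening function. The Python below is an added example and not any commenter’s or carrier’s code; the small deny-list and the 4-to-8-digit length bound are assumptions made for the example.

```python
"""Screen for weak voicemail PINs, built from the rules in the comments:
single repeated digit, ascending/descending runs, date-like prefixes
(01-12 or 19-20) and a short deny-list. Added example, not carrier code."""
from typing import List

# Assumption: a handful of PINs a guesser would try first (2580 is the
# keypad's middle column).
COMMON_PINS = {"0000", "1111", "1212", "1234", "2580", "4321", "7777"}


def weak_pin_reasons(pin: str) -> List[str]:
    """Return every rule the PIN trips; an empty list means it passed."""
    if not pin.isdigit() or not 4 <= len(pin) <= 8:
        return ["must be 4 to 8 digits"]          # assumed length policy
    reasons = []
    if len(set(pin)) == 1:
        reasons.append("single repeated digit")    # 1111, 0000, ...
    digits = [int(c) for c in pin]
    steps = {(b - a) % 10 for a, b in zip(digits, digits[1:])}
    if steps in ({1}, {9}):
        reasons.append("ascending or descending run")   # 1234, 4321, 9012
    prefix = int(pin[:2])
    if 1 <= prefix <= 12 or 19 <= prefix <= 20:
        reasons.append("looks like a date (starts with 01-12 or 19-20)")
    if pin in COMMON_PINS:
        reasons.append("on the common-PIN list")
    return reasons


def is_acceptable(pin: str) -> bool:
    return not weak_pin_reasons(pin)


if __name__ == "__main__":
    for candidate in ["1234", "1111", "0315", "1987", "2580", "4827", "12ab"]:
        verdict = weak_pin_reasons(candidate) or ["ok"]
        print(f"{candidate:6} {', '.join(verdict)}")
```

A screen like this only raises the cost of the first few guesses; AlphaCentauri’s point stands that nothing the subscriber picks defeats an attacker willing to try all 10,000 four-digit values, so the matching control belongs on the carrier side as a lockout or throttle after a few failed attempts.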

  13. Andrew

    I think that most of us are missing the point. Perhaps because most security people:

    1. Don’t understand their job as security people.
    2. Think of every issue only in terms of security.
    3. Blame someone else for whatever goes wrong.

    People want to be able to open their phone and get their messages, without having to type a pin. That is a convenience feature. It is a completely legitimate feature, actually a selling point.
    For most phones, having access to the physical phone gets you the text messages, email messages and images. No pin needed. Why should one kind of message be different?

    The problem is not that it is a bad feature. The problem is that the feature is broken. The phone company knows which phone is calling. They shouldn’t be using caller ID for this, use their own signaling information. Fix the broken feature; don’t blame your customers for not using a pin.

    Or will you tell me that I can call a 900 number with a spoofed caller ID and the $4.99/min. bill will go to someone else?

    Too many security people believe that their main job is to keep the bad guys out. As security people, our first priority is to let the good guys in. Or to “Support and facilitate the organization in completing its mission and earning profits.” As developers, our job is to make the features work correctly and safely.

    Yes, no security chief will get fired for insisting on a 16 character mixed case password changed every other week. He will lose his job when all the talented people, and customers, go to a company with less hassle.

  14. Andrew

    One more point:

    Why are we suddenly upset about a news organization doing this? What is different now?

    News organizations have always stolen information to get to the facts. Good investigative reporters have “sources” and “methods” that may not be quite legal or moral. Open a physical mailbox to peek at the letters. Pretend to be someone else to get a piece of evidence. Trespass on private property to peep in a window.

    And if we step on the flower bed to see in that window? Too bad, fourth estate, public’s right to know and all that.

    Perhaps the difference is that the phone is electronic. Perhaps this case is just closer to home. Or perhaps we don’t like these guys as much as the guys at the Times?

    1. Jesse Ruderman

      Trying to learn whether a powerful entity is corrupt is one thing. Violating the personal privacy of an individual, especially someone you find interesting only because they are the victim of a famous terrorist attack, is quite another.

      It’s the difference between “in the public interest” and “of interest to the public”.

  15. MicheleMoore-Happy1

    Easily remembered safe, secure passwords –
    http://www.happinessandsecurity.com/2011/07/easy-secure-passwords.html

    Experts recommend using Complex Passwords – unidentifiable sequences of letters and numbers that do not use common names or nouns like: Oscus$btdel

    This is much harder to guess or crack than common names or nouns, which are all too often used as part of passwords. The problem is remembering these complex passwords without writing them down.

    Here’s a tip to make remembering complex passwords easy: Use the first letter of a well known song or poem and add a special character at the end of each phrase. Select a song or poem that has special significance to you or with limited knowledge or recognition.

    Then write a clue that makes it easy for you to remember the song or poem you selected, like: flag$

    And be sure to keep your password clue sheets with your user names absolutely secure.

    Can you easily guess what the phrase was? Take a moment and see if you can figure it out from the clue.

    “Oh say can you see, by the dawn’s early light”

    Or use the chorus of your favorite Rolling Stones song and write down the clue: Stone% and don’t tell people what your favorite Rolling Stones song is.

    Another EASY way to create unique passwords for each site you regularly visit is to use a sentence that includes the name of the site in the password: TspitwsiGM1

    The smartest person in the world signs into GMail – Keep your phrase VERY SECRET! Be careful to select a phrase that is not easily guessed and change your catch phrase regularly.

    Remember that most passwords are easily recoverable and can be quickly reset if you cannot remember the phrase you selected.

    Hope this helps your readers!

  16. Adrien

    So Brian, your wife OK with you hearing her voice mails?

    🙂
