As the News of the World scandal in the United Kingdom showed, it is fairly easy to tap into voicemail messages and does not require very sophisticated methods.
The techniques used by the staffers at News of the World to listen
in on thousands of voicemail messages were fairly low-tech, but voicemail fraud
is a growing problem, experts said.
Rival-publication The Guardian revealed July 5 how employees
of the United Kingdom-based tabloid News of the World illegally accessed
voicemail messages of celebrities, royal family members and regular citizens.
In the resulting furor, parent company News Corp announced July
7 it will shut down the tabloid. Prime Minister David Cameron announced two
separate inquiries into the allegations will begin after the police conclude
their current investigation. As many as
4,000 people may have been targeted by the paper.
What the News of the World staffers did was not actually
hacking in the strictest sense, as they just illegally logged into other
people's voicemail systems and used a very rudimentary method to do so. Many
voicemail systems are set up to be accessible just by calling the user's number
directly, and then entering the PIN code.
Other systems use a different number that users can call for
the express purpose of remotely retrieving voicemail messages. With the correct
phone number and a shortlist of potential PIN codes
in hand, it's easy to break
into the system and access messages, Nir Simionovich, chief architect at
Israel-based Humbug Telecom Labs, told eWEEK.
"Voicemail systems were created to be very simple, to
be used by Joe Everybody," Simionovich said. Thus there isn't a lot of
security built-in. Security usually just consists of a four-to-six digit PIN
, and not all voicemail systems require them, he noted.
People tend to use repeating numbers as their passcode, or a
date-based combination, such as they year they were born in or their birthdays,
Simionovich said, "making thousands of possible combinations
redundant." This type of voicemail fraud, where the perpetrators are
trying to access messages, usually relies on brute-force attempts to find the
PIN, according to Simionovich. With between 300 to 400 combinations being the
most likely codes, it usually takes attackers only a few minutes, he said.
For the News of the World, it was even easier because many
users never changed the PINs from the default code that cellular carriers set,
according to news reports.
"You would never even think that someone could access
your voicemail by just dialling a number and entering a well-known default PIN,"
David Rogers, a mobile phone security expert, wrote on the Sophos NakedSecurity
If the codes couldn't be brute forced, social engineering
tricks may be employed, Rogers said, such as calling the cellphone providers
and pretending to be the users while requesting that the access codes be reset
to the default.
However, there are other forms of voicemail fraud, such as
hacking corporate PBX systems to initiate outbound calls to premium numbers and
eavesdropping on phone conversations, Simionovich said. Software that can sniff
out phone conversations is readily available online, he said, noting that
they'd been originally developed for legitimate purposes. Cellular networks
aren't entirely secure, as conversations can still be intercepted.
There are more than 15 different methods alone to unlock a
PBX, Simionovich said, and there are "new methods discovered every
Enterprises can check their PBX settings to make sure unused
features were not enabled by default, Simionovich said. If the company does not
need employees to make outgoing calls from the voicemail system, that should be
turned off, for example. Simionovich also recommended that companies take
advantage of a feature that instantly emails voice messages to user Inboxes as
sound files and deletes from the PBX. That way, if miscreants did
somehow get into the PBX or the user's voicemail, they'll find no messages to
listen to, he said.
Cellular users will need to rely on their carriers to make
security changes across the board, Simionovich said. Not setting default codes
is one step. Britain's major cellphone companies appear to have some measures
in place. Orange, Three and T-Mobile no longer provide default voicemail pass
codes and O2 and Vodafone will set codes only on devices they sell. Vodafone also
alerts customers if three failed attempts are made to enter the number and O2
locks voice mail services.
According to the Communications Fraud Control Association
2009 Global Fraud Loss Survey, global fraud loss is estimated to be between $72
billion and $80 billion annually and PBX/voicemail fraud accounts for about a
fifth of that, or about $15 billion. Simionovich did not attempt to break out
how much each type of fraud cost.
London's Metropolitan Police said its News of the World
investigation was focused on "the illegal interception of messages relayed by
telecommunications that were not intended for the person who has intercepted