UK Newspaper Scandal Shows How It's Easy to Tap Into Phone Mailboxes

As the News of the World scandal in the United Kingdom showed, it is fairly easy to tap into voicemail messages and does not require very sophisticated methods.

The techniques used by the staffers at News of the World to listen in on thousands of voicemail messages were fairly low-tech, but voicemail fraud is a growing problem, experts said.

Rival-publication The Guardian revealed July 5 how employees of the United Kingdom-based tabloid News of the World illegally accessed voicemail messages of celebrities, royal family members and regular citizens.

In the resulting furor, parent company News Corp announced July 7 it will shut down the tabloid. Prime Minister David Cameron announced two separate inquiries into the allegations will begin after the police conclude their current investigation. As many as 4,000 people may have been targeted by the paper.

What the News of the World staffers did was not actually hacking in the strictest sense, as they just illegally logged into other people's voicemail systems and used a very rudimentary method to do so. Many voicemail systems are set up to be accessible just by calling the user's number directly, and then entering the PIN code.

Other systems use a different number that users can call for the express purpose of remotely retrieving voicemail messages. With the correct phone number and a shortlist of potential PIN codes in hand, it's easy to break into the system and access messages, Nir Simionovich, chief architect at Israel-based Humbug Telecom Labs, told eWEEK.

"Voicemail systems were created to be very simple, to be used by Joe Everybody," Simionovich said. Thus there isn't a lot of security built-in. Security usually just consists of a four-to-six digit PIN code, and not all voicemail systems require them, he noted.

People tend to use repeating numbers as their passcode, or a date-based combination, such as they year they were born in or their birthdays, Simionovich said, "making thousands of possible combinations redundant." This type of voicemail fraud, where the perpetrators are trying to access messages, usually relies on brute-force attempts to find the PIN, according to Simionovich. With between 300 to 400 combinations being the most likely codes, it usually takes attackers only a few minutes, he said.

For the News of the World, it was even easier because many users never changed the PINs from the default code that cellular carriers set, according to news reports.

"You would never even think that someone could access your voicemail by just dialling a number and entering a well-known default PIN," David Rogers, a mobile phone security expert, wrote on the Sophos NakedSecurity blog.

If the codes couldn't be brute forced, social engineering tricks may be employed, Rogers said, such as calling the cellphone providers and pretending to be the users while requesting that the access codes be reset to the default.

However, there are other forms of voicemail fraud, such as hacking corporate PBX systems to initiate outbound calls to premium numbers and eavesdropping on phone conversations, Simionovich said. Software that can sniff out phone conversations is readily available online, he said, noting that they'd been originally developed for legitimate purposes. Cellular networks aren't entirely secure, as conversations can still be intercepted.

There are more than 15 different methods alone to unlock a PBX, Simionovich said, and there are "new methods discovered every month."

Enterprises can check their PBX settings to make sure unused features were not enabled by default, Simionovich said. If the company does not need employees to make outgoing calls from the voicemail system, that should be turned off, for example. Simionovich also recommended that companies take advantage of a feature that instantly emails voice messages to user Inboxes as sound files and deletes from the PBX. That way, if miscreants did somehow get into the PBX or the user's voicemail, they'll find no messages to listen to, he said.

Cellular users will need to rely on their carriers to make security changes across the board, Simionovich said. Not setting default codes is one step. Britain's major cellphone companies appear to have some measures in place. Orange, Three and T-Mobile no longer provide default voicemail pass codes and O2 and Vodafone will set codes only on devices they sell. Vodafone also alerts customers if three failed attempts are made to enter the number and O2 locks voice mail services.

According to the Communications Fraud Control Association 2009 Global Fraud Loss Survey, global fraud loss is estimated to be between $72 billion and $80 billion annually and PBX/voicemail fraud accounts for about a fifth of that, or about $15 billion. Simionovich did not attempt to break out how much each type of fraud cost.

London's Metropolitan Police said its News of the World investigation was focused on "the illegal interception of messages relayed by telecommunications that were not intended for the person who has intercepted them."