Reg probe bombshell: How we HACKED mobile voicemail without a PIN
Months after Leveson inquiry, your messages are still not secure
Special report Voicemail inboxes on two UK mobile networks are wide open to being hacked. An investigation by The Register has found that even after Lord Leveson's press ethics inquiry, which delved into the practice of phone hacking, some telcos are not implementing even the most basic level of security.
Your humble correspondent has just listened to the private voicemail of a fellow Reg journalist's phone, accessed the voicemail inbox of a new SIM bought for testing purposes, and the inbox of someone with a SIM issued to police doing anti-terrorist work. I didn’t need to use nor guess the login PIN for any of them; I faced no challenge to authenticate myself.
There was a lot of brouhaha over some newspapers accessing people's voicemail without permission, but one of the strange things about it all is that at no stage have any fingers been pointed at the mobile phone networks for letting snoops in. And some doors are still open.
It's believed the infiltrated inboxes merely had default PINs, or passcodes that were far too easy to guess, allowing eavesdroppers to easily drop by. People were urged to change their number codes for their voicemail, but, as we shall see, that advice is useless – you simply don't need to know a PIN to listen to someone's messages.
Going down the rabbit hole
The login flaw was discovered during development work I was doing on a virtual mobile phone network that's aimed at folks who struggle with modern technology: it allows, for example, an elderly subscriber to ring up a call centre and ask to be put through to a friend or relative, rather than flick through a fiddly on-screen contacts book.
In this case, the operator makes the connection between the subscriber and the intended receiver, but the "calling line identification" (CLI) shown at the receiving end is that of the subscriber and not of the call centre. CLI is the basis of caller ID in the UK, but it's a bit of a misnomer because it can be changed as required.
I’d long suspected that miscreants were hacking voicemail by spoofing their CLIs to fool the phone system into thinking it was the handset collecting the messages – but surely that's too easy? It is trivial to set an arbitrary CLI when making a call. I had to find out if voicemail systems were vulnerable to spoofing.
I was emboldened by an email from Register reader Sebastian Arcus, who had set up some software for making voice calls over the internet (VoIP in other words) using his mobile phone number, and was surprised that he was able to collect his voicemail from his VoIP client without having to hand over an access PIN. I was further goaded in a chat in the pub with a Reg colleague, who bet me I couldn’t hack his voicemail. I should’ve asked for money to back that one up.
How it should work and how it falls apart
If you call your voicemail service from a handset linked to the account, you go through to your message inbox without the need to enter a PIN, presumably as a convenience. Use any other phone and you are asked for a PIN access code. If there is no PIN set, you don’t get to the voicemail. So far, so good.
The special sauce here is how does the mobile phone network know which phone you are calling from? The easy way is to look at the CLI sent when establishing a call.
Unfortunately, as our reader found out, this caller identification isn’t at all secure and can be spoofed, so we looked at Three, EE (and Orange), O2 and Vodafone.