Feeds

Reg probe bombshell: How we HACKED mobile voicemail without a PIN

Months after Leveson inquiry, your messages are still not secure

Secure remote control for conventional and virtual desktops

Special report Voicemail inboxes on two UK mobile networks are wide open to being hacked. An investigation by The Register has found that even after Lord Leveson's press ethics inquiry, which delved into the practice of phone hacking, some telcos are not implementing even the most basic level of security.

Your humble correspondent has just listened to the private voicemail of a fellow Reg journalist's phone, accessed the voicemail inbox of a new SIM bought for testing purposes, and the inbox of someone with a SIM issued to police doing anti-terrorist work. I didn’t need to use nor guess the login PIN for any of them; I faced no challenge to authenticate myself.

There was a lot of brouhaha over some newspapers accessing people's voicemail without permission, but one of the strange things about it all is that at no stage have any fingers been pointed at the mobile phone networks for letting snoops in. And some doors are still open.

Photo by Keven Law

Charlotte Church ... tabloid tapped her inbox (source)

It's believed the infiltrated inboxes merely had default PINs, or passcodes that were far too easy to guess, allowing eavesdroppers to easily drop by. People were urged to change their number codes for their voicemail, but, as we shall see, that advice is useless – you simply don't need to know a PIN to listen to someone's messages.

Going down the rabbit hole

The login flaw was discovered during development work I was doing on a virtual mobile phone network that's aimed at folks who struggle with modern technology: it allows, for example, an elderly subscriber to ring up a call centre and ask to be put through to a friend or relative, rather than flick through a fiddly on-screen contacts book.

In this case, the operator makes the connection between the subscriber and the intended receiver, but the "calling line identification" (CLI) shown at the receiving end is that of the subscriber and not of the call centre. CLI is the basis of caller ID in the UK, but it's a bit of a misnomer because it can be changed as required.

I’d long suspected that miscreants were hacking voicemail by spoofing their CLIs to fool the phone system into thinking it was the handset collecting the messages – but surely that's too easy? It is trivial to set an arbitrary CLI when making a call. I had to find out if voicemail systems were vulnerable to spoofing.

I was emboldened by an email from Register reader Sebastian Arcus, who had set up some software for making voice calls over the internet (VoIP in other words) using his mobile phone number, and was surprised that he was able to collect his voicemail from his VoIP client without having to hand over an access PIN. I was further goaded in a chat in the pub with a Reg colleague, who bet me I couldn’t hack his voicemail. I should’ve asked for money to back that one up.

How it should work and how it falls apart

If you call your voicemail service from a handset linked to the account, you go through to your message inbox without the need to enter a PIN, presumably as a convenience. Use any other phone and you are asked for a PIN access code. If there is no PIN set, you don’t get to the voicemail. So far, so good.

The special sauce here is how does the mobile phone network know which phone you are calling from? The easy way is to look at the CLI sent when establishing a call.

Unfortunately, as our reader found out, this caller identification isn’t at all secure and can be spoofed, so we looked at Three, EE (and Orange), O2 and Vodafone.

Beginner's guide to SSL certificates

More from The Register

next story
UK smart meters arrive in 2020. Hackers have ALREADY found a flaw
Energy summit bods warned of free energy bonanza
DRUPAL-OPCALYPSE! Devs say best assume your CMS is owned
SQLi hole was hit hard, fast, and before most admins knew it needed patching
Feds seek potential 'second Snowden' gov doc leaker – report
Hang on, Ed wasn't here when we compiled THIS document
Mozilla releases geolocating WiFi sniffer for Android
As if the civilians who never change access point passwords will ever opt out of this one
Why weasel words might not work for Whisper
CEO suspends editor but privacy questions remain
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
prev story

Whitepapers

Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Top 5 reasons to deploy VMware with Tegile
Data demand and the rise of virtualization is challenging IT teams to deliver storage performance, scalability and capacity that can keep up, while maximizing efficiency.
Mitigating web security risk with SSL certificates
Web-based systems are essential tools for running business processes and delivering services to customers.