Feeds

Reg probe bombshell: How we HACKED mobile voicemail without a PIN

Months after Leveson inquiry, your messages are still not secure

Security for virtualized datacentres

What Three and EE must do next

There is a lot that the two networks could do. Using CLI, or at least CLI alone, is shoddy. As a telco, they get all the necessary signalling information to know if the call is coming from their network or another one. This is true even if the handset is roaming, not least so that they can charge you for the call. Networks are never shy of charging for calls. They can also look at the Home Location Register (HLR) and see if the phone calling them is actually in a call.

By using these techniques they don’t have to resort to the Vodafone system of always asking you for your number and a PIN when you call the long voicemail collection number, but they could be sure that you are who you say you are. The network also gets the cell tower ID and IMEI of the incoming call. Now these are different systems, but linking the two together would be belt and braces.

We approached Three about this, and a spokesman said: "The advice we've always given customers about security is to mandate their PIN. This is particularly so for people who worry that if a phone is stolen, it might be used to access their voicemail. This advice is given under the voicemail security pages of the Three website."

Meanwhile, EE wanted to reassure its customers that it is investigating and systems are being updated to mitigate this technical issue. EE also gave us this statement"

First and foremost it’s illegal to access a voicemail account without the owner’s permission. If any customer has concerns about voicemail security we would advise them to follow a few simple steps on their device and set up PIN entry.

Comment

The mobile phone networks are more than missing a trick. While they complain about how the over-the-top players, such as WhatsApp and Skype, are stealing their lunch money, they do have one thing no one else can offer: complete control over the signalling and voice path. They could offer security at a level that would command a significant premium and yet they leave the door keys under the flower pot. ®

Beginner's guide to SSL certificates

More from The Register

next story
FYI: OS X Yosemite's Spotlight tells Apple EVERYTHING you're looking for
It's on by default – didn't you read the small print?
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
NOT OK GOOGLE: Android images can conceal code
It's been fixed, but hordes won't have applied the upgrade
Edward who? GCHQ boss dodges Snowden topic during last speech
UK spies would rather 'walk' than do 'mass surveillance'
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
prev story

Whitepapers

Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.