Feeds

Reg probe bombshell: How we HACKED mobile voicemail without a PIN

Months after Leveson inquiry, your messages are still not secure

The Power of One eBook: Top reasons to choose HP BladeSystem

What Three and EE must do next

There is a lot that the two networks could do. Using CLI, or at least CLI alone, is shoddy. As a telco, they get all the necessary signalling information to know if the call is coming from their network or another one. This is true even if the handset is roaming, not least so that they can charge you for the call. Networks are never shy of charging for calls. They can also look at the Home Location Register (HLR) and see if the phone calling them is actually in a call.

By using these techniques they don’t have to resort to the Vodafone system of always asking you for your number and a PIN when you call the long voicemail collection number, but they could be sure that you are who you say you are. The network also gets the cell tower ID and IMEI of the incoming call. Now these are different systems, but linking the two together would be belt and braces.

We approached Three about this, and a spokesman said: "The advice we've always given customers about security is to mandate their PIN. This is particularly so for people who worry that if a phone is stolen, it might be used to access their voicemail. This advice is given under the voicemail security pages of the Three website."

Meanwhile, EE wanted to reassure its customers that it is investigating and systems are being updated to mitigate this technical issue. EE also gave us this statement"

First and foremost it’s illegal to access a voicemail account without the owner’s permission. If any customer has concerns about voicemail security we would advise them to follow a few simple steps on their device and set up PIN entry.

Comment

The mobile phone networks are more than missing a trick. While they complain about how the over-the-top players, such as WhatsApp and Skype, are stealing their lunch money, they do have one thing no one else can offer: complete control over the signalling and voice path. They could offer security at a level that would command a significant premium and yet they leave the door keys under the flower pot. ®

Designing a Defense for Mobile Applications

More from The Register

next story
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.