The recent phone hacking scandal, where reporters from Rupert Murdoch’s News of the World were accused of illegally accessing the voicemails of thousands of people including politicians, members of the royal family, the families of soldiers killed in Afghanistan, and terror victims, has grown into a sordid, drawn-out affair resulting in the closure of the newspaper, the arrest of editor Rebekah Brooks, and the resignation of the head of London’s Metropolitan Police. The latest in an international string of “hacking” news such as attacks by LulzSec and Anonymous, the scandal once again brings the threat of information theft and espionage into the news. But what is phone hacking, and how can individuals and organizations defend against such attacks?
Though the media fixates on shadowy, mysterious, all-powerful hackers, unathorized entry into somebody’s voicemail account is usually shockingly easy. When you call your own number or an external number provided by the phone company, you reach your mailbox. All it takes to gain access to another’s messages it to convince the phone that you are its owner. This is usually determined by your caller ID, which can easily be spoofed using Voice Over IP and a bit of code. According to hacker turned security expert Kevin Mitnick, “Any 15-year-old that knows how to write a simple script can find a VoIP provider that spoofs caller ID and set this up in about 30 minutes. If you’re not adept at programming, you could use a spoofing service and pay for it.”
The journalists accused of phone hacking are alleged to have used an even simpler method. Calling the external voicemail number, they had to input a PIN to prove that the the messages they wanted to play were theirs. The majority of cell phone owners, however, keep their default PINs, which are either the last 4 digits of your phone number or a combination that can easily be found online.
Voice mailboxes are targets of opportunity, and most phone hacking could be prevented by first setting your phone to require a PIN when remotely accessing voice mail, and making that PIN as strong as possible. This should come as no surprise, as most attacks can be prevented through information security basics and common sense measures. Looking back at LulzSec’s initial online rampage, for example, most of their attacks were very simple, exploiting reused passwords or SQL injections. While a case can be made for stronger security from the telec0ms surrounding voicemail, just like LulzSec and most criminal hackers, the News of the World journalists leveraged the most basic human failures rather than zero-day exploits on high-end security software. This scandal, and all the nastiness that surrounds it, is a good reminder to prioritize the basics of information systems security, like strong passwords, constant patching, and user vigilance.