Mobile phone hacking – a warning to all

Posted on July 7, 2011. Filed under: security | Tags: , , , , , , , , |

In the UK we are currently undergoing a media frenzy about “mobile phone hacking” – unauthorised access to voicemail. Firstly, the rant – IT’S NOT HACKING! (well technically it is – but it’s not some fancy complicated technical attack requiring specialist knowledge and equipment).

A lot of people are under the impression that mobile phone voicemail is only accessible from the mobile phone itself and some may even believe that messages are stored on the phone. In fact, messages are recorded at the mobile network providers’ data centres and played back over the network when the user dials in to pick them up. It isn’t even necessary to have access to the mobile phone itself to get access to someone’s voicemail account – dialling their number while the phone is off or busy on another call results in call diversion so a message can be left, and this is where the “hack” can start. By pressing the right key sequence during the “please leave a message” welcome message, anyone can get to the menu which allows voicemail to be played back. It’s a feature designed to let users listen to their messages from anywhere in the world, whether their phone is working or not, and is genuinely useful – but it creates a backdoor through which messages can be accessed.

Of course, a PIN is required to gain access to the mailbox but many people leave the default PIN on their account, and these are very well known – most are published on the network providers’ websites or are available in the manuals available with any phone or SIM from the provider. In other cases, PINs can be guessed in the same way as passwords by doing a little bit of background research to find out things like birthdays of relatives, friends or pets, other significant dates or registration numbers of cars. Other methods, like social engineering – where carefully crafted questions and behaviour are used to get the target to reveal their PIN or even just “shoulder surfing” (watching someone enter their PIN while they listen to their messages) can be very successful too.

However the PIN is obtained, once the attacker has it, they have full control of the voicemail system and can listen to and delete messages at will.

For some users this could lead to personal data being disclosed, while for businesses it could be used to discover sensitive material.

If you don’t need voicemail, turn it off. If you do need it – don’t use the default PIN, use a number which isn’t associated with anything that is obviously connected to you – and change it regularly. Avoid obvious PINs like 1111, 1234, 9999 and so on – treat it like the PIN for your bank card, it could have similar value to someone who wants to spy on you. The same rules also apply to the answering machine on your land line – most of them have remote access capabilities so anyone who dials your number could listen to your messages if they can guess the access code.

Get into the habit of checking your voicemail. If you regularly seem to be receiving messages without the network telling you that they’re waiting, it could be an indication that someone else is listening to them. Don’t store sensitive messages on the server for too long either. Delete them as soon as you can.

If you’re going to leave a message for someone – don’t disclose any sensitive material, or better yet send a text message. SMS is far more difficult to intercept without legal authority.

Of course, there is another way to access voicemail – but that does require some technical skill and access to right equipment. It would be unprofessional of me to describe it here though. Suffice to say that OFCOM take an interest in anyone trying to offer the service commercially.

n-gate ltd.

Read Full Post | Make a Comment ( None so far )

New year, new technology

Posted on January 31, 2010. Filed under: 1, life | Tags: , , , , , |

Well, not strictly new technology for the new year since I actually got the latest toy back in November.

It’s a Palm Pre to replace my venerable Palm Centro which finally succumbed to one too many attempts to fix the keyboard problems I was having with it (took ages to break it properly 😉 )

The Pre is a bit of revelation for someone like me who usually travels with at least one laptop so I can check e-mail and write on the move. As a challenge, I took just the Pre and a notepad on a trip to London a couple of weeks ago. Apart from the battery taking a hammering and dropping rapidly on the train due to low signal strength and too much checking of e-mail and web while listening to Led Zeppelin (yes, iPhone fans – the Pre MULTI-tasks, it really can do several things at once) – it performed pretty much flawlessly. GPS worked well and Google Maps allowed me to find BCS HQ in London without any problems – no wrong turns, no drama. E-mail worked well on GPRS, 3G and in-train WiFi. Phone calls were made by clicking on numbers found on web pages and in e-mails.

This is the device I’ve been waiting for. Finally, smart-phones make proper sense to me. Now, if only they could sort out the battery life issue it would become a device for road-warriors. As it is, for someone like me who tend to stay behind a desk it works well as a portable cloud access device. The Touchstone inductive charger means I can just drop the Pre onto it’s little stand whenever I don’t need it in my pocket and it’s always ready to go. I’ve even found myself using it to stream radio (Motel California on Accuradio mostly) and play video (The Italian Job) in preference to using one of the big boxes that live under the desk.

Roll on WebOS 1.4 which is supposed to improve battery life, enable the GPU for 3D gaming and faster screen access and bring Flash to the mobile world at last.

Now, if I could just control it from my car stereo the way we can with Shirley’s iPod nano…

Read Full Post | Make a Comment ( 2 so far )

    About

    This is the weblog of Angus M. Marshall, forensic scientist, author of Digital Forensics : digital evidence in criminal investigations and MD at n-gate ltd.

    RSS

    Subscribe Via RSS

    • Subscribe with Bloglines
    • Add your feed to Newsburst from CNET News.com
    • Subscribe in Google Reader
    • Add to My Yahoo!
    • Subscribe in NewsGator Online
    • The latest comments to all posts in RSS

    Meta

Liked it here?
Why not try sites on the blogroll...

%d bloggers like this: