Mobile Phone Theft: An unsolvable problem?

Last night I gave a talk as part of Oxford University’s Information Security and Privacy Programme. I decided to talk about the problem of mobile phone theft as it is something I have been involved in tackling for a number of years, mainly on the handset security side. I still work with the UK Police now on some of these issues. It really is an increasing issue that doesn’t look to have an obvious solution. Future technologies will provide another incentive to steal a device, so it is clear that further effort must be put into addressing theft. There are many different reasons why someone would want to steal a phone, and many things they might subsequently do with it. On the industry side, network operator customer service management is difficult, particularly when people are lying to you. Getting all network operators in the world to share accurate information with the Central Equipment Identity Register (CEIR) is a tough call, even if they were interested in doing it in the first place.

I got some great feedback on Twitter when I said I was going to give this talk. Two in particular stood out – @realbelahzur wrote this blog and focused on one particular aspect – the theft of service, how far a network operator has to go and the responsibility a user must also take in keeping their own property safe. @paul_clarke pointed me at his blog about his experience of blocking and unblocking a phone.

The slides and notes from the presentation are re-posted here. Please feel free to tweet me and leave comments on your theft experiences and ideas for helping to deal with / manage the problem.

View more presentations from David Rogers.

Phone hacking – the quick synopsis of my longer blog

This is the very quick version of my much longer blog:

Voicemail hacking and the ‘phone hacking’ scandal – how it worked, questions to be asked and improvements to be made

In brief, there are three main mechanisms for illicitly accessing voicemail. Firstly, social engineering the call centre to reset or change the PIN for you can serve as a precursor to one of the following: 1) calling the remote voicemail number and accessing it using the default (or acquired) PIN, 2) ringing the actual phone and going into the voicemail menu by pressing the * key, or 3) using an advanced mechanism to fool the phone into opening up the voicemail. Some loopholes still exist, and as technology evolves new ones will emerge.

This is not ‘phone hacking’. It is illicit or illegal access to voicemail.

The mobile operators are coming under some pressure from the Home Affairs Select Committee, led by Keith Vaz. Both the Police and network operators will have responsibilities in terms of their actions over the affair, although the operators took the Police lead on what to do. It is unlikely that the full list of victims will ever emerge as the data has likely been deleted after all this time.