t-mobile

Voicemail hacking and the ‘phone hacking’ scandal – how it worked, questions to be asked and improvements to be made

mobilephonesecurity93684333131 Comments

A few people have asked me to explain what the whole phone hacking thing means. The first thing to mention is that the phone hacking episode has nothing at all to do with actual ‘phone’ hacking. It is actually illicit voicemail access. Access can be gained by using some technical knowledge and or tools, but on the whole it is through system and process weaknesses.

Eric Jones [CC-BY-SA-2.0 (www.creativecommons.org/licenses/by-sa/2.0)], via Wikimedia Commons

The second thing to mention is, this is a very long blog post. So either go and make yourself a coffee before reading this, or if you don’t have time, read the really quick short version of this I’ve created.

It’s quite clear from the press and revelations that illicit voicemail access has been a practice which has been exercised for a long time. I was speaking to a former journalist last night who told me of a private detective who would run through a checklist in a real matter-of-fact way – “so we’ll do the bins, do the phones”. The prices quoted were extremely low too.

Attack mechanisms

What I’ve tried to do is break down some of the methods to access the voicemail a bit. I should also add that nearly all of these methods and avenues of attack have been shutdown by the mobile operators, although as you will see in one case, issues remained in March of this year.

A word on default PINs

Default PINs are used as ‘origin’ protection and unfortunately, time and time it is proven to fail because it relies on a secret that is shared amongst almost every customer. Without forcing a user to change a default PIN, chances are it will remain the same. Also, the option was available (and is still the case in many instances) to not use a PIN, which is the preferred option for nearly every customer because of increased convenience. Let’s be honest, for 99% of customers this also the sensible option because their convenience needs outweigh their security needs.

Let’s have a look at some historical advice and information on default PINs from websites that kept the info. I like the advice on Yabedo in particular:

I quote. For Orange:

“You require a voicemail pincode, when you use a normal fixed line to retrieve your Voicemail messages as the network cannot not give you direct access.
Instead you will be requested to enter a valid pincode. 
This pincode prevents unauthorised access to your Voicemail messages.

How do I know what my voicemail pincode is?
If you have never used or changed your voicemail pincode it will be set to the default 1111.”

Nice.

For Vodafone:

Note: Obvious pincodes like 0000, or 1111 are not accepted by Vodafone. If your PIN number is 3333 (default PIN number) you will need to change it otherwise we cannot deliver your greeting.

Try to enter something memorable like a birthday e.g.: 08 Jan (0801).”

Impressive, good job I know that celebrity’s birthday! – oh yes, and the default.

Here’s O2:

“How do I know what my voicemail pincode is?
If you have never used or changed your voicemail pincode it will be set to the default 8705.”

Thanks 😉

and where have I seen this before?

(Or your new pincode, if you have already changed from 8705)
Then select 6 (to change your pincode)
Follow the instructions, to enter your new pincode.”

“We recommend you use a memorable number like a birthday (e.g. 12th May = 1205).”

!!!

OK, so maybe T-Mobile / Virgin are better?

“If you have never used or changed your voicemail pincode it will be set to the default pincode 1210.”

Hmm.. How about if I want to change my PIN?

“Enter your new pincode followed by the # key. 

Your new Voicemail pincode will be saved.

You can immediately use this new pincode to transfer your new greeting. 
We recommend you use a memorable number like a birthday (e.g. 30th Dec = 3012).”

Agh!!

So you get the general idea. There are numerous examples of this across the web for different network operators, it really was (and I emphasise was because a lot of what we’re talking about is historical) an absolute disaster waiting to happen from a security perspective. In the government select committee hearing mentioned below, the Everything Everywhere representative stated that T-Mobile had a default PIN prior to 2002 for remote access to voicemail. It’s not clear when the others changed, but it would be interesting to know when and why the access rules were changed.

Remote Access to Voicemail

From the reports, it seems that most of the hacking (that was detectable at least) came through calling the remote voicemail access number for that particular network operator (again obviously public on the web). You then enter the number of the phone you need to access and it’s PIN and you’re in. The key issue here is that if the user hadn’t changed their PIN from the default (and why would they?), they wouldn’t know that their voicemail was wide open. There would be no SMS notification that the voicemail had been remotely accessed. The victim would be using their own voicemail without a PIN, dialling in from their own phone – the PIN was only necessary from a ‘remote’ number. This is the real flaw.

I just want to get you thinking for a moment, do we as consumers really need this as a service?

Calling the victim’s phone

One method that has been documented as being used is to call the phone itself and then access the voicemail.

Why don’t you try it on your own mobile phone? Dial your own number, wait for the voicemail message to start telling you you’re not available, then press the * key – you should be prompted to enter your your voicemail PIN. If you haven’t setup a PIN, does it still ask you for one? It probably should and it probably shouldn’t be a default PIN from the ones lying around the internet as previously mentioned. Have a play around to check for yourself. The PIN attempts should lock out fairly quickly and after a certain number of attempts you should now get an SMS explaining that. These mechanisms were all put in place (some of them very recently) to help protect against illicit voicemail access.

In my view, it’s probably time this function was turned off. It’s marginally handy as a feature (as is the remote access number above), but ask yourself, have you ever used it? If it’s significantly more beneficial to an attacker, it’s probably better for the network operators to disable it. (Please leave comments below if you use these features regularly and disagree with me!)

Caller ID Spoofing

So what if you could change your phone number so it appears as something else? i.e. your victim’s own number? This is one mechanism that has been used recently and has been an ongoing issue for a while in some parts of the world. The attack fools the phone into thinking it is the handset calling the voicemail service and therefore allows voicemails to be listened into (and also recorded). I originally intended to provide some technical details on how this actually works, but given that this is probably still an existing issue, it probably wouldn’t be responsible to do that. Here is some press from the Netherlands on a recent demonstration of this ability to get voicemails against members of the Dutch Parliament in March 2011 and Vodafone’s subsequent fix. There are also even applications available for one well-known mobile platform to spoof the caller ID.

Social Engineering

In most of the cases above, you will need access to the actual PIN number or get it reset to a known default.

Social engineering allegedly played a large part in the voicemail ‘phone hacking’ affair. This is where network operator security controls are brought into focus. These controls were not as robust as they could be for a long time. Rumours in the mobile industry abound about authentication between call centres being extremely poor and internal PINs and passwords continuing to be used for months on end. This has been a problem in general for call centres of all types for years as this article from 2006 explains. The two types that could have been used here were social engineering the call centre employees (as another staff member) and impersonating the victim. The main reason to use social engineering would be for ‘resetting’ pins – to the default numbers that operators used to enable the attacker to remotely access someone’s voicemail. As a victim, if you weren’t using remote access to your voicemails, you weren’t going to get asked for it when you dialled your voicemail from your own handset, so wouldn’t actually know that anything had happened (big security hole here).

With social engineering, most of the attacks are multi-stage. The attacker first needs to get enough information on you to get them to the next stage. It may be something like your gas bill with account details and your address on, or some details about the place where you work. Once an attacker has gained some information to prove legitimacy, they can begin the real social engineering process. This article isn’t about that, but I wanted to just give a bit of explanation for context. Another thing to think about, if someone is determined to get information about you, they will get it. For the majority of people, that will never be a problem in their life, but for anyone who crosses the media radar this has been and sadly will still be a problem.

For further reading, have a look at Kevin Mitnick’s Art of Deception .

Analysis

So now I’ve talked about the actual mechanisms involved, what is happening in the mobile industry and what direction will this take next?

What the network operators have to say

By Maurice from Zoetermeer, Netherlands (The British Parliament and Big Ben) [CC-BY-2.0 (www.creativecommons.org/licenses/by/2.0)], via Wikimedia Commons

When the operators gave evidence to the Home Affairs select committee session on Unauthorised Tapping into or Hacking of Mobile Communications on the 14th of June 2011, more details emerged on how victims were identified by the operators. Vodafone’s Julie Steele explained that the Police had given them details of suspect numbers. These were then checked to see if they had dialled any [remote] voicemail numbers. They then worked out that on Vodafone there were 40 victims. In total, the operators together identified just over 100 victims [note: at 15:00 on the day of writing, Channel 4 news are quoting the police as saying there are now 4000 potential victims].

During this session, members of the committee were most interested in how the operators had acted in contacting the victims. Only O2 had proactively gone out and told victims they had been hacked. I personally think this is an issue of miscommunication more than anything else. The Met’s John Yates had “assumed” that the operators were going to contact the victims, the operators probably assumed that the Police would do that. This was also confused by the fact that the Police had originally specifically asked them not to contact the affected customers, Overall, they both had a responsibility to do it but should have been more coordinated because quite rightly, the operators were taking the lead from the Police because they could have accidentally prejudiced the inquiry. The Police also didn’t respond to some letters from operators.

From the responses during the session, it appears that the Police didn’t fully brief the operators on who they thought / knew were affected. In fact, it could be argued that the Police sent the operators on a ‘fishing trip’ to try and work out potential victims for them based on the calls that suspects had made to voicemail numbers on their networks. This was the Police’s job to do really – once they had the raw call records they could analyse the data.

The session revealed much of what I have described in this post, that having a PIN at all was optional prior to the original investigation, that measures have been put in place to make the whole system and call centres more robust. O2’s Adrian Gorham appears to have performed in the most knowledgeable way with James Blendis (in my opinion) looking like he was way out of his depth.

With revelations coming out daily on the number of ‘normal’ people who could have been targeted, even murder victims and relatives of soldiers who have died – the problem now for all of us is that most of the evidence is likely to be lost. The call records that the police directly asked for six years ago, related to specific known suspect handsets and therefore linked to victims they have, but other information will have been deleted, as acknowledged to the select committee. We may end up only having the information from Glen Mulcaire’s notebook which Michael Meecher said in the House of Commons on the 6th of July was about 11000 lines of information. The complexities of prosecution are not to be ignored either. The Police had to be careful about how they approached the issue, especially with the definition of ‘interception’ – because voicemails that had already been listened to can’t really be described as such. A technicality, but an important one nonetheless.

In the commons debate on the 6th, Keith Vaz, the Chair of the Home Affairs select committee again brought up the role of mobile operators. I can see where he is heading. My view – yes, they were caught napping, but can we really lay the blame on the operators? I don’t think it is fair to do this because at the end of the day, somebody willfully and criminally accessed the systems and processes to get that information. Once the operators found out, they did put systems in place to prevent it happening again (with the caveat of my suggestions above).

Specifically on the call centre issue, it should be said that they have high staff turnover anyway so this is always going to be a weak point for security and to be fair, the operators are pretty robust about dealing with staff trying to re-sell SIM unlock codes or snooping into celebrity accounts.

Summary

There will always be people who want to listen in to the calls or messages of others illegally and we must remember that this has happened in the past and it will happen again. A Reuters article explored the area recently (although I don’t agree with everything Karsten Nohl says in it).

Techniques for illicitly getting access to information about people are always developing and the problem is not going to go away. Network operators need to go a step further in relation to voicemail access themselves. They should not just look at fixing the procedural flaws and loopholes that allow voicemails to be accessed, they should question the whole provision of any form of remote access to voicemail. How many people use it and could it be killed off if it ultimately cuts off this avenue of attack? I would argue that it is a step worth taking. The fraud and security departments can then concentrate on hampering the other techniques through further technical validation.

If I was on the Home Affairs select committee, I would be asking the following questions of the network operators:

1) Did mobile network operators consider that this was a widespread activity and therefore complete a full review of remote access to voicemails of (as a starting point) high-profile individuals, that were not directly related to the ‘suspect’ numbers given by the Police?
2) Given the seriousness of the investigation and the potential for many, many other customers to have been breached from phones as yet unknown, why was all data on external voicemail accesses not retained as potentially pertinent to the investigation? *

* Note: I do realise how much data that is by the way!

and the following questions of the Police:

1) Given where the evidence was leading, were other reporters’ call records checked to see whether they had accessed any voicemail remotely?
2) Were any other private investigators linked to national newspapers questioned over the methods they use to gather information?

So this is the longest blog post I’ve written (and hope to write for a long time!). Thankyou for reading this far and please do feel free to leave your thoughts and comments (and any corrections!).

Bootnote: As a lot of news is being published on this subject at the moment by the minute as I write this, today’s New York Times article is pretty good.