Thursday, 7 July 2011

Voicemail hacking and the 'phone hacking' scandal - how it worked, questions to be asked and improvements to be made

A few people have asked me to explain what the whole phone hacking thing means. The first thing to mention is that the phone hacking episode has nothing at all to do with actual 'phone' hacking. It is illicit voicemail access. Access can be gained using some technical knowledge and/or tools, but on the whole it is obtained through system and process weaknesses.

Eric Jones [CC-BY-SA-2.0 (www.creativecommons.org/licenses/by-sa/2.0)], via Wikimedia Commons

The second thing to mention is, this is a very long blog post. So either go and make yourself a coffee before reading this, or if you don't have time, read the really quick short version of this I've created.

It's quite clear from the press and revelations that illicit voicemail access has been a practice which has been exercised for a long time. I was speaking to a former journalist last night who told me of a private detective who would run through a checklist in a real matter-of-fact way - "so we'll do the bins, do the phones". The prices quoted were extremely low too.

Attack mechanisms

What I've tried to do is break down some of the methods used to access the voicemail. I should also add that nearly all of these methods and avenues of attack have been shut down by the mobile operators, although as you will see in one case, issues remained in March of this year.

A word on default PINs

Default PINs are used as 'origin' protection and, unfortunately, time and time again they are proven to fail because they rely on a secret that is shared amongst almost every customer. Without forcing a user to change a default PIN, chances are it will remain the same. Also, the option was available (and is still the case in many instances) not to use a PIN at all, which is the preferred option for nearly every customer because of the convenience. Let's be honest, for 99% of customers this is also the sensible option because their convenience needs outweigh their security needs.

Let's have a look at some historical advice and information on default PINs from websites that kept the info. I like the advice on Yabedo in particular:

I quote. For Orange:

"You require a voicemail pincode, when you use a normal fixed line to retrieve your Voicemail messages as the network cannot not give you direct access.
Instead you will be requested to enter a valid pincode. 
This pincode prevents unauthorised access to your Voicemail messages.

How do I know what my voicemail pincode is?
If you have never used or changed your voicemail pincode it will be set to the default 1111."

Nice.

For Vodafone:

"Note: Obvious pincodes like 0000, or 1111 are not accepted by Vodafone. If your PIN number is 3333 (default PIN number) you will need to change it otherwise we cannot deliver your greeting.

Try to enter something memorable like a birthday e.g.: 08 Jan (0801)."

Impressive, good job I know that celebrity's birthday! - oh yes, and the default.

Here's O2:

"How do I know what my voicemail pincode is?
If you have never used or changed your voicemail pincode it will be set to the default 8705."
Thanks ;-)

and where have I seen this before?
"(Or your new pincode, if you have already changed from 8705)
Then select 6 (to change your pincode)
Follow the instructions, to enter your new pincode."
...
"We recommend you use a memorable number like a birthday (e.g. 12th May = 1205)."
!!!

OK, so maybe T-Mobile / Virgin are better?

"If you have never used or changed your voicemail pincode it will be set to the default pincode 1210."
Hmm.. How about if I want to change my PIN?

"Enter your new pincode followed by the # key. 

Your new Voicemail pincode will be saved.

You can immediately use this new pincode to transfer your new greeting. 
We recommend you use a memorable number like a birthday (e.g. 30th Dec = 3012)."

Agh!!

So you get the general idea. There are numerous examples of this across the web for different network operators. It really was (and I emphasise was, because a lot of what we're talking about is historical) an absolute disaster waiting to happen from a security perspective. In the government select committee hearing mentioned below, the Everything Everywhere representative stated that T-Mobile had a default PIN for remote access to voicemail prior to 2002. It's not clear when the others changed, but it would be interesting to know when and why the access rules were changed.


Remote Access to Voicemail


From the reports, it seems that most of the hacking (that was detectable, at least) came through calling the remote voicemail access number for the particular network operator (again, obviously public on the web). You then enter the number of the phone you need to access and its PIN and you're in. The key issue here is that if the user hadn't changed their PIN from the default (and why would they?), they wouldn't know that their voicemail was wide open. There was no SMS notification that the voicemail had been remotely accessed. The victim would be using their own voicemail without a PIN, dialling in from their own phone; the PIN was only necessary from a 'remote' number, so they never saw it and never had a reason to change it. This is the real flaw.

I just want to get you thinking for a moment, do we as consumers really need this as a service?

Calling the victim's phone


One method that has been documented as being used is to call the phone itself and then access the voicemail.

Why don't you try it on your own mobile phone? Dial your own number, wait for the voicemail message to start telling you you're not available, then press the * key - you should be prompted to enter your voicemail PIN. If you haven't set up a PIN, does it still ask you for one? It probably should, and it probably shouldn't be one of the default PINs lying around the internet as previously mentioned. Have a play around to check for yourself. The PIN attempts should lock out fairly quickly and after a certain number of attempts you should now get an SMS explaining that. These mechanisms were all put in place (some of them very recently) to help protect against illicit voicemail access.

In my view, it's probably time this function was turned off. It's marginally handy as a feature (as is the remote access number above), but ask yourself, have you ever used it? If it's significantly more beneficial to an attacker, it's probably better for the network operators to disable it. (Please leave comments below if you use these features regularly and disagree with me!)


Caller ID Spoofing


So what if you could change your phone number so it appears as something else, i.e. your victim's own number? This is one mechanism that has been used recently and has been an ongoing issue for a while in some parts of the world. The attack fools the voicemail platform into thinking it is the victim's handset calling the service, and therefore allows voicemails to be listened to (and also recorded) without a PIN. I originally intended to provide some technical details on how this actually works, but given that this is probably still an existing issue, it probably wouldn't be responsible to do that. Here is some press from the Netherlands on a recent demonstration of this ability to get voicemails against members of the Dutch Parliament in March 2011 and Vodafone's subsequent fix. There are even applications available for one well-known mobile platform to spoof the caller ID.

Social Engineering

In most of the cases above, you will need access to the actual PIN number or get it reset to a known default.


Social engineering allegedly played a large part in the voicemail 'phone hacking' affair. This is where network operator security controls are brought into focus. These controls were not as robust as they could be for a long time. Rumours in the mobile industry abound about authentication between call centres being extremely poor and internal PINs and passwords continuing to be used for months on end. This has been a problem in general for call centres of all types for years, as this article from 2006 explains. The two types that could have been used here were social engineering the call centre employees (as another staff member) and impersonating the victim. The main reason to use social engineering would be to get PINs 'reset' to the default numbers the operators used, enabling the attacker to remotely access someone's voicemail. As a victim, if you weren't using remote access to your voicemails, you weren't going to be asked for the PIN when you dialled your voicemail from your own handset, so you wouldn't actually know that anything had happened (big security hole here).
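Putting the four paths above together (the remote access number, calling the victim's own number, a spoofed caller ID, and a call-centre PIN reset), here is an added example that is not from the original post and is not any operator's code: a small Python model of a voicemail platform's access check under the old policy the post describes and under the hardened policy it argues for. The default and "obvious" PINs are the ones quoted from the operators' help pages above; the phone numbers, the three-attempt lockout and the SMS wording are assumptions for illustration.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Default and "obvious" PINs quoted from the operators' help pages above.
DEFAULT_PIN = "3333"
BLACKLISTED_PINS = {"0000", "1111", "1210", "1234", "2222", "3333", "8705"}
MAX_ATTEMPTS = 3  # assumed lockout threshold


@dataclass
class Mailbox:
    number: str
    pin: Optional[str] = None        # None: the customer never set one
    failed: int = 0
    locked: bool = False
    sms_log: list = field(default_factory=list)   # messages sent to the handset


@dataclass
class Call:
    cli: str                 # caller ID as presented to the platform
    cli_verified: bool       # True only if the operator's own network asserted it
    target: str              # mailbox the caller asked for
    pin_entered: Optional[str] = None


def legacy_access(box: Mailbox, call: Call) -> str:
    """The behaviour the post describes: trust the presented CLI, treat an
    unset PIN as the default, never notify the owner, never lock out."""
    if call.cli == box.number:               # handset path, or a spoofed CLI
        return "granted"
    expected = box.pin or DEFAULT_PIN
    return "granted" if call.pin_entered == expected else "denied"


def hardened_access(box: Mailbox, call: Call) -> str:
    """The controls the post argues for: only a network-verified CLI skips the
    PIN, no remote access until a PIN exists, SMS on every failure, lockout."""
    if call.cli == box.number and call.cli_verified:
        return "granted"                     # genuine handset; a spoofed CLI falls through
    if box.locked:
        return "locked"
    if box.pin is None:
        return "denied: set a PIN from your handset first"
    if call.pin_entered == box.pin:
        box.failed = 0
        return "granted"
    box.failed += 1
    box.sms_log.append(f"Failed voicemail access attempt from {call.cli}")
    if box.failed >= MAX_ATTEMPTS:
        box.locked = True
        box.sms_log.append("Voicemail locked after repeated failed attempts")
        return "locked"
    return "denied"


def set_pin(box: Mailbox, call: Call, new_pin: str) -> bool:
    """PIN changes only from the verified handset, never to a guessable value."""
    if not (call.cli == box.number and call.cli_verified):
        return False
    if len(new_pin) != 4 or not new_pin.isdigit() or new_pin in BLACKLISTED_PINS:
        return False
    box.pin, box.failed, box.locked = new_pin, 0, False
    return True


def legacy_reset(box: Mailbox) -> str:
    """Call-centre reset as the post describes it: back to the shared default,
    which the attacker then uses on the remote access number."""
    box.pin = DEFAULT_PIN
    return DEFAULT_PIN


def hardened_reset(box: Mailbox) -> None:
    """Reset to a random PIN sent by SMS to the handset; the agent, and anyone
    impersonating the customer on the phone, never learns it."""
    pin = f"{secrets.randbelow(10_000):04d}"
    while pin in BLACKLISTED_PINS:
        pin = f"{secrets.randbelow(10_000):04d}"
    box.pin, box.failed, box.locked = pin, 0, False
    box.sms_log.append(f"Your new voicemail PIN is {pin}")


def demo() -> dict:
    """Replay the attack paths against a constructed victim under both policies."""
    victim = Mailbox(number="07700900123")           # never set a PIN (constructed number)
    attacker = "07700900999"
    out = {}
    remote = Call(attacker, False, victim.number, DEFAULT_PIN)
    out["remote, default PIN, legacy"] = legacy_access(victim, remote)
    out["remote, default PIN, hardened"] = hardened_access(victim, remote)
    spoofed = Call(victim.number, False, victim.number)
    out["spoofed CLI, legacy"] = legacy_access(victim, spoofed)
    out["spoofed CLI, hardened"] = hardened_access(victim, spoofed)
    handset = Call(victim.number, True, victim.number)
    set_pin(victim, handset, "4071")
    for guess in ("0801", "1205", "3012"):           # birthday-style PINs the help pages suggested
        out[f"guess {guess}, hardened"] = hardened_access(victim, Call(attacker, False, victim.number, guess))
    out["sms sent"] = len(victim.sms_log)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:32} {v}")
```

The point of `legacy_access` is that an unset PIN and the default PIN are the same thing, and that the presented CLI is believed, so both the remote-number and spoofed-CLI paths open the box without the owner ever seeing a prompt. In `hardened_access` a spoofed CLI simply drops through to the remote path, which refuses to work until the owner has chosen a PIN from the real handset, and every wrong guess produces an SMS so the owner finds out. The reset functions show why the call-centre attack worked: a reset to a shared default is as good as handing over the PIN, whereas a random PIN delivered only to the handset gives an impersonator nothing.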


With social engineering, most of the attacks are multi-stage. The attacker first needs to get enough information on you to get them to the next stage. It may be something like your gas bill with account details and your address on, or some details about the place where you work. Once an attacker has gained some information to prove legitimacy, they can begin the real social engineering process. This article isn't about that, but I wanted to just give a bit of explanation for context. Another thing to think about, if someone is determined to get information about you, they will get it. For the majority of people, that will never be a problem in their life, but for anyone who crosses the media radar this has been and sadly will still be a problem.

For further reading, have a look at Kevin Mitnick's The Art of Deception.

Analysis



So now I've talked about the actual mechanisms involved, what is happening in the mobile industry and what direction will this take next?


What the network operators have to say

By Maurice from Zoetermeer, Netherlands (The British Parliament and Big Ben) [CC-BY-2.0 (www.creativecommons.org/licenses/by/2.0)], via Wikimedia Commons
When the operators gave evidence to the Home Affairs select committee session on Unauthorised Tapping into or Hacking of Mobile Communications on the 14th of June 2011, more details emerged on how victims were identified by the operators. Vodafone's Julie Steele explained that the Police had given them details of suspect numbers. These were then checked to see if they had dialled any [remote] voicemail numbers. They then worked out that on Vodafone there were 40 victims. In total, the operators together identified just over 100 victims [note: at 15:00 on the day of writing, Channel 4 news are quoting the police as saying there are now 4000 potential victims].

During this session, members of the committee were most interested in how the operators had acted in contacting the victims. Only O2 had proactively gone out and told victims they had been hacked. I personally think this is an issue of miscommunication more than anything else. The Met's John Yates had "assumed" that the operators were going to contact the victims; the operators probably assumed that the Police would do that. This was further confused by the fact that the Police had originally specifically asked them not to contact the affected customers. Overall, both had a responsibility to do it but should have coordinated better, and quite rightly the operators were taking their lead from the Police, because contacting victims could have accidentally prejudiced the inquiry. The Police also didn't respond to some letters from the operators.


From the responses during the session, it appears that the Police didn't fully brief the operators on who they thought / knew were affected. In fact, it could be argued that the Police sent the operators on a 'fishing trip' to try and work out potential victims for them based on the calls that suspects had made to voicemail numbers on their networks. This was the Police's job to do really - once they had the raw call records they could analyse the data.
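As an added example (not the original post's content, nor any operator's tooling), this Python sketch shows the kind of triage the committee evidence describes: take the suspect numbers the Police supplied and pull out the mailboxes they opened through the remote access path. It goes one step further than the evidence, answering the author's first question for the operators further down by also looking for remote access to high-profile mailboxes from numbers the Police never listed, and for callers that open many different mailboxes. The log format, phone numbers and records are all constructed for the example; a real platform would need to have retained per-access records for any of this to be possible, which is the retention question raised at the end of the post.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed voicemail-platform access records for the example. This is not a
# real log format: one row per attempt, with the caller ID presented, the path
# used (handset or the remote access number) and the mailbox requested.
SAMPLE_LOG = """\
ts,caller,path,mailbox,outcome
2005-06-01T09:12:00,07700900501,remote,07700900101,granted
2005-06-01T09:15:00,07700900501,remote,07700900102,granted
2005-06-02T22:40:00,07700900502,remote,07700900103,granted
2005-06-03T08:01:00,07700900101,handset,07700900101,granted
2005-06-03T11:30:00,07700900502,remote,07700900104,denied
2005-06-04T13:05:00,07700900503,remote,07700900105,granted
2005-06-04T13:09:00,07700900503,remote,07700900106,granted
2005-06-04T13:15:00,07700900503,remote,07700900107,granted
2005-06-05T10:00:00,07700900108,remote,07700900108,granted
"""

# Assumed inputs: the Police's suspect list and a watch list of high-profile mailboxes.
SUSPECTS = {"07700900501", "07700900502"}
HIGH_PROFILE = {"07700900105", "07700900106"}


def load(log_text=SAMPLE_LOG):
    """Parse the CSV records into dicts keyed by the header row."""
    return list(csv.DictReader(StringIO(log_text)))


def remote_accesses(rows):
    """Successful remote-path accesses, excluding owners dialling their own box
    from a landline (the legitimate use of the feature)."""
    return [r for r in rows
            if r["path"] == "remote" and r["outcome"] == "granted"
            and r["caller"] != r["mailbox"]]


def victims_from_suspects(rows, suspects=SUSPECTS):
    """What the operators did with the Police's list: mailboxes that the
    suspect numbers opened through the remote access number."""
    hits = defaultdict(set)
    for r in remote_accesses(rows):
        if r["caller"] in suspects:
            hits[r["mailbox"]].add(r["caller"])
    return {box: sorted(callers) for box, callers in hits.items()}


def unlisted_callers_to(rows, watch=HIGH_PROFILE, suspects=SUSPECTS):
    """The author's first question: remote access to high-profile mailboxes
    from numbers that were never on the suspect list."""
    hits = defaultdict(set)
    for r in remote_accesses(rows):
        if r["mailbox"] in watch and r["caller"] not in suspects:
            hits[r["mailbox"]].add(r["caller"])
    return {box: sorted(callers) for box, callers in hits.items()}


def prolific_callers(rows, threshold=3):
    """Callers that opened at least `threshold` distinct mailboxes remotely:
    a legitimate user checks one box, a private investigator checks many."""
    boxes = defaultdict(set)
    for r in remote_accesses(rows):
        boxes[r["caller"]].add(r["mailbox"])
    return {c: sorted(b) for c, b in boxes.items() if len(b) >= threshold}


if __name__ == "__main__":
    rows = load()
    print("victims linked to suspects:", victims_from_suspects(rows))
    print("unlisted callers to watched boxes:", unlisted_callers_to(rows))
    print("prolific remote callers:", prolific_callers(rows))
```

Two caveats a practitioner would add. `remote_accesses` keeps only granted rows, which is what identifies victims; for the investigation itself the denied attempt in the sample (suspect 502 against mailbox 104) is still evidence of targeting and should be kept. And the whole exercise depends on the platform logging which mailbox was opened from which presented CLI, not just the call detail record of a call to the access number; the latter alone tells you a suspect rang the service, not whose box they opened.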

The session revealed much of what I have described in this post: that having a PIN at all was optional prior to the original investigation, and that measures have since been put in place to make the whole system and the call centres more robust. O2's Adrian Gorham appears to have performed in the most knowledgeable way, with James Blendis (in my opinion) looking like he was way out of his depth.


With revelations coming out daily on the number of 'normal' people who could have been targeted, even murder victims and relatives of soldiers who have died, the problem now for all of us is that most of the evidence is likely to be lost. The call records that the police directly asked for six years ago related to specific known suspect handsets, and so to the victims the Police already have; other information will have been deleted, as the operators acknowledged to the select committee. We may end up only having the information from Glenn Mulcaire's notebook, which Michael Meacher said in the House of Commons on the 6th of July was about 11,000 lines of information. The complexities of prosecution are not to be ignored either. The Police had to be careful about how they approached the issue, especially with the definition of 'interception', because voicemails that had already been listened to by the recipient can't really be described as intercepted. A technicality, but an important one nonetheless.


In the Commons debate on the 6th, Keith Vaz, the Chair of the Home Affairs select committee, again brought up the role of mobile operators. I can see where he is heading. My view - yes, they were caught napping, but can we really lay the blame on the operators? I don't think it is fair to do this because at the end of the day, somebody wilfully and criminally accessed the systems and processes to get that information. Once the operators found out, they did put systems in place to prevent it happening again (with the caveat of my suggestions above).


Specifically on the call centre issue, it should be said that call centres have high staff turnover anyway, so this is always going to be a weak point for security. To be fair, the operators are pretty robust about dealing with staff trying to re-sell SIM unlock codes or snooping into celebrity accounts.



Summary


There will always be people who want to listen in to the calls or messages of others illegally and we must remember that this has happened in the past and it will happen again. A Reuters article explored the area recently (although I don't agree with everything Karsten Nohl says in it).


Techniques for illicitly getting access to information about people are always developing and the problem is not going to go away. Network operators need to go a step further in relation to voicemail access themselves. They should not just look at fixing the procedural flaws and loopholes that allow voicemails to be accessed, they should question the whole provision of any form of remote access to voicemail. How many people use it and could it be killed off if it ultimately cuts off this avenue of attack? I would argue that it is a step worth taking. The fraud and security departments can then concentrate on hampering the other techniques through further technical validation.

If I was on the Home Affairs select committee, I would be asking the following questions of the network operators:

1) Did mobile network operators consider that this was a widespread activity and therefore complete a full review of remote access to the voicemails of (as a starting point) high-profile individuals who were not directly linked to the 'suspect' numbers given by the Police?
2) Given the seriousness of the investigation and the potential for many, many other customers to have been breached from phones as yet unknown, why was all data on external voicemail accesses not retained as potentially pertinent to the investigation? *

* Note: I do realise how much data that is by the way!

and the following questions of the Police:

1) Given where the evidence was leading, were other reporters' call records checked to see whether they had accessed any voicemail remotely?
2) Were any other private investigators linked to national newspapers questioned over the methods they use to gather information?


So this is the longest blog post I've written (and hope to write for a long time!). Thank you for reading this far and please do feel free to leave your thoughts and comments (and any corrections!).

Bootnote: As a lot of news is being published on this subject at the moment by the minute as I write this, today's New York Times article is pretty good.

32 comments:

  1. Have just tried hacking my personal phone (on Vodafone). I only got as far as 'entering the number followed by the # key' as I've never set a pin on my voicemail. The message then tells me instructions on how to set remote access up, again, something I'll never need.

  2. It's interesting that very few people are suggesting that the mobile operators bear any 'blame' for offering an unwanted(*) feature with lax security. Nor, even more pointedly, threatening to sue for damages.

    The response to most IT-related attacks seem to be to go after the very visible attacker, and let the quieter attacker remain in the shadows. Fixing the poorly engineered systems is a more rational response.

    The operators must have - or be able to assemble - statistics on how many customers use the ability to access voicemail from another phone. Perhaps they'd like to share? Or has voicemail hacking been rife up and down the country among jilted lovers and inquisitive parents/offspring?

    (*) Until recently (and maybe still now in some cases) you needed the PIN when calling in from abroad. I guess that was because the network didn't successfully pass the caller ID?

  3. This comment has been removed by the author.

    Replies
    1. Right you are, my good man, right you are :D

  4. One remote access voicemail user here:

    I live in the US, but travel to the UK. I leave roaming (85p/min) off, and retrieve my voicemail remotely by calling my US number from a landline (12p/min on the worst carrier).

    My PIN is a random (meaningless) 6-digit number.

  5. Interesting that you do not lay much blame at the operators.
    If it was banks and their ATM systems that put such a flawed system in place would you be of the same opinion as bank accounts were emptied by anyone who wanted to?
    The first time I had a mobile phone in the early 90's I was shocked to realise how easy it was for others to get into my voicemail (about 30 seconds after learning about remote access to it I could see the flaws!).
    The scary thing is that apart from the spoofing, which has not required any technical ability for a while now, it was never a small exploitable flaw but a wide open gate for anyone to walk through.

  6. I use remote access, and I want remote access. Is it a problem when there aren't obvious precautions and protections put in place to fence access in? Of course. But that doesn't mean that killing off remote voicemail access is the solution.

    In fact, I think it's somewhat interesting that people are going ape over remote VM access when there are other systems besides voicemail that also have the same issue, but nobody's bothered to question those. (I realize the reason why VM remote access has specifically come into question here is because of the media blitz surrounding this particular scandal, but still.) I mean, think about it: for about 95% of users, e-mail, by its very nature, is *inherently* remote access, and I would argue that most people would be more worried about someone accessing their e-mail than their voicemail. (I know I would: most of my own voicemails that I have both delivered as well as received have been vague, with little in the way of detail included, along with a generic request to receive a callback. The actual voice call that follows the voicemail is when anybody plans to convey those details to the other party. In contrast, you can pick up an entire thread of conversation via e-mail that might span days, weeks, or even months, and which will be brimming with details.)

    I think the answer to solving most of our VM "hacking" problem is simply a dose of common sense by the providers/carriers:

    1. When a new mobile voice account is activated, access to the voicemail account either via remote OR straight from the handset should be prohibited until the account holder has initialized his/her voicemail box.

    2. Initialization should only be accomplished from the associated handset itself; remote access can only be utilized after said initialization.

    3. There should be no default PIN: upon initial logon from the handset and during voicemail initialization, the owner would be required to generate a unique PIN right then and there, as part of the setup process. They should not be allowed to proceed to main voicemail access without choosing a PIN (so hanging up in the middle of the setup and then calling back would simply start the setup process over again from the beginning until they get all the way through it).

    4. PIN entry should be required by default even for access from the handset. If the user wants the "convenience" of not being required to enter a PIN every time he/she checks voicemail, then the user should be allowed to turn off the PIN requirement when accessing from the handset after they have weighed the security risk for themselves, but the option should be explicitly OPT-IN.

  7. (As an addendum, I should add a #5: remote access should be disabled unless explicitly enabled by the user, much like the PIN requirement from the handset at #4. That would take care of the majority of remote access attack vectors on voicemail accounts owned by people who both don't use remote access and who would otherwise be too lazy to set up and properly secure their account.

    And I would add that my #4 suggestion would likewise take care of the majority of cases in which caller ID spoofing could be used as an attack vector. If required PIN entry were enabled by default unless specifically disabled, I am guessing that most people would not bother to disable it or might not even realize that it's even an OPTION to disable it, and so would eventually get used to the fact they have to type in 4 digits to access their voicemails.)

  8. The PIN for remote access is also required when accessing your voicemail from abroad (Caller ID does not always work when roaming).

    I suspect that, for convenience, the same system is used when the voicemail access number is dialed.

  9. probably this event will cause all mobile / telephone operators to tune up their security measures & make life difficult for hackers

  10. @Nathan Anderson:
    most of the time there isnt anything useful in voice mail, but sometimes there is that call to a man from his mistress, or sometimes just information about WHO is leaving messages which works as one part in a multi-stage attack (every piece of information is vital and important when planning an attack or just gaining more information)

    now of course an email gives more obvious advantages whole conversations as you mentioned, not to mention any site the person is registered to with a "forgot my password" option and is set to that email could also be compromised. but voice mail can still let you gather information on who they are talking to, perhaps give information about when or where they are meeting so you can get more information. this could be used for blackmail, or just voyeurism.

    it is a different KIND of vector though, one requiring some familiarity with the victim, one performed more in the real world than anonymously over the internet. which can be the worst vector of all.

  11. As a voicemail developer I can tell you a couple of things:
    1. there is no security difference if you allow remote access or abroad (roaming) access. In both cases Caller ID comes from unknown source and can be incorrect or even spoofed.
    2. About spoofing: if call comes from your own network and network components are securely configured ( like caller ID is confirmed or at least checked by network equipment ) it will be pretty expensive if ever possible to spoof the ID. Calls from foreign networks must be treated as remote access/abroad.
    3. If you implement everything correct it will be cheaper for companies to not turn on PIN-Code check as default and deal with possible but pretty difficult and rare spoofing attempts, rather than turn it always on and have a huge traffic to the support callcenter with one common question: how to turn it off, because it was off before or it is off by friends/relatives/colleagues.

  12. I was involved with a business selling these voicemail systems (I worked on a different part of the business, but know a bit about it).

    The only time that I have ever used this service is when abroad. I don't answer incoming calls (to save on roaming charges), and use an international number to ring my service provider (currently Vodafone) to retrieve the voicemails. It is cheaper that way.

    I know this is marginally useful to me, but wouldn't really miss it. I can't see anyone else using it at all.

  13. I'm wondering how much of this is just a UK carrier problem vs a global issue. I live in the US and have to enter a non-default pin on my cell phone every time I use it to access my voice mail. While it's been a number of years since I opened the account I doubt that turning on that extra level of security is something I'd've bothered to do unless forced by Verizon when I got the phone.

  14. I think this discussion leaves in question the security flaw inherent in a non-technical user base. As long as the provider expects there will be calls of the "I forgot my PIN" sort, catering to that user will inevitably make the social engineering attack easy.

  15. I don't want the remote access service removed. I use it when abroad, presumably because the carrier doesn't pass the caller id. Although this is a rare case for me it's when I'm in a critical and vulnerable situation and the access is vital.

    I also use it a lot nowadays as the reception on an iphone is terrible. If someone leaves a message and I can't hear it I can't just ask them to repeat it so I listen to it from a landline.

  16. I guess an interesting question for the operators would be whether voicemail remote access should be switched off by default.

    Sophisticated users who really need to use it (along the lines of several of the other folks commenting above) will choose to switch it on at which point they can be said to be taking responsibility for managing that access via a suitable PIN etc

    If the feature is switched on by default - even worse with a default PIN - then that assumption of responsibility is rather harder to make.

    As a side note I personally don't have voicemail enabled on my phone at all. I used to spend tens of minutes per day listening through unnecessary messages to find the one or two important ones but now I simply assume that if it is actually important the caller will send me an SMS or email - or call again when I can take the call.

  17. As someone who spends a large amount of their day resetting the Voicemail PINs it appears that people still want the service and that the current solution from Vodafone is better.

    At present you can gain full access by calling 121 from your own mobile. As it's connected to the network it's possible to confirm if the mobile is really you (stopping CLI hacks). You have the choice to force PIN access on this route if you want, but by default it is off.

    If calling remotely the access is via a generic long dial, here you will be prompted for the mobile number, followed by the PIN. If you don't have a PIN set up it will fail, and inform you that you need to set one up first. If you get the PIN wrong an SMS is sent to the mobile stating someone tried to access your voicemail. After three wrong attempts the account is locked out.

    It is only possible to edit the PIN via a call from the mobile itself, and numbers like 1234, 1111, 2222, 3333 etc are blacklisted.

    Customer services can unlock accounts and reset PINs, however they have no visibility (unlike in the past) as the new PIN will be sent as an SMS to the mobile.

    Of course picking DOB as a PIN is a stupid idea and would still allow people to take a good first guess.

    Finally something to remember is that whilst Glen Mulcaire had thousands of mobile numbers in his book, there is nothing to suggest that he attempted to listen to all their voicemail, just obtain contact details for journalist to use.

  18. Remote VM access is useful for two key reasons:
    - Travelers
    - Destroyed / lost phones

    Given the numbers of both of these, this is not just a 1% feature, but more like 10-20% use feature.

  20. Voicemail hacking and the 'phone hacking' for security would like to know more ideas.

  21. There's a product that blocks out all transmission. I got one here in LA at a convention. It was $20 and called Hushpockets. The guy did a demo in front of me and it worked in 2-3 seconds. It blocked out the call. Then he did another one with gps google map. and after 5 seconds in the hushpocket, it said "signal was lost" a great product for the security conscious person. I think it's perfect for celebs or attorneys or finance managers??

  22. Hmm I took a look at the Hushpockets video - "you cannot hack what you cannot reach" might as well say "you cannot use what you cannot reach!". The solution is effectively a faraday cage bag. It's not really practical in this case, however I have seen some better uses for shielding passports and NFC cards and phones when in your pocket.

  23. While I am commenting on this particular blog, I want to thank everyone for their excellent feedback on here and on the other articles that have appeared around the web about the voicemail scandal. I collated the responses and submitted it as input to the industry work on this topic.

  24. Why do people not simply delete their voicemail messages once heard. Why on earth keep them? Serves 'em right I reckon.

  25. This is a very serious issue although the common public are not that affected but the higher case people can get ruined for the loss of some information.

  26. This reminds me of the Watergate scandal. The only difference is that we're using different technology nowadays

  27. It is kind of a sneak peek in someone else's life.
    Very bad.
