The phone hacking scandal engulfing the UK tabloid press has claimed a succession of high-profile scalps, including News International executives, senior police officers, government advisors and the country’s best-selling Sunday newspaper (see BBC timeline). Yet in all the column inches devoted to the story, very little has been written about how the hacks were carried out and whether enough is being done to stop similar intrusions in future.
Indeed, the very use of the word ‘hacking’ to describe what happened irritates many infosec experts. David Rogers, director of UK mobile software and security firm Copper Horse Solutions (who has blogged in depth about the scandal), says: “The media talks about phone ‘hacking’ when really what went on was just illicit access to voicemail. Yet most casual readers have visions of the kind of thing they see in the movies – technical wizards using state-of-the-art technology to listen in to private conversations.”
Equally, though, this wasn’t simply a case of journalists calling voicemail systems, punching in a victim’s number and a default PIN, then hoping for the best. Yes, in the majority of cases that’s probably what happened – but other, more tricksy tactics were also at play here.
Spoofing and Social Engineering
One such technique, known as caller ID (or CLI) spoofing, allowed those attempting to access targets’ voicemail boxes to make it appear as if they were calling from the victim’s own phone. They could either use this ruse to gain access to voicemail boxes directly (where operators used the caller ID to authenticate access) or to aid in so-called ‘social engineering’ attacks; for example, phoning a call center and posing as a customer in order to obtain personal details that would then give them the voicemail access they sought.
Indeed, social engineering has always been a key weapon in the hacker’s armory, and it is alleged to have played a large part in this affair. While most people in the late 1990s and early 2000s (when the bulk of these ‘hacks’ took place) didn’t know – and weren’t prompted by operators – that they should change their default PIN (or even that they had one), some of the celebrities whose voicemail was compromised had set up their own PINs. It’s probably true that many of them used easy-to-guess passwords, such as their date of birth, but in other cases it seems journalists and investigators managed to fool operators into divulging information. Rogers says: “A lot of the practices prevalent in call centers at the time could easily be abused. Employees were routinely sharing passwords and other details over the phone with one another.”
By calling up and pretending to be a fellow call center employee, they could often obtain personal information about a customer. They could then call again pretending to be that customer and request a password reset. The ‘hackers’ probably also used other tried-and-tested techniques to obtain victims’ details, such as raiding their trash for discarded mail or phishing for information online. “That sort of thing is bread and butter for social engineers and private investigators”, says Rogers.
Following the initial investigation into phone hacking in 2006, and the resultant flurry of publicity, operators (in the UK at least) were quick to close the obvious voicemail security holes. “In the UK, I’d say they have pretty much taken all the measures they can to deal with voicemail issues – for example, they text you if anyone tries to access your account with an incorrect PIN and lock people out following three incorrect attempts. They’ve also made it mandatory for users to change the default PIN in order to access voicemail remotely, as well as putting in place measures to make the whole system, including call centers, more robust”, says Rogers.
So does that mean your voicemail today is secure? In the UK, Rogers thinks the answer is generally yes, although he advises everyone to check the robustness of their own operators' policies and put pressure on them if these are found wanting. Elsewhere in the world, things can be less certain. “Outside the UK, a lot of operators are still just paying lip service to security”, he says. However, given the global coverage of the scandal in the wake of this summer’s developments, Rogers notes there is increasing pressure on operators in the US and other countries to shape up, and he thinks the “golden era” of voicemail hacking is pretty much over.
But while most of us need not worry about voicemail interception, high-profile figures could still be at risk. Bjoern Rupp, chief executive of Germany-based mobile encryption technology supplier GSMK Cryptophone, says: “While no longer relying on default PINs and CLI as the sole means of authentication is a good start, there are still various ways for outsiders to circumvent typical voicemail authentication mechanisms, or even intercept the call from the phone to the voicemail system. In addition, carriers’ voicemail systems have interfaces for maintenance and lawful interception, so there will always be an insider threat. People with access credentials can pass information on to third parties.”
And despite efforts to tighten up call-center procedures, some experts think social engineering is even easier now. “There is a limit to the controls that can be applied, and today there is a lot of personal information on the internet to help fraudsters impersonate customers”, says Simon Collins, vice president of communications risk management consultancy Praesidium.
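The operator-side controls Rogers lists (no remote access on the default PIN, a text message on each incorrect PIN, lock-out after three failures) and Rupp's point that CLI must not be the sole authenticator can be combined into one access decision. The sketch below is an added example, not any operator's code; the `Mailbox` class, the `remote_access` function, the default PIN value and the phone number are all constructed for illustration.

```python
import hmac
from dataclasses import dataclass, field

DEFAULT_PIN = "0000"   # constructed stand-in for an operator-wide default PIN
MAX_FAILURES = 3       # lock-out threshold described in the article


@dataclass
class Mailbox:
    msisdn: str
    pin: str = DEFAULT_PIN
    failures: int = 0
    locked: bool = False
    sms_sent: list = field(default_factory=list)  # stands in for an SMS gateway


def remote_access(box: Mailbox, presented_cli: str, entered_pin: str) -> str:
    """Decide a remote voicemail login. Returns 'granted' or a refusal reason.

    presented_cli is supplied by the caller and can be forged, so it is
    accepted as an argument but deliberately never used to authenticate.
    """
    if box.locked:
        return "locked"
    if hmac.compare_digest(box.pin, DEFAULT_PIN):
        # Remote access stays disabled until the subscriber sets a PIN.
        return "default-pin-not-allowed"
    if hmac.compare_digest(entered_pin, box.pin):
        box.failures = 0
        return "granted"
    box.failures += 1
    box.sms_sent.append(f"Incorrect voicemail PIN entered ({box.failures}/{MAX_FAILURES})")
    if box.failures >= MAX_FAILURES:
        box.locked = True
        return "locked"
    return "wrong-pin"


def demo() -> list:
    """Replay a constructed call sequence against one mailbox."""
    box = Mailbox(msisdn="+447700900123")                    # constructed number
    results = [remote_access(box, box.msisdn, DEFAULT_PIN)]  # CLI matches, default PIN
    box.pin = "582913"                                       # subscriber sets a PIN
    for guess in ("1234", "0000", "1975"):                   # wrong PINs, matching CLI
        results.append(remote_access(box, box.msisdn, guess))
    results.append(remote_access(box, box.msisdn, "582913")) # correct PIN after lock-out
    return results
```

A matching caller ID changes none of the outcomes in `demo()`, and once the mailbox is locked even the correct PIN is refused until the operator resets it out of band.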
Is Anyone Listening?
And what of the danger of voice calls and text messages being intercepted? Well, it’s certainly not as easy as back in the day, when you could pick up cellphone calls on a simple radio scanner (see ‘Scanner’s Story: Life Imitates Art’ box-out). These days, traffic over GSM and 3G is encrypted. Even so, some experts urge caution – at least if you’re a potentially lucrative target such as a celebrity or high-powered business exec. It has been demonstrated a number of times that GSM encryption can be broken in minutes by a skilled hacker, with limited reports of researchers managing to crack 3G.
But you can’t be 100% sure that even 3G calls are secure, especially if – like celebrities, politicians and prominent businessmen – you’re a frequent international traveler, says Ian Meakin, vice president of marketing at global mobile encryption technology specialist Cellcrypt. “In some countries operators turn off encryption for national security reasons and others don’t implement it correctly. Adding your own layer of strong encryption, end-to-end, is the only way to be sure your call is private”, he cautions.
Smartphones: Back to Square One
If the phone hacking scandal teaches us anything about security, though, it’s that operators only act to prevent intrusions after the fact. It’s undoubtedly true that the threat of voicemail hacking and interception of cellphone calls is far less acute than it was when these technologies were in their infancy. Today’s most widespread and potentially damaging threat comes not from these mature technologies, but from the new kid on the block: the smartphone.
Few users today are protected from the rogue apps and other mobile malware that can easily hijack your data, passwords, browsing history, credentials and other personal information – or even monitor your messages and voice calls. Even fewer are aware of the dangers of physical attacks, such as the fact that plugging your phone into a public charge point modified by a hacker could let an attacker extract all your data without your knowledge. As Rogers says: “Those are the kind of things that are realistically going to happen, and that’s where individuals and businesses should really be focusing their attention today.”
Scanner’s Story: Life Imitates Art
Back in the early 1990s, electronic musician and artist Robin Rimbaud (aka Scanner) made a name for himself by including private cellphone conversations picked up on a simple radio scanner as ‘found sounds’ in his work. To many, it raised important issues about privacy and security in the emerging digital age. It also helped prompt wider public awareness of the practice and, not long after, operators encrypted their mobile networks.
When companies want to roll out a potentially lucrative new technology, security concerns generally come second to ‘speed to market’. As a result, the onus has always been on others to expose and publicize the potential threats introduced by new technologies in order to put pressure on providers to plug any holes.
In 1995, the UK's Sunday Mirror saw it otherwise, however. In an article (reproduced on Rimbaud’s website) the paper said: “The Institute of Contemporary Art in London is paying [...] for his ‘phoney’ art despite the fact what he does is illegal.”
Rimbaud told Infosecurity his work back then simply reflected what was possible with the technology of the time. “These voices were simply being broadcast across the airwaves for anyone to hear”, he says.
He recently revealed that the News of the World had subsequently offered to buy his collection of recorded calls, a request he pointedly refused. The irony is not lost on him, and the central lesson remains the same, he says: “All transmissions offer a level of insecurity and there will always be people who wish to exploit these – mostly in financial terms, unfortunately – so it's worth remaining conscious of the vulnerability of all technologies we use today.”