Does your Security policy take the Carrier into Consideration? Does it Require Users to Change the Default PIN?
The scandal revolving around the News Corporation’s now defunct British tabloid, “News of the World”, has entered a new phase with the revelation that the hacking techniques are widely used in the British tabloid media and that, worryingly, even political figures were targeted. “Hacking Scandal Widens to Government Secrets,” the New York Times headline proclaimed, stating further, “Britain’s hacking scandal was reported on Tuesday to have broadened significantly into areas of national security with police investigating whether private detectives working for the Murdoch media empire hacked into the computer of a government minister responsible for Northern Ireland.”
Scary stuff, yet the enterprise security community seems strangely quiet on the topic, aside from showing other journalists how easy it is to do. The irony! It's almost as though there is an unspoken understanding that this doesn’t fall into the Information Security arena.
This is utterly mind-boggling, considering the revelation of risk involved.
The main thing we learned from this is that most voicemail systems are not secure. Essentially, a bunch of technically unskilled attackers managed to circumvent the national security precautions of the United Kingdom by exploiting an unsecured 3rd party.
Here is the kicker! Aside from not using the feature, there is not a single thing anyone (except for the carrier) could have done to prevent it.
When you read the security precautions offered by carriers for voicemail, you can only weep and cry and scream in desperation. Essentially, from the perspective of an attacker, there aren’t any precautions per-se, just a few inconveniences.
It boggles the mind even more, because the issues are fundamentally the same as with PBX’s, and these were already known, documented and encountered sufficiently in the 1980s.
So what we learned about the carriers is that they have learned nothing in that regard in almost 30 years.
We also learned that we are possibly four digits away from a compromise. If we are lucky that is, and even that simple precaution has not been disabled.
Now, who has mobile phones in their organization? Who carries them? Your Consultants? Your Salespeople? Your CTO/CSO/COO/CFO? Your legal counsel? Or maybe, just maybe, your Minister or Brigadier General. In addition of course, to all of those BYODs. That probably amounts to a lot of voice-mail likely containing a lot of sensitive information.
Does your security policy take the carrier into consideration? Does your security policy make a point of your users changing the default pin (or in some cases, actually activating the pin in the first place) and setting a password. Even, or especially, in the case of BYOD. Can you legally even do that? Do you instruct employees not to relay sensitive information via voicemail? No?
Then you may just have a gap in your Security Strategy, and if you are in any way important in some industry, region or market, chances are you have already had a data breach and security incident and you never even knew, and will unlikely be able to verify this even if you had a hunch or suspicion.
Consider this: If the know-how has been disseminated so widely that we are seeing it used in this context on this low level of technical expertise, more dangerous but careful and less impulsive eavesdroppers than journalists will have long leveraged this. This is probably also just the tip of the iceberg, because in this case the public nature and method of how the information was used are the only reason it ever came to light at all. But Trade and Defence secrets are an entirely different kettle of fish.
The implications are truly dire. Even Typosquatting, which relies on something as unreliable as bad typing, can yield huge amounts of critical data and pose a major security risk, so that the scope for abuse and data loss from intercepted voice-mails is at least as great, if not more so. People feel safe on the phone, especially to other people they know longer or are familiar with, and this artificial atmosphere of safety and privacy suspends caution. Anything someone will say on a phone, they are likely to leave in a message.
The implications in how easily the perpetrators were able to social engineer the carrier's customer service agents is worrying. If the alarm bells do not go off when dealing with a prominent celebrity’s customer account, it does not bode well that they may perk up for plain John or Jane Doe. Nor did any of the carriers become aware of the compromises, which is also incredibly concerning considering the scale and duration. One can only guess how many occurrences of this form of attack take place; The carriers can’t tell us either apparently.
Even the most simple mechanisms that would assist a customer in investigating such suspicions, such as listing the amount of times and the time a specific message has been retrieved, or a notification SMS when calling the voice-mail service from a new caller id are absent. Security was never a consideration in the design.
Carriers do not offer much flexibility or control over security features, nor is there a way to view or log failed authentication attempts, caller details or any other important data. You are delegating control 100%, even though the feature itself is inherently unsafe. Senators, Congressmen, Generals and CEO’s, all have the same set of security measures as someone who purchases a cheap pay-as-you-go phone. The security is geared towards the lowest common usability denominator, opening a vector for an effective, low-cost, low-tech asymmetric attack with zero risk for the attacker and a return far outweighing the effort.
Yet this technology is ubiquitous and all around us, used by essentially everyone, from the bottom to the top, and is one of the most used and relied on features for business and government users. Most us have entirely missed it as an attack vector, to the extent that there actually are no mechanisms to secure it, even if we now wanted to. This is the inherent danger of bringing consumer items into a business context. They are just not designed for it.
Potentially, if you know the correct mobile number and you can guess 4 Digits, you too can be listening to your elected leaders personal messages. The chances are pretty good that it could be their birthday.