You Call That Phone Hacking?

Who will it be this week?

I mean, whose nude photos will be released online after their phone is hacked? Hacking a phone is one thing, but hacking voicemail is something else, and while your voicemail does have some protection, breaking into it is probably not complicated. Let’s get real here - the single best security for your voicemail is your voicemail PIN – which is basically just a numerical password – and we should all have a great sense for just how effective passwords are. We should definitely look at hacking voicemail and hacking your phone as two completely different things.

Setting the PIN

Getting to your voicemail normally requires knowing your PIN. Your phone company installed a default PIN for your account – probably 0000, or 1111, or the last four digits of your phone number. For most cellular services, this number can be from four to seven digits long. If you leave the PIN on the default setting, anyone can get into your voicemail by dialing the wireless carrier’s voicemail line, or by dialing your own phone and escaping into voicemail. On my service, you do this by simply pressing # to interrupt your outgoing greeting and entering your password; then you can retrieve your voicemail. Worst case, someone could guess the default PIN in probably three tries or fewer.

Getting the PIN

If someone wants your PIN, they have six options:

1. Try a default (like 0000, 1234 or the last four digits of a phone number). While some users never change their voicemail password, some providers require you to define a new PIN when you set up your voicemail.

2. Guess it - My first guesses would be the phone’s number, 0000000, 1234567, and Jenny’s number (867-5309). Next, I would try the user’s birthday 1290, or 122190 – finding this type of information is what Facebook is for, right? If I was desperate, after that I would use patterns, like 147258, and 1397, or 112233. My guess is that this would cover a majority of voicemail PINs in use today.

3. Steal your phone – Some phones have the option to cache your voicemail PIN, potentially eliminating that bothersome step of actually entering a PIN every time you want to check voicemail (that PIN is soooo annoying, isn’t it?), so anyone holding the phone can get into voicemail without knowing the PIN.

4. Call the provider and talk them into resetting the voicemail PIN, giving the attacker the reset PIN. This locks the real user out of their voicemail, since their PIN has changed, and could go unnoticed until the user checks their voicemail. Resetting voicemail PINs relies on the providers being undisciplined, and falling for social engineering attacks. Providers are better than they used to be, but when done correctly social engineering can still be effective. Depending on the exact progress through an attack, the provider may require some additional form of verification, like the subscriber’s birthday and address, but, again, we have Facebook for help. Default PIN resets are usually going to be distributed to the device, or sent via account email, which reduces the chances of success. Compromising someone’s provider account to change settings, like the destination of the account email, is part of a more advanced attack.

5. Attackers can spoof phone numbers to help increase their chances of success. You can search them out if you wish, but spoof services and tools are easily available, despite the fact that they are normally used with nefarious intent. An attacker who could spoof your phone number would be able to dial your voicemail, pretending to be you. Calling in to your cellular provider, while showing your spoofed phone number, can help increase their chances of a successful social engineering attack. Spoofing phone numbers in the US was actually legal until passage of the 2010 Truth in Caller ID Act.

6. Bribery. Pay an employee at a cellular provider to provide you PINs and other account information. Money talks.

7. Okay. Technically, they have seven options since the legal authorities can get to your phone information with proper warrants and documentation. For purposes of our discussion we are going to assume that the police have not been involved in targeting you.

Keeping the PIN

Your best protection from voicemail hacking is to turn off voicemail if you don’t use it. Personally, my kids never listen to voicemail. If they don’t answer, I have to send them a text. Otherwise, your best options are:

1. Reset your PIN from the default.

2. Use a real PIN. Make your PIN more complex than just a sequence of numbers, and don’t use any of your phone number or street address in the sequence. One option is to think of the PIN as a password and spell it out as a number substitution. “vmail” becomes 86245, but work a little harder than that. Don’t use number substitution for your name either, and don’t type your phone number backwards. And, if you do have the option, don’t cache your voicemail password in your handset. I find it oddly disturbing that my provider’s support site has literally pages of people asking how to automate voicemail login.

3. Don’t let someone steal your phone. Set a good phone lock password, and use a remote wipe service. If your phone is stolen or lost, the chances are that you are NOT getting it back - so just forget that notion – wipe it and move on.

4. Protect your online account to help ensure that it is not compromised. That means doing all of those desktop security things (good passwords, anti-virus, anti-malware, browse smart, etc.) that security geeks always stress. Someone with account access could easily change your PIN at will. The only other option you have as a user is to periodically call your voicemail to ensure that your PIN has not changed. Some cellular providers support sending a text message if private information, such as your PIN, changes.

5. You have no protection that will stop an attacker from spoofing your cellular number, though you can reduce your problems by not caching your voicemail password.

6. Hmm. Unless you want to call your provider and volunteer to pay a higher rate so that they can make sure all of their employees are well compensated, you don’t really have any way to fight the bribed employee. You have to rely on the cellular company to do good employee screening and track employee activities.
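
The guesses listed under “Getting the PIN” can be checked mechanically before you settle on a PIN. The following Python is an added example, not part of the original column: the function names, the sample phone number and the MMDDYY birthday format are assumptions for illustration, and the pattern list holds only the keypad patterns the article names.

```python
# Added example: defensive PIN audit built from the article's list of guesses.
KEYPAD = {ch: d for d, letters in {"2": "abc", "3": "def", "4": "ghi", "5": "jkl",
          "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz"}.items() for ch in letters}
# Keypad walks the article names explicitly; extend with your own policy list.
ARTICLE_PATTERNS = {"147258", "1397", "112233"}

def keypad_digits(word):
    """Spell a word on a phone keypad, e.g. 'vmail' -> '86245'."""
    return "".join(KEYPAD.get(ch, "") for ch in word.lower())

def audit_pin(pin, phone, birthday_mmddyy="", words=()):
    """Return the reasons a voicemail PIN is guessable; an empty list means none found."""
    if not (pin.isdigit() and 4 <= len(pin) <= 7):
        return ["not a 4-7 digit PIN"]
    findings = []
    digits = "".join(ch for ch in phone if ch.isdigit())
    if len(set(pin)) == 1:
        findings.append("repeated digit")            # 0000, 1111, 0000000
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    if steps in ({1}, {9}):
        findings.append("counting sequence")         # 1234, 1234567, 4321
    if pin in ARTICLE_PATTERNS:
        findings.append("keypad pattern")
    if pin in digits or pin in digits[::-1]:
        findings.append("part of phone number")      # forwards or backwards
    b = birthday_mmddyy
    if b and pin in {b, b[:2] + b[4:], b[:4]}:       # MMDDYY, MMYY, MMDD
        findings.append("birthday")
    for w in words:                                  # names, "vmail", etc.
        k = keypad_digits(w)
        if len(k) >= 4 and (k in pin or pin in k):
            findings.append("keypad spelling of '%s'" % w)
    return findings

if __name__ == "__main__":
    # Constructed sample subscriber (555-01xx is a reserved fictional range).
    for pin in ["0000", "0142", "2410", "1290", "86245", "583906"]:
        print(pin, audit_pin(pin, "402-555-0142", "122190", ["vmail"]))
```

An empty result only means the PIN avoided these specific guesses; it says nothing about a cached PIN or a provider-side reset.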

Not Voicemail?

So, ultimately, what is the risk? The risk is that someone will listen to and/or delete your voicemail. Personally, I would not really call that “hacking”, and it certainly does not get pictures off the phone – no one stores pictures in their voicemail. This level of information was valuable for News of the World in the UK phone “hacking” scandals last year, since it seems like NOTW pretty much attacked voicemail for most if not all of their “scoops”.

The obvious question is, then, how do all these photos get released? “Publicity” seems like a pretty reasonable answer, but, in the real world, not everyone wants their pictures floating around. To get those pictures, you need access to the phone text messages, and more likely to the phone file system. In which case, you need to compromise the phone. To compromise your phone, someone needs to install software on it.

1. The most direct method is to get physical access to the phone and install spyware on it. If someone can get access to your unlocked phone they have the opportunity to install something malevolent that could make copies of information on the phone, including text messages and pictures. Obviously, keeping good physical control over your phone can go a long way towards defeating a physical attack.

2. Bluetooth attacks are also possible if the attacker is in reasonable proximity to your phone. While Bluetooth was designed to work at shorter ranges, testers have had success connecting at longer ranges of over 1000 feet. Some Bluetooth attacks require permission to connect by entering the Bluetooth access code on the target phone the first time the devices connect, so again, they require physical access, even if only for a few seconds. But some Bluetooth-based attacks, like Bluesnarfing, work without the target’s interaction. The good news is that you cannot be compromised through Bluetooth that you have turned off because you are not using it. As a side benefit, you will save battery life too.

3. Remote installation of software is possible if the user can be tricked into visiting a hostile website, or emailed/texted an evil attachment. We have already seen applications in both iTunes and Google Play that are downloaded as games or utilities, but have other, unwanted side effects. Seeing Android apps like screen savers or maps that want you to accept privileges that allow access to private phone information, including settings, full contact list, text messages, and stored files (including photos), should be a pretty good clue that something fishy is going on. Apps that included software like DroidDream have gathered and forwarded private information, and have already been found on both stores. You should be following your normal “App” security screening process by researching apps carefully, and actually reading all of the detail in the app’s permission request in Android.

Part of the point is that for an attack like this to be successful, the user has to participate by either giving up access to their phone, or by accepting the installation of software which allows someone else to steal information. Several companies now offer anti-malware solutions that run on smartphones, though there are other features in mobile security suites that may prove even more useful. Software that helps identify hostile or suspicious websites before the phone even gets infected can be even more valuable.

Then again, the easy answer is that people should just stop taking pictures of their naughty bits.

Jon-Louis Heimerl is Director of Strategic Security for Omaha-based Solutionary, Inc., a provider of managed security solutions, compliance and security measurement, and security consulting services. Mr. Heimerl has over 25 years of experience in security and security programs, and his background includes everything from writing device drivers in assembler to running a world-wide network operation center for the US Government. Mr. Heimerl has also performed commercial consulting for a variety of industries, including many Fortune 500 clients. Mr. Heimerl's consulting experience includes security assessments, security awareness training, policy development, physical intrusion tests and social engineering exercises.