Update: this article was the subject of an interview on Today FM’s Sunday Business Show this morning.
As the phone hacking trial continues in Britain, Technology.ie can exclusively reveal that voice mailboxes on at least two Irish mobile networks are vulnerable to hacking, and the hackers don’t even need to know your PIN.
Last week, The Register reported on an investigation of UK mobile networks’ susceptibility to Caller ID Spoofing as a means of gaining unauthorised access to private voice mailboxes. The Leveson Inquiry in Britain revealed that many users had been vulnerable simply because they had not changed the default PIN supplied with their voicemail, but The Register’s Simon Rockman discovered that, even if you lock the door by choosing a PIN, some networks simply “leave the keys under a flower pot”.
So how do you gain access to voicemail without using a PIN? It’s obvious! We do it every day, when we check voicemail from our phones. We dial 171, the network checks the calling number to see who’s calling, and then connects the user with his or her own mailbox. You can also call the specific ‘long’ mailbox number, i.e. by inserting a 5 after the (08x) prefix and then the remaining digits of your phone number. This is often required when roaming – but it can also be used to call from any phone.
Calling the long form of the mailbox number from a different phone should require a PIN and, provided the user has selected a suitable PIN, the mailbox will be secure. However, many networks do not prompt for a PIN if the long form mailbox number is called from the user’s own phone. This is what led Simon Rockman to speculate about what might happen if someone called a mailbox using a spoofed Caller ID to pretend to be the user’s own phone.
The Register investigation revealed two UK networks which allowed access to a user’s voicemail for a VOIP phone masquerading as the user’s own phone by spoofing the Caller ID. The only piece of data required was the user’s phone number.
One of the UK networks, EE, has since closed the vulnerability. The other network, Three, advises customers to change their mailbox settings so that a PIN is mandated for all connections, whether from the user’s own phone or not.
So what about Ireland? We decided to find out. I set up a VOIP phone to transmit a Caller ID matching my phone, and then dialed my voice mailbox using the VOIP phone. I was astonished to find that I got straight through to my private voicemail, without being asked for the PIN. Anyone who knows my number could do the same.
Working with friends who are customers of other networks, we’ve tested three networks so far. For legal and ethical reasons, each person accessed their own mailbox. As the registered users of the phone numbers concerned, we were also justified in using them for caller ID: this is an accepted practice in telephony, especially VOIP.
So what did we find? Two out of three ain’t good. Only one of the three networks prompted us for a PIN. The other two accepted our Caller ID at face value and connected us to voicemail. That was fine in these legitimate circumstances, but how was the network to know we weren’t bogus? The only data we supplied was our phone numbers. We could have been anyone.
We’re not going to name the networks involved at this stage. We haven’t had a chance to contact them for comment. Neither will we identify which VOIP provider we used. It is illegal to specify a number as a Caller ID unless the number belongs to you. Most VOIP providers will insist that you provide some kind of verification that you are entitled to use a number as Caller ID.
We’re not revealing any new “zero day” exploit here either. Caller ID Spoofing as a means to hack voicemail has been documented for several years, and concerns have already been raised about it in an Irish context. There is no excuse for networks continuing to allow unauthenticated access to voicemail from outside networks on the basis of Caller ID alone.
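The difference between the behaviour we observed and the fix argued for above can be written as a PIN-prompt decision. This is an added sketch, not any network's actual code: the `Call` fields, the `ingress` values and the phone numbers are assumptions made for illustration, and it assumes the voicemail platform can tell whether a call originated on the operator's own network or arrived from outside.

```python
from dataclasses import dataclass

OWNER = "08X-555-0001"   # constructed subscriber number
OTHER = "08X-555-0002"   # constructed unrelated number

@dataclass(frozen=True)
class Call:
    label: str
    caller_id: str            # number presented by the caller; not proof of identity
    mailbox_owner: str        # subscriber whose mailbox was dialled
    ingress: str              # "on_net" or "interconnect" (assumed known to the platform)
    always_pin: bool = False  # subscriber setting: PIN mandated for all connections

def weak_pin_required(call: Call) -> bool:
    """Behaviour the article describes: a matching Caller ID skips the PIN."""
    if call.always_pin:
        return True
    return call.caller_id != call.mailbox_owner

def hardened_pin_required(call: Call) -> bool:
    """Skip the PIN only when the matching Caller ID arrived on the operator's own network."""
    if call.always_pin:
        return True
    trusted = call.ingress == "on_net" and call.caller_id == call.mailbox_owner
    return not trusted

# Constructed sample calls, not captured traffic.
SAMPLE_CALLS = [
    Call("own handset on home network", OWNER, OWNER, "on_net"),
    Call("matching caller ID from outside network", OWNER, OWNER, "interconnect"),
    Call("different phone", OTHER, OWNER, "interconnect"),
    Call("matching caller ID, PIN-always enabled", OWNER, OWNER, "interconnect", True),
]

def policy_gaps(calls):
    """Calls the weak policy lets through without a PIN but the hardened one challenges."""
    return [c.label for c in calls
            if not weak_pin_required(c) and hardened_pin_required(c)]

if __name__ == "__main__":
    for c in SAMPLE_CALLS:
        print(f"{c.label:45} weak_pin={weak_pin_required(c)!s:5} "
              f"hardened_pin={hardened_pin_required(c)}")
    print("gaps:", policy_gaps(SAMPLE_CALLS))
```

Under the hardened rule a subscriber calling the long mailbox number while roaming is prompted for the PIN, because that call also arrives from another network.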
You can hear a discussion of this story in an interview I did with Today FM’s Conall Ó Móráin, on The Sunday Business Show this morning.