
A Short History of Cell Phone Hacking

Phone hacking has been in the news lately, but just what happened and how can I protect myself?

The recent news scandal actually involved hacking into the voicemail of various individuals.  Cell phones or cellular signals were not directly compromised; rather it was the voicemail associated with the cell phone number that was breached.

Voicemail was introduced during the mid-1980s when users would dial a number to retrieve their messages.  Since cell phones had limited network coverage and short battery life, providers offered customers the ability to access messages remotely from another phone.  To do this, a customer would call the cell phone number or a generic remote access number and when connected to the voicemail service, press a key such as * or # and enter a personal identification number (PIN).

For many years these voicemail accounts were configured with a default four-digit PIN such as 1234, 0000 or 3333.  Customers were expected to change their PIN, but in practice very few really did. This presented unscrupulous individuals with the opportunity to simply call the number of the targeted individual and, if the target did not answer, the caller would enter the default PIN and “hack” into the target’s messages.

Today, voicemail hacking should not be quite that simple, but you may still be exposed.  Although many providers require changing the default password (which is often the cell phone, account, or other identifying number) as part of the initial voicemail activation process, they may also give you the option of not using a voicemail PIN, either when calling from your cell phone, or even at all.  This is simply not a good practice and can expose your voicemail to attackers.

If your cell phone allows you to access your voicemail without a password, one easy method of attack is to “spoof” the cell phone number.  Caller ID spoofing is the act of making a call appear to come from a phone number other than the actual number.  Since voicemail relies on the Caller ID system to verify the incoming number, spoofing can allow ready access by tricking the voicemail system.

Additionally, when setting a PIN, many people will use some portion of their date of birth (e.g., the year, month and day).  Anybody who somehow obtains this information or other pieces of demographic data such as address, perhaps through a social networking site, can then easily guess your voicemail PIN.

How to protect yourself from voicemail attacks

If you have never used it, find out what the remote access number is to your voicemail. Call the number – you should be asked for a PIN.  If you don’t know what your PIN is, search the internet to see if you can locate a default PIN for your cell phone provider or contact them to reset it.  If you enter the default, what happens?  You should also try entering a wrong PIN; some providers may send a text to your phone informing you of the attempted access.  You should also try this exercise by calling your cell phone from another number.  When you are asked to leave a voicemail press the * or # key and see what happens.  You may be brought to the voicemail menu of your cell phone and asked for a PIN.  Repeat the process of trying the default PIN, wrong PIN, etc.

To block these attacks, you need to ensure that a PIN is required to access your voicemail.  By doing this you prevent automatic access to your voicemail (as if you were ringing from your own cell phone).  Try not to pick a PIN as obvious as something involving your date of birth or that of a family member.  The customer service websites of cell phone operators should also be able to give you additional details on PIN security and their voicemail service.
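The weak PIN choices described above (provider defaults, digits from the phone number, dates of birth) can be checked mechanically before a PIN is set. The following is an added example, not part of the original tip; the function names, the extra repeated-digit and sequence checks, and the sample phone number and date are constructed for illustration.

```python
from datetime import date

# Default PINs named in the article; a provider's real defaults may differ.
DEFAULT_PINS = {"1234", "0000", "3333"}

def date_derived_pins(d: date) -> set:
    """Four-digit PINs commonly built from a date (year, month/day pairs)."""
    yy, mm, dd = f"{d.year % 100:02d}", f"{d.month:02d}", f"{d.day:02d}"
    return {f"{d.year:04d}", mm + dd, dd + mm, mm + yy, yy + mm, dd + yy, yy + dd}

def audit_pin(pin: str, phone_number: str, dates: list) -> list:
    """Return the reasons a voicemail PIN is guessable (empty list: none found)."""
    if not (pin.isascii() and pin.isdigit() and len(pin) >= 4):
        return ["PIN must be at least four digits"]
    reasons = []
    if pin in DEFAULT_PINS:
        reasons.append("well-known default PIN")
    if len(set(pin)) == 1:
        reasons.append("single repeated digit")
    # Difference between neighbouring digits, modulo 10: all 1 means ascending
    # (1234), all 9 means descending (9876).
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    if steps in ({1}, {9}):
        reasons.append("ascending or descending sequence")
    # Defaults are often taken from the phone or account number.
    digits = "".join(c for c in phone_number if c.isdigit())
    if pin in digits:
        reasons.append("taken from the phone number")
    # Dates of birth (your own or a family member's) are easy to look up.
    for d in dates:
        if pin in date_derived_pins(d):
            reasons.append(f"derived from date {d.isoformat()}")
    return reasons

if __name__ == "__main__":
    # Constructed sample data: fictional phone number and birth date.
    phone, birthdays = "555-0142", [date(1985, 7, 22)]
    for candidate in ("1234", "0000", "2207", "0142", "8316"):
        print(candidate, audit_pin(candidate, phone, birthdays) or "no obvious weakness")
```

An empty result only means the PIN avoids these specific patterns; it is still a short numeric secret, so the provider's lockout and alerting on wrong attempts remain important.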

Other tips for cell phone security

Additional best practices, for smartphones in particular, include using a password-prompted screen lock, which requires that you enter a pass code to get to the phone’s home screen.  Never store these passwords on your phone.

Be wary of text messages from unknown numbers, which can install malware and spyware onto your cell.  Examples of what such malware can do include gathering information that is transmitted through your phone as it goes from app to app.  Not only can this include information about your call history and messages, but also financial information if any mobile apps are linked to a credit or debit account.

Keep your apps and smartphone operating system up to date.  Do not “jailbreak” or “root” your phone as this removes protections against unauthorized apps.

Avoid using public Wi-Fi networks for online shopping, banking or accessing other sensitive information.  Likewise, avoid using public charging stations.  It can be nearly impossible to tell if a charging station is also accessing your phone’s data.  If unavoidable, one precaution is to power off your phone completely before connecting it to the charging station.

These practices, along with placing a PIN on your voicemail, will help in keeping you and your information safe and secure.


Posted: August 22, 2011