THIS STORY HAS BEEN FORMATTED FOR EASY PRINTING

Most cellphone voice mail is vulnerable to hackers

Online services guide the way

By Hiawatha Bray
Globe Staff / July 13, 2011

E-mail this article

Invalid E-mail address
Invalid E-mail address

Sending your article

Your article has been sent.

Text size +

Breaking into someone’s voice mailbox - in the style of the hackers at the British tabloid News of the World - can be as easy in the United States as it is on the other side of the Atlantic.

It is done using a readily available online service known as “caller ID spoofing,’’ which can make a call appear to be coming from any phone number. Hackers can use it to access someone else’s voice mail messages by fooling the system into thinking the call is coming from the owner’s cellphone.

If the mailbox is not protected by a password, as is often the case, the attacker can hear and even delete messages in the target’s voice mailbox.

There are numerous spoofing services in the United States; all you need to do is Google them. Although these services are used by hackers to commit crimes, they’re also used legitimately by, for example, battered women who do not want their calls traced, or law enforcement agents operating undercover.

Three of the four major US cellphone carriers - AT&T, T- Mobile, and Sprint - do not require customers who call voice mail on their own phones to use a password to listen to messages, making them vulnerable to malicious spoofers. That is a serious shortcoming, said Meir Cohen, president of Teltech Systems Inc., a caller ID spoofing company in Toms River, N.J., who is aware of how easily the service he provides can be misused.

“They should require a password every time a customer calls in to check their voice mail,’’ Cohen said, adding that unless every cellphone company makes voice mail passwords mandatory at all times, they’re giving customers “a false sense of security.’’

Verizon Wireless is the only major carrier to require all customers to use passwords to check voice mail messages. A password “must be entered every time by the customer, from any phone, to check voice mail,’’ said company spokesman Michael Murphy in an e-mail.

As a result, a spoofer wouldn’t be able to access the voice mail of any Verizon Wireless customer unless he managed to steal or guess the user’s password.

Congress considered a ban on caller ID spoofing in 2006, but last year President Obama signed a less-stringent measure that bars the practice only when it’s done “with the intent to defraud, cause harm, or wrongfully obtain anything of value.’’

Officials from both AT&T and T-Mobile say they are aware that their voice mail systems are vulnerable to malicious spoofers. They encourage customers, even when calling from their own phones, to protect their voice mailboxes with passwords. (AT&T has proposed a $39 billion acquisition of T-Mobile that is awaiting regulatory approval.)

Asked whether the British phone hacking scandal might prompt his company to upgrade voice mail security, AT&T spokesman Mark Siegel replied, “We feel good about the measures we have.’’

By default, AT&T and T-Mobile customers can access voice mail from their own phones without using a password. On Sprint, customers have the option of turning off password protection when calling from their own phones.

A Globe reporter successfully used caller ID spoofing to get into his own voice mail messages and those of two colleagues, one with an AT&T phone and another who subscribes to Sprint. The Sprint subscriber had turned off the password protection. Both colleagues gave advance permission for the test.

To make a spoof call, you go to one of the Web-based spoof services, type in your actual phone number, the number you want to call, and the number you want to appear on the target’s caller ID. Hit enter, and the website calls your phone. On the other end of the line, the number you chose shows up on the caller ID.

Spoofing services generally charge by the minute; for example, one service charges $9 for 90 minutes of talk time.

The News of the World, the 168-year-old British newspaper owned by media mogul Rupert Murdoch’s News Corp., has been accused of rampant hacking into the voice mail services of celebrities, relatives of dead soldiers, and a 13-year-old murder victim. Two staffers were sentenced to jail terms in 2007 over hacking charges. More recently, it’s been estimated that the newspaper may have hacked into the voice mail messages of 4,000 people, including police officials.

Those accusations, along with charges that reporters paid police sources for information, led to a decision to shut down the newspaper last weekend. The scandal may have also scuttled Murdoch’s $12 billion bid to take over the satellite broadcaster British Sky Broadcasting.

It’s unsure how many methods News of the World reporters used to hack voice mail, but one possibility is spoofing, which has been used to commit crimes both petty and serious.

In 2009, police in Queens, N.Y., broke up a fraud ring that reportedly used caller ID spoofing to deceive workers at several banks. The criminals stole $15 million by making their calls appear to come from real customers of the bank, and persuading employees to send them new credit cards. And spoofing can be used for other kinds of mischief; for example, the celebrity Paris Hilton supposedly used it to break into starlet Lindsay Lohan’s voice mail in 2006, according to various media reports.

At least one spoofing service has a feature meant to block hackers from breaking into voice mailboxes. The service will not place any call that appears to be a cellphone user calling from their own phone.

John Walls, vice president of public affairs at CTIA, the cellular industry’s trade association, said other spoofing services should do more to block hackers.

Kevin Mitnick, who spent time in prison for hacking phones and computers, and now runs a security consulting business, said some cellphone companies don’t require passwords because it makes using voice mail more difficult. “Mobile operators focus on customer convenience,’’ said Mitnick. “They now have to focus on security,’’ he said.

Hiawatha Bray can be reached at bray@globe.com.

Related

Get Adobe Flash player