How I (Easily) Hacked Into Voice Mail

Monday, July 18, 2011

First, I hacked my own voice mail. Then, when colleagues came around to see, several volunteered their phones, too.

With a few clicks of a mouse, we accessed our mobile phone voice mails from a desktop computer. No password needed. No cellphone needed.

It was surprisingly easy.

The alleged phone hacking at the heart of the scandal at the now-defunct News of the World tabloid can be performed here in the U.S. — and easily. 

It works because some voice mail systems allow you to hear your messages without a password when you're calling from your own phone. The system knows you're calling from your own phone based on your caller ID number.

But there are several online services which, for a small fee, allow you to "spoof" — or fake — a caller ID number. Just $10 gets you access to this trickery, and to clear access to voice mail messages.

I first heard about the technique this morning, in a tweet by Christopher Soghoian, a graduate fellow at the Center for Applied Cybersecurity Research at Indiana University. Within an hour, I'd hacked my own phone.

Our WNYC experiment was not a scientific study — and, again, we accessed only our own cell phone accounts — but we tried two AT&T accounts, two Sprint accounts, two T-Mobile accounts and two Verizon accounts. Once we figured out the technique, we had easy access to voice mail messages in both AT&T accounts and one of the Sprint ones. We couldn't get into those of the T-Mobile and Verizon phones.

The Password Issue

You probably have a password for your voice mail account, which you use to access your messages remotely.

But AT&T spokesman Mark Siegel said that for convenience, AT&T customers "also have the option of not entering your password when accessing your voice mail from your mobile phone."

That's certainly true for my AT&T iPhone. Siegel said for the best security, AT&T recommends customers change their settings to require a password even when checking voicemail from their own phone, which people can do by logging into their account on the AT&T website.

Having that functionality definitely blocked our "spoofing" access to several accounts — though together, one of our newsroom staffers and I were able to access her AT&T account even though her phone requires a password every time she checks her voice mail.

A spokeswoman for Verizon Wireless said the company's customers must enter a password every time they check voice mail, from any phone. That seemed to be why we couldn't access those phones. A spokesman for Sprint said it offers customers the option of disabling their access password, and warns them that doing so can make their account vulnerable.

Is This Legal?

Spoofing caller IDs does not, in itself, appear to be illegal. There are actually several services that use this technique to legitimately offer people an alternative telephone number.

But, under the Truth in Caller ID Act of 2009 it's clearly not legal if you're faking a caller ID "with the intent to defraud, cause harm, or wrongfully obtain anything of value."

Steps You Can Take

First, you can set up your phone to require a password every time, even when checking from your own phone.

But quick access to your messages is pretty convenient. Our in-office experiments suggest another way to help protect yourself is to delete (not just skip) messages you've already heard. That way there's nothing to listen to.

And here's a big red flag: A missed call that looks like it's from your own phone number. That was a byproduct of the trick we used — and a clear sign of our "hacking."
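The access decision described above can be modeled in a few lines. This is an added example, not code from WNYC or any carrier: it treats caller ID as an unverified claim and shows what the skip-password setting lets through compared with requiring a password on every call. The class and function names, phone numbers and PINs are all constructed for illustration, and the weak-PIN list follows a reader comment on this page.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

@dataclass
class Mailbox:
    number: str                      # subscriber's number (constructed sample value)
    pin: str
    skip_pin_from_own_number: bool   # the convenience option the article describes

@dataclass
class Call:
    presented_caller_id: str   # all the voice mail system sees; supplied by the calling side
    true_origin: str           # ground truth, invisible to the voice mail system
    pin_entered: Optional[str] = None

def access_basis(box: Mailbox, call: Call) -> Optional[str]:
    """Return why access was granted ("caller-id" or "pin"), or None if refused."""
    if box.skip_pin_from_own_number and call.presented_caller_id == box.number:
        return "caller-id"     # no proof of identity was ever checked
    if call.pin_entered is not None and hmac.compare_digest(call.pin_entered, box.pin):
        return "pin"
    return None

def is_weak_pin(box: Mailbox) -> bool:
    """PINs a reader comment on this page calls as bad as having none."""
    return box.pin in {"0000", "1234"} or box.pin == box.number[-4:]

def unauthenticated_grants(box: Mailbox, calls: list) -> list:
    """Calls let in on caller ID alone that did not come from the subscriber's phone."""
    return [c for c in calls
            if access_basis(box, c) == "caller-id" and c.true_origin != box.number]

OWNER = "+12125550100"   # constructed; 555-01xx numbers are reserved for fiction
SAMPLE_CALLS = [
    Call(OWNER, OWNER, "8426"),                     # owner on own handset
    Call(OWNER, "+12125550199"),                    # other line presenting owner's number
    Call("+12125550199", "+12125550199", "0000"),   # other line guessing a PIN
]

if __name__ == "__main__":
    for skip in (True, False):
        box = Mailbox(OWNER, "8426", skip)
        print("skip PIN:", skip, [access_basis(box, c) for c in SAMPLE_CALLS],
              "exposed calls:", len(unauthenticated_grants(box, SAMPLE_CALLS)))
```

With the convenience setting on, the second call is indistinguishable from the first as far as the mailbox can tell; with it off, only the caller who knows the PIN gets in.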

Comments [11]

JDD from Nashville, TN

Is there a possibility that there could have been a voice mail left on a phone which says it's from one number but there is no possible way it could have been from that number? My boyfriend got a voice mail that says it's from my phone number, but it is a male's voice and I have no clue who it is and I know for a fact my phone was in my hand at that moment. I know it may sound crazy but I'm looking for some sort of explanation.

Sep. 07 2013 11:00 AM
DMaybach from Santa Monica, CA

@ Lady DEE from boston: Sorry to hear about your loss. Here http://deciphertools.com

Jun. 27 2013 07:27 PM
Lady DEE from boston

My phone is broken (screen all black) and full (150 msgs) from my recently deceased boyfriend. I need those v/m's. So how exactly can this be done from a computer?
PLEASE HELP!!!!

Mar. 24 2013 11:23 AM
JOHN SMITH

Someone keeps accessing my AT&T cell phone accounts. HOW CAN I FIND OUT WHO IT IS?

Mar. 20 2012 10:42 PM
kathy from Beachwood,n.j.

I recently had my home & cell phone hacked by someone I took to court; they deleted only their calls & messages as if they never existed. How do I retrieve those messages? I still had messages going back 9 months ago from other people that are still there. Please tell me how as I was threatened & can't prove it now.

Jan. 14 2012 02:20 PM
EF Slattery from New York

Much as I love all things WNYC, I find this story falls well short of both the station's and NPR's usual journalistic standards and levels of analysis. The News of the World hacking story is so huge that focusing on the mechanics of how to hack seems petty--something I'd expect Gawker or NY Magazine to run, not WNYC.

If the point is that it's incredibly easy to hack voicemail, that's not news. If the point was to find a local angle, surely the more newsworthy story was to what degree 9/11 victims' voicemails were hacked. Either way, it seems like a pointlessly hipster angle ("Hacking Is So Easy, Even I Did It") to take on a story that offers dozens of other, and arguably more valuable, opportunities for analysis.

Jul. 19 2011 09:04 AM
dcept905 from 192.168.0.1

To get your wireless provider's voicemail dial-in number simply go to your voicemail settings on your phone. For Android phones:
settings -> Call settings -> Voicemail settings
For a different phone OS either poke around in the menus or check your manual. The number that is listed should not be your personal cell #. Take note of this number (it will vary by provider and each provider will have different numbers for different areas, so you'll have to check at least 1 phone's settings from each provider to get the appropriate dial-in #s). If you now call the AT&T VM number while spoofing your personal AT&T phone number you should get the same access as before, but without ringing your phone.

Also, somebody asked if they were vulnerable to this because their provider sends VMs directly to their phone. I'm going to assume that you were talking about a vm-to-text type service where your VM is converted to text and sent to you via SMS. The fact is that this service can function regardless of whether you have your voicemail set to prompt you for a pwd from your phone or not. You still have the ability to actually call and listen to your messages (press and hold 1) despite getting them as a text message. As the two are unrelated, you still need to make sure you enable this feature to be protected. To find out if it is enabled call your voicemail # from your phone. If it asks you for a password, you're good. If it just starts playing messages, you need to enable the feature. Also, make sure your password isn't 0000, 1234 or the last 4 digits of your phone #. Those passwords are just as bad as not having one at all.

Cheers!

Jul. 18 2011 07:42 PM
dcept905 from 127.0.0.1

For what it's worth, there are direct dial-in numbers to wireless voicemail services. If you have these numbers and spoof your caller ID you can not only get access to the messages, BUT the victim's phone will also not ring, and not show a missed call. Do not rely strictly on this to indicate that you've been hacked!

Jul. 18 2011 07:07 PM
will from ct

This has been around for years.
I even wrote about it 6 years after I found out about it.

http://www.whatsmypass.com/bypass-iphone-voicemail-password

Jul. 18 2011 07:05 PM
PeaceLove from Bay Area, CA

On my Verizon Droid, I don't have to enter a password when I use the Visual Voice Mail. It just downloads the messages automatically to the phone. Is that still relatively hackproof?

Jul. 18 2011 07:01 PM
Susanna Speier

Wow!

Jul. 18 2011 06:23 PM
