How I (Easily) Hacked Into Voice Mail
Monday, July 18, 2011
First, I hacked my own voice mail. Then, when colleagues came around to see, several volunteered their phones, too.
With a few clicks of a mouse, we accessed our mobile phone voice mails from a desktop computer. No password needed. No cellphone needed.
It was surprisingly easy.
The alleged phone hacking at the heart of the scandal at the now-defunct News of the World tabloid can be performed here in the U.S. — and easily.
It works because some voice mail systems allow you to hear your messages without a password when you're calling from your own phone. The system knows you're calling from your own phone based on your caller ID number.
But there are several online services which, for a small fee, allow you to "spoof" — or fake — a caller ID number. Just $10 gets you access to this trickery, and to clear access to voice mail messages.
I first heard about the technique this morning, in a tweet by Christopher Soghoian, a graduate fellow at the Center for Applied Cybersecurity Research at Indiana University. Within an hour, I'd hacked my own phone.
Our WNYC experiment was not a scientific study — and, again, we accessed only our own cell phone accounts — but we tried two AT&T accounts, two Sprint accounts, two T-Mobile accounts and two Verizon accounts. Once we figured out the technique, we had easy access to voice mail messages in both AT&T accounts and one of the Sprint ones. We couldn't get into those of the T-Mobile and Verizon phones.
The Password Issue
You probably have a password for your voice mail account, which you use to access your messages remotely.
But AT&T spokesman Mark Siegel said that for convenience, AT&T customers "also have the option of not entering your password when accessing your voice mail from your mobile phone."
That's certainly true for my AT&T iPhone. Siegel said for the best security, AT&T recommends customers change their settings to require a password even when checking voicemail from their own phone, which people can do by logging into their account on the AT&T website.
Having that functionality definitely blocked our "spoofing" access to several accounts — though together, one of our newsroom staffers and I were able to access her AT&T account even though her phone requires a password every time she checks her voice mail.
A spokeswoman for Verizon Wireless said the company's customers must enter a password every time they check voice mail, from any phone. That seemed to be why we couldn't access those phones. A spokesman for Sprint said it offers customers the option of disabling their access password, and warns them that doing so can make their account vulnerable.
Is This Legal?
Spoofing caller IDs does not, in itself, appear to be illegal. There are actually several services that use this technique to legitimately offer people an alternative telephone number.
But under the Truth in Caller ID Act of 2009, it's clearly not legal if you're faking a caller ID "with the intent to defraud, cause harm, or wrongfully obtain anything of value."
Steps You Can Take
First, you can set up your phone to require a password every time, even when checking from your own phone.
But quick access to your messages is pretty convenient. Our in-office experiments suggest another way to help protect yourself is to delete (not just skip) messages you've already heard. That way there's nothing to listen to.
And here's a big red flag: A missed call that looks like it's from your own phone number. That was a byproduct of the trick we used — and a clear sign of our "hacking."
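The two warning signs described above, a mailbox that opens on caller ID alone and a missed call that appears to come from your own number, can be checked mechanically against a call log. The Python below is an added example, not part of the original article or any carrier's software; the record layout, field names and phone numbers are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class VoicemailEvent:
    """Hypothetical log record; field names are assumptions, not a carrier format."""
    kind: str          # "missed_call" or "mailbox_access"
    caller_id: str     # number presented by the caller (unverified, can be faked)
    mailbox: str       # subscriber number that owns the mailbox
    pin_entered: bool  # True if the caller typed the voice mail password

def normalize(number: str) -> str:
    """Keep digits only and drop a leading US country code so formats compare equal."""
    digits = "".join(ch for ch in number if ch.isdigit())
    return digits[1:] if len(digits) == 11 and digits.startswith("1") else digits

def review(events):
    """Return (event, reason) pairs worth a subscriber's attention."""
    findings = []
    for ev in events:
        own_number = normalize(ev.caller_id) == normalize(ev.mailbox)
        if ev.kind == "missed_call" and own_number:
            findings.append((ev, "missed call appears to come from the subscriber's own number"))
        elif ev.kind == "mailbox_access" and own_number and not ev.pin_entered:
            findings.append((ev, "mailbox opened on caller ID alone, no password entered"))
    return findings

def password_always_required(events) -> bool:
    """True when no mailbox access in the log skipped the password."""
    return all(ev.pin_entered for ev in events if ev.kind == "mailbox_access")

# Constructed sample data (555 numbers are fictional).
SAMPLE = [
    VoicemailEvent("missed_call", "+1 (212) 555-0100", "212-555-0100", False),
    VoicemailEvent("mailbox_access", "2125550100", "212-555-0100", False),
    VoicemailEvent("mailbox_access", "2125550100", "212-555-0100", True),
    VoicemailEvent("missed_call", "6465550199", "212-555-0100", False),
    VoicemailEvent("mailbox_access", "6465550199", "2125550100", True),
]

if __name__ == "__main__":
    for ev, reason in review(SAMPLE):
        print(f"{ev.kind} from {ev.caller_id}: {reason}")
    print("password always required:", password_always_required(SAMPLE))
```

An account set to require the password on every call, the first step recommended above, would never produce the second kind of finding.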