Lawmaker urges Sprint, T-Mobile to bolster voicemail security

Sen. Barbara Boxer is urging telecommunications companies Sprint Nextel and T-Mobile to improve voicemail security in light of the ongoing U.K. scandal in which Rupert Murdoch's media empire is accused of phone hacking.

Boxer, D-Calif., on Thursday sent letters to the CEOs of Sprint and T-Mobile asking that immediate action be taken to fix what she called a “serious” vulnerability that could be leveraged by an attacker to gain access to users' voicemail accounts.

In the U.K., reporters at Murdoch's now-defunct News of the World stand accused of employing people to break into the voicemails of thousands of people. Citing security experts, Boxer said that both Sprint and T-Mobile users are vulnerable to similar attacks because the companies do not require customers to enter a personal identification number (PIN) when accessing voicemail from their own phone.

By spoofing the caller ID information using freely available tools, an attacker can make it appear as if they are calling from a victim's phone, allowing them to access voicemail without being prompted for a PIN, Boxer said.

“Right now, the voicemail accounts of Sprint customers are at risk of being hacked because of your company's security policies,” Boxer wrote in her letter to Sprint CEO Dan Hesse.

When Sprint users first establish service, they are required to select whether they wish to enable a PIN bypass option, Boxer said.

Sprint, in a statement sent to SCMagazineUS.com on Thursday, said its default voicemail setting does require customers to use a passcode for accessing voicemail messages.

“We strongly encourage the customer to continue using the passcode,” Sprint said in its statement.  “If the customer chooses to skip the passcode, they are warned with strong language that the voicemail account will be vulnerable to unauthorized access.”

In her letter, Boxer acknowledged that the company recommends against bypassing the PIN, but said customers are not warned about voicemail-hacking techniques.

In contrast, Boxer said, Verizon Wireless always requires subscribers to enter a PIN to access their voicemail. AT&T also recently announced that it would change its default settings for new subscribers, requiring them to enter a PIN.

A representative from T-Mobile did not immediately have a comment when contacted by SCMagazineUS.com on Thursday.
