Lawmaker urges Sprint, T-Moble to bolster voicemail security
Boxer, D-Calif., on Thursday sent letters to the CEOs of Sprint and T-Mobile asking that immediate action be taken to fix what she called a “serious” vulnerability that could be leveraged by an attacker to gain access to users' voicemail accounts.
In the U.K., reporters at Murdoch's now-defunct News of the World stand accused of employing people to break into the voicemails of thousands of people. Citing security experts, Boxer said that both Sprint and T-Mobile users are vulnerable to similar attacks because the companies do not require customers to enter a personal identification number (PIN) when accessing voicemail from their own phone.
By spoofing the caller ID information using freely available tools, an attacker can make it appear as if they are calling from a victim's phone, allowing them to access voicemail without being prompted for a PIN, Boxer said.
“Right now, the voicemail accounts of Sprint customers are at risk of being hacked because of your company's security policies,” Boxer wrote in her letter to Sprint CEO Dan Hesse.
When Sprint users first establish service, they are required to select whether they wish to enable a PIN bypass option, Boxer said.
Sprint, in a statement sent to SCMagazineUS.com on Thursday, said its default voicemail setting does require customers to use a passcode for accessing voicemail messages.
“We strongly encourage the customer to continue using the passcode,” Sprint said in its statement. “If the customer chooses to skip the passcode, they are warned with strong language that the voicemail account will be vulnerable to unauthorized access.”
In her letter, Boxer acknowledged that the company recommends against bypassing the PIN, but said customers are not warned about voicemail-hacking techniques.
In contrast, Boxer said, Verizon Wireless always requires subscribers to enter a PIN to access their voicemail. Too, AT&T recently announced that it would change its default settings for new subscribers, requiring them to enter a PIN.
A representative from T-Mobile did not immediately have a comment when contacted by SCMagazineUS.com on Thursday.