Lawmaker urges Sprint, T-Moble to bolster voicemail security

Share this article:
Sen. Barbara Boxer is urging that telecommunications companies Sprint Nextel and T-Mobile improve voicemail security in light of the ongoing U.K. scandal accusing Rupert Murdoch's media empire of phone hacking.

Boxer, D-Calif., on Thursday sent letters to the CEOs of Sprint and T-Mobile asking that immediate action be taken to fix what she called a “serious” vulnerability that could be leveraged by an attacker to gain access to users' voicemail accounts.

In the U.K., reporters at Murdoch's now-defunct News of the World stand accused of employing people to break into the voicemails of thousands of people. Citing security experts, Boxer said that both Sprint and T-Mobile users are vulnerable to similar attacks because the companies do not require customers to enter a personal identification number (PIN) when accessing voicemail from their own phone.

By spoofing the caller ID information using freely available tools, an attacker can make it appear as if they are calling from a victim's phone, allowing them to access voicemail without being prompted for a PIN, Boxer said.

“Right now, the voicemail accounts of Sprint customers are at risk of being hacked because of your company's security policies,” Boxer wrote in her letter to Sprint CEO Dan Hesse.

When Sprint users first establish service, they are required to select whether they wish to enable a PIN bypass option, Boxer said.

Sprint, in a statement sent to SCMagazineUS.com on Thursday, said its default voicemail setting does require customers to use a passcode for accessing voicemail messages.

“We strongly encourage the customer to continue using the passcode,” Sprint said in its statement.  “If the customer chooses to skip the passcode, they are warned with strong language that the voicemail account will be vulnerable to unauthorized access.”

In her letter, Boxer acknowledged that the company recommends against bypassing the PIN, but said customers are not warned about voicemail-hacking techniques.

In contrast, Boxer said, Verizon Wireless always requires subscribers to enter a PIN to access their voicemail. Too, AT&T recently announced that it would change its default settings for new subscribers, requiring them to enter a PIN.  

A representative from T-Mobile did not immediately have a comment when contacted by SCMagazineUS.com on Thursday.

Share this article:

Sign up to our newsletters

More in News

Report: SQL injection a pervasive threat, behavioral analysis needed

Report: SQL injection a pervasive threat, behavioral analysis ...

Long lag times between detection and resolution and reliance on traditional methods impair an organization's ability to combat SQL injection attacks.

WhatsApp bug allows for interception of shared locations

Researchers identified a vulnerability in WhatsApp that could enable an attacker to intercept shared locations using a man-in-the-middle attack, or a rogue access point.

Google tweaks its terms of service for clarity on Gmail scanning

The company is currently dealing with a lawsuit that challenges its email scanning practices.