Lawmaker urges Sprint, T-Moble to bolster voicemail security

Share this article:
Sen. Barbara Boxer is urging that telecommunications companies Sprint Nextel and T-Mobile improve voicemail security in light of the ongoing U.K. scandal accusing Rupert Murdoch's media empire of phone hacking.

Boxer, D-Calif., on Thursday sent letters to the CEOs of Sprint and T-Mobile asking that immediate action be taken to fix what she called a “serious” vulnerability that could be leveraged by an attacker to gain access to users' voicemail accounts.

In the U.K., reporters at Murdoch's now-defunct News of the World stand accused of employing people to break into the voicemails of thousands of people. Citing security experts, Boxer said that both Sprint and T-Mobile users are vulnerable to similar attacks because the companies do not require customers to enter a personal identification number (PIN) when accessing voicemail from their own phone.

By spoofing the caller ID information using freely available tools, an attacker can make it appear as if they are calling from a victim's phone, allowing them to access voicemail without being prompted for a PIN, Boxer said.

“Right now, the voicemail accounts of Sprint customers are at risk of being hacked because of your company's security policies,” Boxer wrote in her letter to Sprint CEO Dan Hesse.

When Sprint users first establish service, they are required to select whether they wish to enable a PIN bypass option, Boxer said.

Sprint, in a statement sent to SCMagazineUS.com on Thursday, said its default voicemail setting does require customers to use a passcode for accessing voicemail messages.

“We strongly encourage the customer to continue using the passcode,” Sprint said in its statement.  “If the customer chooses to skip the passcode, they are warned with strong language that the voicemail account will be vulnerable to unauthorized access.”

In her letter, Boxer acknowledged that the company recommends against bypassing the PIN, but said customers are not warned about voicemail-hacking techniques.

In contrast, Boxer said, Verizon Wireless always requires subscribers to enter a PIN to access their voicemail. Too, AT&T recently announced that it would change its default settings for new subscribers, requiring them to enter a PIN.  

A representative from T-Mobile did not immediately have a comment when contacted by SCMagazineUS.com on Thursday.

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

More in News

LEADS Act addresses gov't procedure for requesting data stored abroad

LEADS Act addresses gov't procedure for requesting data ...

Senators introduced the legislation last week as a means of amending the Electronic Communications Privacy Act (ECPA).

Report: Intrustion prevention systems made a comeback in 2013

Report: Intrustion prevention systems made a comeback in ...

A new report indicates that intrusion prevention systems grew 4.2 percent in 2013, with growth predicted to continue.

Mobile device security sacrificed for productivity, study says

Mobile device security sacrificed for productivity, study says

A Ponemon Institute study, sponsored by Raytheon, revealed that employees increasingly use mobile devices for work but cut corners and circumvent security.