Newspaper hacks hacking? Not exactly

July 11, 2011
I'm not sure how much attention it is getting on the west side of the Atlantic, but here in the UK the allegations of illegal “hacking” of phones and other dubious “journalistic” practices by the soon-to-be-closed-down News of the World have had far-reaching consequences, not only on the victims and their families, but on the press in general and even the government.

The discovery that some of the snooping was aimed not just at politicians and celebrities (perhaps politicians are better described as notorieties than celebrities?), but at victims of murder and terrorism, has expanded the range of potential snooping targets somewhat dramatically. That may be the reason that people who aren't likely to be invited to any garden parties by the Queen or Rupert Murdoch are wondering how their phones can be hacked and what they can do to prevent it.

As David Rogers, who is much better acquainted with this particular area of (in)security than I am, has pointed out in several blog articles, this isn't really phone hacking at all: While there are ways of intercepting phone traffic and accessing individual models of phone, this particular scandal is largely focused on unauthorized access to voicemail.

Rogers has succinctly summarized it in one of his blog articles as involving a number of primary techniques:

· Sidestepping a voicemail PIN (personal identification number) by directing a social engineering attack against the phone service provider's call center, to con an operative into changing the victim's PIN.

· Calling a victim's voicemail and getting in with a default PIN or a PIN changed by the provider as described above.

· Ringing the victim's actual phone and getting into the voicemail menu.

· Other, more technically advanced attacks.

He goes into a lot more detail in another of his articles, and Sophos also persuaded him to blog on the subject for them, that article being more focused on the ways in which people can defend themselves against similar breaches. Which reminds me that my good friend Martin Overton pointed out that a pretty effective way of avoiding the problem is to disable voicemail/diverts: obviously, there are as many ways of doing this as there are providers.

In his longer article, Rogers includes a section on default PINs for voicemail access. As he points out, quite rightly, that's not much of a privacy measure since, in principle, it's shared between all customers. But I found the choices of PIN quite interesting for another reason: It so happens, I recently acquired some fairly extensive data on the most commonly used PINs in another context (Tip of the hat to Daniel Amitay). The PINs mentioned in the Rogers blog include codes ranked in Amitay's research as number 4 and number 19. Happily, two other codes he mentioned were ranked as number 134 and number 3,604. Of course, I'd hope that a provider wouldn't allow unlimited attempts to access voicemail, and in any case this part of the discussion is historical rather than current practice. Still, it doesn't inspire confidence.
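A defender-side sketch of the controls this paragraph and Rogers' list point to, added here as an example and not taken from Rogers, Amitay or any provider: a provider-issued PIN (default or call-center reset) cannot open the mailbox remotely until the subscriber replaces it, weak choices are refused, and failed attempts are capped. The class, the blocklist contents and the three-attempt limit are assumptions constructed for illustration.

```python
import hmac

# Constructed blocklist; a real deployment would load a measured list of common PINs.
COMMON_PINS = {"0000", "1111", "1234", "4321", "1212"}
MAX_FAILURES = 3  # assumed lockout threshold

def _same(a: str, b: str) -> bool:
    return hmac.compare_digest(a.encode(), b.encode())  # constant-time compare

def is_weak(pin: str) -> bool:
    """True for blocklisted, repeated-digit, or straight-run PINs."""
    if pin in COMMON_PINS or len(set(pin)) == 1:
        return True
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {9})  # ascending or descending run, e.g. 2345 / 9876

class VoicemailBox:
    def __init__(self, provider_pin: str):
        # A PIN issued by the provider is known to someone other than the
        # subscriber, so it is flagged until the subscriber replaces it.
        self._pin, self._provider_set, self._failures = provider_pin, True, 0

    def provider_reset(self, new_pin: str) -> None:
        """Call-center reset: the new PIN is again treated as provider-issued."""
        self._pin, self._provider_set, self._failures = new_pin, True, 0

    def subscriber_change(self, new_pin: str) -> bool:
        """Change made from the subscriber's own handset; rejects weak PINs."""
        well_formed = new_pin.isascii() and new_pin.isdigit() and len(new_pin) >= 4
        if not well_formed or is_weak(new_pin) or _same(new_pin, self._pin):
            return False
        self._pin, self._provider_set, self._failures = new_pin, False, 0
        return True

    def remote_access(self, attempt: str) -> str:
        """Access from a line other than the subscriber's own handset."""
        if self._failures >= MAX_FAILURES:
            return "locked"
        if self._provider_set:
            return "denied"  # default or reset PIN never opens the box remotely
        if _same(attempt, self._pin):
            self._failures = 0
            return "ok"
        self._failures += 1
        return "locked" if self._failures >= MAX_FAILURES else "wrong"
```

In this sketch a lockout is cleared only by a provider reset or a handset-side change, so a caller who talks the call center into a reset still ends up with a PIN that is refused for remote access.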

PIN selection and memorization strategy is a topic I'm doing further research on at the moment. You will be hearing more from me on that...
