Alan Brill, Kroll Ontrack
Alan Brill, Kroll Ontrack

In the past few weeks, there has been a tremendous amount of news coverage of alleged voicemail hacking in both England and the United States by reporters and associates purportedly helping them gather information for stories.

Make no mistake about it, the accusations are quite serious. The alleged hackers caused great harm to their victims and what they did should be investigated by the authorities.

But one important element that appears to have fallen through the cracks is how they did it. How could it be so easy to access so many people's voicemail systems? Don't these systems provide strong security to prevent people from gaining inappropriate access to someone else's messages?

While there are variations between voicemail systems, the overall consensus is that security is very limited.

In virtually every case, the only thing preventing unwanted access to your personal messages is a simple passcode entered from a telephone keypad. You call your number, enter a code that indicates you want to access your mailbox (often as simple as a push of the “#” or “*” key) and hear a voice ask you to enter your password.

While some systems may prevent you from choosing passwords that are easy to guess (the most vulnerable being codes like 0000, 1111, 2222, 1234, or codes based on information that is publicly available, e.g., a person's birthday or year), many people sacrifice safety for convenience anyway by electing to use simple passwords that make their mailboxes extremely easy to hack.

“But,” you say, “shouldn't you be able to tell that someone is listening to your voicemail?” After all, wouldn't you eventually figure out that something is amiss when you discover old messages in your mailbox about which you were never notified? Or surely you would raise a red flag after your colleague asks why you never replied to a voicemail.

Of course, these are all fair questions. But the reality is that most systems allow you to listen to your messages without requiring that you select any commands (like “save” or “erase”), maintaining the original message as if it was unheard.  The red light indicating you have a message returns, leaving the real mailbox owner none the wiser.

Using the “skip” command often accomplishes the same thing. Add new messages to the dozens of saved ones that remain for weeks and months in your mailbox and hackers have hit the jackpot. 

While every system is different, hackers are quite savvy individuals who are up to the challenge. With a little bit of research, they will have all the information they need about you.

So what can be done? Certainly systems could be programmed to require more complex passwords, but that's just the first line of defense.  A couple of additional steps might be very effective.

  • Time Stamp: What if your system informed you upon logging in that “the last time you checked your voicemail was this morning at 2:21 AM.” If a suspicious time was reported (a time when you knew you weren't checking voicemails), you would immediately know there was a problem and could quickly notify the voicemail provider to report the incident. Better yet, if the provider maintained the numbers from which all mailbox accesses were made (assuming that is technically possible), it could provide police with valuable leads in the investigation of voicemail hacking incidents. While sophisticated  hackers can manipulate computer-based voice-over-internet systems to provide false called-from numbers, such a precaution could certainly help in many cases.
  • Text/E-mail Alerts: Another way of providing the same information might be to have the voicemail system send an email or text message alert that “Your voicemail was just accessed (time and date). If you did not access your mailbox, call our fraud center at (number listed).”
  • Longer Passcodes: Many systems require that access codes be four digits in length. That's not enough. The longer the passcode, the harder it is to crack, so why not allow people to use longer codes? After all, they don't have to remember them as numbers. They can think of them as words. A password like “5388437867446346” is hard to guess and nearly impossible to remember. But, fortunately, those numbers translate to “LetTheSunShineIn” on a telephone keypad.  

The tragic victimization that we read about in these voicemail hacking cases should be a wake-up call to voicemail providers.  History has shown us that more should be done to better protect user privacy, give users a chance to know they've been hacked and help catch those responsible.


Alan Brill, CISSP, CFE, CIPP, is senior managing director for the Computer Forensics and Secure Information Services Practice of Kroll.