Cell Phone Spoof

Phone hacking: Are you safe?

Voicemail messages can be hacked in New Zealand with nothing more than a cellphone number, a $5 calling card and common software such as Skype.

Telecom says nothing can be done to stop "ID spoof" hacking on its network, other than urging customers choosing unique passwords to protect their messages.

But many cellphone owners do not use voicemail passwords at all, because of the inconvenience of entering a four-digit code every time they want to listen to messages.

In Britain, the News of the World tabloid newspaper was closed after revelations of a phone hacking scandal which has thrown Rupert Murdoch's media empire into turmoil.

The tabloid paid a private investigator to hack into voicemail messages, by using the default pin code or making an educated guess based on personal details like birth dates.

But Weekend Herald inquiries have found a more sophisticated - but simple - method called "ID spoofing".

It's the same method a teenager accidently stumbled on in 2005 and used to hack into the voicemails of prominent people, including former Auckland City Mayor Dick Hubbard.

Amateur hackers can buy credits on-line for as little as $5. By using Voice over internet Protocol software such as Skype, a hacker can fool a voicemail system into thinking they are calling from the phone they are trying to break into.

If the phone owner has not set up the voicemail to require a password when called from their own mobile, a hacker can get straight into the system and listen to messages at will.

The chief executive of the Telecommunications Users Association of New Zealand, Paul Brislen, said voicemail hacking was "ridiculously easy" to do.

Questioned about "ID spoofing", a Telecom spokeswoman said customers had two layers of protection.

"We strongly advise that customers take personal responsibility to ensure their phones are protected by locking their handsets and using protected pin numbers to access their voicemail boxes.

"We also advise customers to choose unique pin numbers that can not easily be guessed."

Telecom customers can choose to make voicemails password-protected, but Vodafone makes a pin code compulsory for checking messages from other phones.

A Vodafone spokesman also said Skype could not be used to "spoof" the network into thinking the caller was trying to access voicemail.

This was because the system looked for other qualifiers to verify the validity of the call.

One Per Cent: Spoofing services make mobile voicemail hacking easy

Easy access to voice mail is a common convenience on many phones. Opening a mobile displays an icon if someone has left a voice message. Click on the icon, and the phone automatically dials the voice mail box - some without even requiring a password. It's insecure, but a lot of users don't think about it. AT&T Wireless, for example, buries instructions for adding a password deep in its web site. Sprint and T-Mobile also don't require passwords; only Verizon does. The internet offers many web-based spoofing services, easy to locate by searching for "caller ID spoof". Users enter the number they are calling from, the number they are calling, and the number being spoofed, then place calls through the Internet or a toll-free number operated by the service. One web service boasts spoofing makes calling "truly private, fun, and inexpensive!"  That sounds like just the thing for fraudsters, stalkers, or, ahem, tabloid journalists .

Sorry, I didn't really follow this, what are you saying? Putting a pin on one's phone still doesn't prevent hacking?

Also you had an article about mobile base stations that can pluck communications (etc.) out of the air. Although it is illegal, it gets used. I thought the networks were digitally encrypted.

So are you saying? Even with protective measures they can: access voice mail, dialled numbers and your location by triangulation.

To clarify the blog, AT&T Wireless and some other carriers do not require passwords/PINs. The default when you set up your phone is not to require a PIN; the voice mail tells who is calling by looking at the caller ID, but does not require a PIN for validation. That means caller ID spoofing is enough to hack voice mail, if the user has not gone to the extra trouble to set up a PIN. So if you're concerned about being hacked, you need to go through the extra steps of setting up a PIN.

The trouble with mobile base stations comes from transmitting signals without encryption, so passwords are transmitted in plain text and can be detected by 'sniffers'. To be sure passwords are encrypted, log in to sites at https addresses, not just http.

Thanks Jeff and thanks for the NS mission of keeping the populous briefed about developments in science and technology.

I am still a little freaked out about mobile base stations... OK text is probably pure ASCII but can they tap voice calls as well and triangulate location.

I don't mind the police and security services doing these things with some ultra secure administrator password (provided we have people in these services we can trust...) but the idea that some kid or nosey neighbour could snoop is disturbing. I thought it was all encrypted unlike the old analogue mobile phones.

Is My Cell Phone Bugged?, Everything You Need to Know to Keep Your Mobile Conversations Private

Byting back, regaining information superiority against 21st-century insurgents

The Complete Idiot's Guide to Private Investigating

Syngress Force Emerging Threat Analysis, From Mischief to Malicious

Hack the stack, using snort and ethereal to master the 8 layers of an insecure network