Peter Imes: An explanation of phone hacking

July 21, 2011 12:57:00 PM

Peter Imes - [email protected]


The recent phone hacking scandal in the U.K. has so far resulted in multiple resignations, arrests and the closure of a 168-year-old newspaper. News reports this week suggest that Rupert Murdoch''s own job as CEO of News Corp. may be in jeopardy as a result of at least one of his newspapers accessing the voice mail of celebrities, royalty and even a murdered teenager.


"Phone hacking" as used by the media in this story is deceptive. The method allegedly used by English newspaper reporters and private investigators is much more boring, and you don''t have to be a hacker to pull it off.




Basic phone hacking


Most cellphone companies make it easy for you to check your voice mail from phones other than your own. AT&T offers a voice mail access phone number you can call from any phone. Once you call this number, you are prompted for your 10 digit phone number and password. Once you enter this information, you have complete access to your own voice mail.


Verizon customers can access their voice mail by calling their own number and pressing the # key once their message starts playing. Cellular South customers can do the same by pressing the * key. Both carriers require a password to access voice mail.


Many cell phone users select easy to guess passwords for their voice mail like 1234, 0000 or the digits from their birth date. Some cellphone companies use default passwords that are also simple, and many people never bother to change those default passwords.


Through trial and error, a "hacker" could potentially access your voice mail if you have a simple password. This appears to be the method used by News of the World journalists.


Not very exciting, huh?





A more interesting technique is called "caller ID spoofing." If you dial your own number from your own phone, most cell phone carriers assume you are the caller and do not even prompt you for a password. Spoofing involves tricking the phone company into thinking you are actually calling from your mark''s cellphone.


With fewer than 50 lines of programming code and freely available software, caller ID spoofing is possible for even a novice programmer.


As a side note, the act of manipulating the phone system is called "phreaking" and not "hacking."


A word of caution to aspiring phreakers: Caller ID spoofing with the intent to defraud or cause harm was outlawed by the Truth in Caller ID Act of 2009 and carries a penalty of up to $10,000 for each violation.





Even before this latest scandal, phone companies started cracking down on voice mail vulnerabilities. Requiring users to change default passwords, requiring complicated passwords and sending text-message alerts to target phones are all methods various cell companies are using to help prevent phone hacking.


Each cellphone provider handles voice mail security differently. Spend some time on your cellphone provider''s website to determine how to set your voicemail password. Once you know how to change your password, set it to a random number.


Peter Imes is publisher of The Dispatch. You can email him at [email protected]