Preventing voicemail hacking

August 2011

Woman using mobile phoneVoicemail hacking is not new. The two main methods are guessing PINs or using spoofing to bypass caller ID-based access control.

For convenient remote access to voicemail, e.g. where caller ID is not available or when the user is calling from a different phone, service providers allow users to authenticate through the use of PINs. Invariably these are short, usually four digits, and often they are preset to a known default - making hacking a simple guessing game.

Where caller ID is available, service providers use it to automatically identify users and allow direct access into their voicemail boxes. Unfortunately, caller ID spoofing has been around, for legitimate reasons, as long as caller ID. This facility can be misused to falsely represent the Calling Party and bypass such access control.

Historically, unlike other forms of login, service providers have not put much effort into the prevention and detection of brute force PIN guessing or caller ID spoofing attacks. Some limit the number of attempts per call, say to three, but attackers can set up automated brute force attack systems to break even a four digit PIN over a weekend.

In the US it is not illegal, at the federal level, to offer a public caller ID spoofing service. In the UK, regulator Ofcom has wisely chosen to try and restrict such public services offerings. Unfortunately, access to the right switchboard software or network signalling can enable a caller to set whatever Caller ID they wish.

Caller ID spoofing services can help reduce this type of fraud by not allowing the spoofing of a calling ID where it is the same as the called party number, so that someone cannot masquerade as a mobile phone and be automatically admitted by the mobile operator’s filtering mechanism. Some already have this restriction.

Mobile operators could improve things by:

  1. requiring robust PIN numbers are set for all accounts with voicemail;
  2. notifying users of (repeated) failed attempts to login to accounts - not just with a voicemail (as one operator does), which a successful attacker would delete;
  3. only trusting calls, presenting caller IDs of their own customers, originating from their own and roaming partner networks;
  4. relying less on presentation ID (easily spoofed) than network ID (less easily spoofed) when automatically connecting a caller to voicemail.

Users could improve things by:

  1. regularly changing voicemail PIN to a non-predicable numbers, so that if you were compromised you lock out your attached until they can break in again
  2. listening out for old message they don’t recall hearing before
  3. noticing when told of a voicemail being left that they did not receive
  4. disabling voicemail where not required or concerned about intrusion

Awareness is the name of the game and reporting suspected breaches to your service provider, police and the Information Commissioner’s Office will maintain focus on this continued area of weakness in personal communications.

Gareth Niblett is the chair of BCS ISSG and previously a CISO at a telecommunications group.

Comments (2)

Leave Comment
  • 1
    David Holdsworth wrote on 10th Aug 2011

    Would it be possible to upgrade SIM card software to use a challenge-response protocol without needing to modify the internal protocols between the SIM card the the phone? If so a company could offer this without needing an industry-wide agreement.

    Report Comment

  • 2
    Jonathan Gray wrote on 22nd Nov 2011

    I dont think there is any reason for voicemail to be accessed the way it usually is via the pin system which was so open to abuse. There is no reason why it cant be pushed to the device and stored there with modern phones much the way O2 currently do with the iPhone.

    Voicemail need not be the externally managed/maintained bolt on which is causing the problem at present. I recall in university days having my phone hacked as the ever helpful telco sold handsets with the voicemail "on" as standard and the default pin as "0000" allowing full access to voicemail.

    Yes you may have the normal clone/duplication issues but if this is done voicemail is the least of your concerns on a modern phone. This can be then the focus of security for the phone i.e handset to the network.

    Things need to be taken up a notch as photos/emails/music and voicemails are all up for grabs as handsets advance storing them on a single source for you to access.

    Report Comment

Post a comment

Blueprint for Cyber Security

Our vision is a world properly protected from cyber threat. This blueprint sets out how we can deliver that solution, starting in health and care.