Mobile Phone Hacking Is Never Far from the News; One Report Hints That the Former Prime Minister Has Had His Mobile Phone 'Hacked'
KJB Computer Forensics Consultancy
Tel: 01368 860473 Mobile: 07748736481 Email: [email protected]

Mobile Telephone hacking

Introduction
In today’s world we have seen a dramatic rise in the popularity of mobile telephones, escalating at a phenomenal rate; more than anyone could ever have imagined. You only have to take a walk along your local High Street to notice the increased marketing of mobile telephones and our constant use of SMS texting. I personally carry my phone everywhere and feel 'naked' without it.

Whilst modern telephones are great, they are still susceptible to any number of security flaws, one in particular being mobile telephone hacking. Mobile phone hacking is never far from the news; one report hints that the former prime minister has had his mobile phone 'hacked'. The aim of this paper is to give you an overview of mobile phone hacking and some basic tips to avoid becoming a victim of this crime.

News just in...
Royal phones hacked, the former British prime minister demands a police investigation of possible snooping on his mobile messages, the current prime minister's director of communications resigns, Rupert Murdoch flies in to London for a crisis meeting, and that is just the start…

Deep into the age of computer hacking, one or more journalists at the Murdoch-owned British newspaper, the News of the World, have been accused of carrying out a remarkably old-fashioned hack, that of accessing or 'phreaking' voicemail systems used by celebrities and politicians. Dozens or even hundreds of public figures could in theory be affected, and it hasn't taken long for it to dawn on people that the practice is likely to be more widespread than a single newspaper in a single country, and could also affect a greater range of people.

KJB Computer Forensics Consultancy Tel: 07748736481 Email:[email protected] Website: www.kjcomputerforensics.com ©KJB Computer Forensics Consultancy 2011

How can this be?
Voicemail systems have been under attack since the dawn of the answer-machine and business voicemail box, but it was with the arrival of mobile networks that it started to take off. These offer a standardized interface and set of access numbers and come with default security PINs that even non-technical journalists can look up on the Internet.

The first security flaw of public voicemail systems - the PIN!
When you take delivery of your brand new mobile telephone, a default PIN is usually set on voicemail when the service is enabled, which many users won't remember or probably would not even consider changing. Even if you are savvy enough to change the PIN, hackers can attempt to gain access to your mailbox by phoning up the provider and getting the number reset. How hard is this? Nobody knows.

A second security flaw…!
Hackers can get away with such simple access thanks to a second flaw: public voicemail systems don't record the numbers from which the service is being accessed, only the time of access. If providers recorded such details, this alone would make simple voicemail hacks harder to execute, as there would be a nice trail of evidence of access.

Normally, there are only two further demands on the attacker. Firstly, they must know or guess the network being used. When you consider there are only a small number of top providers in the UK, guessing the network would not be difficult. Secondly, the hacker must be prepared to risk the wrath of the law. Accessing voicemail on any system without permission is clearly against UK and US laws.

A Sinister thought…!
Hackers might have paid informants inside mobile phone network call centers, though it is worth pointing out that there is no evidence of this in current cases.

Corporate Voicemail Systems
As to corporate voicemail systems, the same principles apply, although these will be more secure due to in-depth authentication designs and longer PINs.
PINs and other security measures will also be set up by a security admin and administered according to defined policies.

Beyond walking in the front door, the possibilities get more complex and slightly less likely. Spoofing systems have appeared that exploit the fact that, on some networks, when a person calls their voicemail from their own phone (identified by the individual International Mobile Subscriber Identity or IMSI), they are often able to access the system without entering a PIN at all. All the attacker would need to have, other than the know-how to use spoofing, is the target mobile number.

Can it be stopped?
Perhaps a bit extreme, but the easiest way to avoid having one of these systems hacked is not to use them at all. You can quite easily turn voicemail off, which although inconvenient would encourage callers to use a more secure system such as SMS and email.

A second measure could be adopted: reset the default PIN code. Assuming this is a four-digit code, that allows up to 10,000 possible combinations for a hacker to guess; not completely secure, but a reasonable start. If this is the chosen method of protection then you must also ensure the PIN is changed frequently.

A third security measure which could be considered is to use more than one telephone and network. This makes it harder for an attacker to guess and gain access to the voicemail.

Dangers associated with Smartphones
Smartphones, whilst they offer a better user experience and more functionality, also open up new vulnerabilities. If a hacker successfully infects a smartphone with spyware, then there is the possibility that they could gain access to SMS and email. This is probably the biggest threat in the medium term and would offer attackers a way of getting at anything on the phone, from contacts to call logs and to private documents.
The single barrier to getting spyware onto smartphones is that the hacker has to take account of the platform of the target's smartphone and get around any approval systems that might exist. The Apple iPhone is a good example of approval systems: only approved apps can be loaded onto an iPhone, thereby reducing the risk of infection by spyware.

Summary
Mobile telephones are fantastic devices and in many cases fall into the category “can’t function without it”. Regardless of your position in society, you should take steps to protect yourself from vulnerabilities such as voicemail hacking. If you are in a position where the threat of becoming a victim of phone hacking is high, then you should seriously consider adopting some of the suggestions noted above for securing your voicemail.

If you require any further information on anything mentioned in this document, please feel free to contact us. KJB Computer Forensics Consultancy can also advise on further security precautions that you could adopt to secure the data held on your mobile telephone, thereby offering you peace of mind and preventing your private information becoming public.
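
The PIN advice under "Can it be stopped?" as an added example, not part of the original paper: a check that a newly chosen voicemail PIN is not a default or otherwise predictable value, plus the chance of a blind guess succeeding within a limited number of attempts. The default-PIN list, the attempt limit and the phone number are constructed assumptions, and the run, year and own-number checks go slightly beyond what the text states.

```python
# Added example: audit a voicemail PIN before setting it.

# Constructed stand-ins for factory defaults; real defaults vary by network.
ASSUMED_DEFAULT_PINS = {"0000", "1111", "1234"}


def _is_run(pin):
    """True for ascending or descending digit runs such as 2345 or 9876."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})


def audit_pin(pin, phone_number, min_length=4):
    """Return the reasons a PIN is weak; an empty list means it passes."""
    if not (pin.isascii() and pin.isdigit()) or len(pin) < min_length:
        return [f"must be at least {min_length} digits"]
    own_digits = "".join(ch for ch in phone_number if ch.isdigit())
    problems = []
    if pin in ASSUMED_DEFAULT_PINS:
        problems.append("matches a default PIN")
    if len(set(pin)) == 1:
        problems.append("single repeated digit")
    if _is_run(pin):
        problems.append("sequential digits")
    if pin in own_digits:
        problems.append("appears in the subscriber's own number")
    if len(pin) == 4 and 1900 <= int(pin) <= 2099:
        problems.append("looks like a year")
    return problems


def guess_probability(pin_length, attempts_allowed):
    """Chance a blind guess hits a uniformly random PIN within the allowed tries."""
    keyspace = 10 ** pin_length  # 10,000 for the four-digit case in the text
    return min(attempts_allowed, keyspace) / keyspace


if __name__ == "__main__":
    number = "07700 900123"  # constructed number, not a real subscriber
    for candidate in ("1234", "0000", "9001", "1985", "4071"):
        print(candidate, audit_pin(candidate, number) or "ok")
    # Assumed limit of 3 tries before the mailbox locks.
    print("4 digits, 3 tries:", guess_probability(4, 3))
    print("6 digits, 3 tries:", guess_probability(6, 3))
```

The 10,000 figure is a ceiling that only holds for a PIN chosen at random; every check above removes values a guesser would try first.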