Earlier this year, a series of scandals confirmed that phone hacking – long suspected of being a privacy threat – was widespread in certain UK media organizations.
In July, UK police began investigating allegations that a leading tabloid newspaper was involved in one of the UK’s biggest phone hacking scandals. The newspaper was accused of hacking the phones of deceased servicemen and women, families of the victims of the 7/7 terrorist attack and the relatives of a murdered teenager, and was subsequently shut down.
The national headlines and outcry also made mobile subscribers at large question the vulnerability of their voicemail messages and mailboxes, and what protection was available from mobile network operators (MNOs) and service providers against hacking.
The problem is voicemail services are so ubiquitous that for many years, we've simply taken them for granted. For subscribers, they ensure they keep up with messages from partners, colleagues, friends and family. For networks, they drive vital revenue by enabling more calls to be completed and billed. That means that the issue of security has been overlooked, so that voice mailboxes continue to offer a potentially rich, easily-accessible source of information for potential hackers.
MNO’s assurances in the wake of the phone-hacking revelations - that voicemail systems are now ‘highly secure’ - are somewhat misleading. The techniques used by the tabloid press in the UK were mainly based on the fact that all default mailbox access PINs were the same for any given operator and that access from phones other than the subscriber’s mobile handset was enabled by default.
It’s worth noting that this vulnerability is not just a UK or USA issue. Voicemail systems have been fairly universal in function across mobile operators globally.
In the last couple of years, the majority of voicemail systems have simply moved from being insecure to having basic security, which is at least a step in the right direction.
However, this basic level of security can still be compromised because of the emergence of new techniques, such as calling line identity (CLI) spoofing, which is still a viable attack vector for accessing many voicemail accounts. It works by allowing the caller to specify the CLI they wish to be presented on the target phone, before the call is placed. Several online apps and services are available which make this type of spoofing easy.
These apps route the call through a third-party network, exploiting the fact that when a call enters a telephony network in this way, it is typically billed ‘wholesale’. As information such as the actual originating number of the caller can only be reliably determined if the caller is directly connected, the spoofing app is able to overlay a false number chosen by the caller. The apps can also divert a call directly to a user’s voicemail box without the target phone ringing, giving the potential hacker an easier opportunity to try and hack into an individual’s messages.
Preventing these types of hacking attempts needs a combination of subscriber involvement and action by MNOs. For subscribers, those who value their privacy should always insist on a PIN challenge for all calls to their voicemail account from both their own handset and other numbers, and corporate users should certainly question the security standards of their telephony providers. Most corporations wouldn’t dream of outsourcing email servers to third parties, however little consideration is given to voicemail and SMS messages that may have equal, or greater, value to that of email in terms of protecting intellectual property.
At operator or service provider level, it is possible for network voicemail systems to perform extra verification checks on incoming calls. For example, the voicemail system can interrogate the HLR/VLR in the local mobile network (which acts as the location registrar for mobile handsets) and determine if the mobile handset to which the calling number belongs is roaming.
If a call comes in off-net from a mobile number that is shown by the HLR to be currently on-net, the caller is spoofing the indicated CLI and the call should be rejected. The approach is one of a number of simpler fraud-protection techniques that can be deployed.
Further measures could include blocking direct-to-mailbox access by triggering a secure call-back, or an SMS prompt to the real subscriber’s number. Multiple attempts at PIN access could also trigger an SMS to the subscriber, which would alert them to attempted unauthorized access.
Savvy network operators should already be implementing these security measures before their customers begin to demand it, proving that they are committed to and conscientious about their subscribers’ privacy.
As Benjamin Franklin observed, an ounce of prevention is better than a pound of cure. And preventing security breaches happening in the first place is always easier – and less costly – than handling the fall-out after they’ve occurred.
Einar Lindquist is chief executive of Teligent Telecom