Your Voice Mail: Hugely Hackable

Mounting public anger over the News of the World (NOTW) newspaper’s alleged practice of hacking into voice mail boxes of people targeted as subjects for stories has led to the arrests of eight people by the British police.

Alleged victims of their hacking in the UK included the royal family, former British Prime Minister Gordon Brown, and a teen-aged girl who was kidnapped, raped and murdered.

The public outrage led British prime minister David Cameron to withdraw support from NOTW editor Andy Coulson, his former chief of communications.

It also forced Rupert Murdoch, whose News Corp. owns the now-defunct NOTW, to withdraw a bid for lucrative TV broadcaster British Sky Broadcasting.

Finally, in the United States, Senator Jay Rockefeller has called for an investigation into whether the hackings have led News Corp. to break U.S. laws.

Meanwhile, reports that other News Corp. publications also hacked into the voice mail and computer systems of their targets are beginning to emerge.

How easy is it to hack into voice mail boxes? Why is it that News Corp. reporters could apparently sail into victims’ voice mail boxes with ease?

You Talking to Me?

Getting into someone else’s voice mail box “can potentially be excruciatingly easy,” Randy Abrams, director of technical education at ESET, told TechNewsWorld.

Some carriers have static or easily guessed default passwords, and users often do not change the default, Abrams said. “‘1234’ is probably the most common password,” he added.

In fact, iOS app developer Daniel Amitay found that the 1-2-3-4 numbering sequence constituted nearly 9,000 out of more than 204,000 passwords on iPhones that he checked using an app. That was close to 1.7 times as frequent as the next most common password, which was “0000.”

The typical voice mail system uses end user specified passwords, or EUSPs, Abrams said.

This “makes hacking voice mail quite easy in many cases” because many users stick to a small number of common numerical combinations, Abrams stated.

How the Bad Guys Do It

It’s easy to find out how to hack into voice mail systems — a quick search of the Internet turned up a few sites teaching readers how to do this.

The problem is apparently rampant enough for the FCC to issue guidelines on how to avoid falling victim to voice mail fraud.

The general process is to identify the most common voice mail passwords and try them, ESET’s Abrams said. If that fails, social engineering a phone company employee “probably has a good chance of working,” he added.

One of the more prominent examples of the misuse of social engineering this way occurred when investigators for HP used fraudulent methods, known as “pretexting,” to obtain the phone records of journalists the company asked them to spy on back in 2006.

Pretexting is the act of creating and using an invented scenario to engage a target in order to extract information from the target.

Getting to Know You

Shouldn’t people have a reasonable expectation of privacy when it comes to their voice mail systems?

They should, says Jennifer Granick, an attorney with ZwillGenetski PLLC, a boutique law firm in San Francisco specializing in legal issues around doing business on the Internet.

“Reasonable expectation of privacy is a term of art which defines whether you have a constitutional right against warrantless government access to your person, home or property,” Granick explained.

That protection is provided under the Fourth Amendment to the Constitution of the United States, which guards against unreasonable searches and seizures and requires warrants to be judicially sanctioned and supported by probable cause.

However, the United States Department of Justice doesn’t always adhere to these guidelines and is testing them in the courts.

“The few federal courts that have ruled on [reasonable expectation of privacy] have held, contrary to the DoJ position, that individuals do have such an expectation of privacy in the contents of emails and voice mails stored with service providers,” Granick told TechNewsWorld.

Several state courts have also ruled similarly, although the question is still open to debate because not all states or federal circuit courts have the authority for their rulings to set precedents on the issue, Granick said.

A Question of Wrongs and Rights

Hacking into voice mail systems to eavesdrop on messages is “both totally unethical and illegal,” Peter Sussman, who helped write the Society of Professional Journalists‘ guidelines on journalistic ethics, told TechNewsWorld.

If the situation were “of such overwhelming importance and hacking was the only way to get the information and there was no alternative way of doing so,” there might be an ethical case for hacking, but the hacker would still be liable for having broken the law, Sussman said.

The situations in which NOTW journalists allegedly hacked into people’s voice mail systems do not meet these requirements, Sussman pointed out. “This is beyond the pale for any journalist,” he added.

Voice Mail Crime and Punishment

Voice mail hacking is against the law in the U.S., but the offense is generally considered a misdemeanor, ZwillGenetski’s Granick said.

Further, “some of the interpretations the government has adopted in favor of allowing it broader access to private data as part of investigating crimes would interfere with those same prosecutors taking a strong stance in protecting victims of voice mail hacking,” Granick added.

For example, the Department of Justice has said that it doesn’t consider listened-to voice mails to be “in electronic storage,” Granick pointed out.

This would leave such voice mails both accessible to investigators without a search warrant and also unprotected from hackers by the Stored Communications Act, Granick warned.

The Stored Communications Act regulates how the government can get stored account information from ISPs.

However, the Computer Fraud and Abuse Act, which governs illegal access to computers, would still apply, Granick said. Prosecutors could choose to indict voice mail hacking as a criminal conspiracy to violate that law, and conspiracy is a felony, Granick remarked.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by Richard Adhikari
More in Hacking

Technewsworld Channels