By Elinor Mills / CNET / July 7, 2011, 9:09 PM

Here's how easy it is to hack a phone

British tabloid News of the World is closing down over a phone hacking scandal in which workers for the Rupert Murdoch-owned newspaper allegedly snooped on voice mail messages left on the mobile phones of murder victims, as well as celebrities, politicians, and the British royal family.

If unethical journalists can do it, chances are anyone can, right?

To test my theory I called up Kevin Mitnick, who wrote about the hacking and social engineering that landed him in jail in a fascinating book coming out this summer, "Ghost in the Wires," and who serves as a security consultant, helping clients prevent privacy breaches such as this.

Phone hacking, also known as "phreaking," is easy to do, Mitnick said, adding that he could demonstrate it on my phone if I wanted proof. So I gave him permission to access my voice mail and told him my mobile phone number.

He called me right back on a conference call so I could hear what was going on. First he dialed a number to a system he uses for such demonstration purposes and entered a PIN. Then he was prompted to enter the area code and phone number that he wanted to call (mine) and the number he wanted to be identified as calling from (again mine). Next thing I know I'm listening to a voice message a friend of mine left me last night that I hadn't erased.

"See how easy it is?!" Mitnick says as my jaw drops.

He was able to get into my voice mail by tricking my mobile operator's equipment into registering the call as coming from the handset--basically pretending to be me. To do this, he wrote a script using open-source telecom software and used a voice-over-IP provider that allows him to set caller ID, but there also are online services that provide similar capability that non-hackers could subscribe to. It might be easier or harder to accomplish depending on the mobile operator, he said. (I'm keeping some of the details sketchy to avoid providing a how-to for phreaking.)

"Any 15-year-old that knows how to write a simple script can find a VoIP provider that spoofs caller ID and set this up in about 30 minutes," Mitnick said. "If you're not adept at programming, you could use a spoofing service and pay for it."

This technique, called Caller ID Spoofing, has been used and abused for years. In 2006, a caller ID spoofing account in the name of Paris Hilton was suspended for voicemail hacking, with other celebrities, including Lindsay Lohan, allegedly being victims, according to IDG News Service.

The method is more sophisticated than that allegedly used by the British journalists who are accused of using default PINs to access victims' voicemail accounts, assuming correctly that many people wouldn't bother to change the PINs. Since the phone hacking scandal first erupted about five years ago, mobile operators in the U.K. have changed their practices and most now require people to set their own PINs for remotely checking voice mail.

If I want to avoid having anyone use Caller ID Spoofing to access my voice mail again, I need to change my phone settings to require a PIN even when checking voice mail from my mobile device. But that doesn't address the fact that mobile operators don't authenticate caller ID. "The magic is that my VoIP provider allows me to set any caller ID and the other operators trust it," Mitnick said. "Caller ID is automatically trusted."
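The difference between the two voicemail policies discussed above can be modeled on the operator side. This is an added example, not code from the article or from any operator; the class names, the default-PIN list, the lockout threshold and the phone number are all constructed assumptions.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

DEFAULT_PINS = {"0000", "1111", "1234"}  # constructed examples of factory-default PINs
MAX_FAILURES = 3                         # assumed lockout threshold

@dataclass
class Mailbox:
    number: str
    pin: str
    failures: int = 0

@dataclass
class Call:
    caller_id: str                       # asserted by the originating network, never verified
    entered_pin: Optional[str] = None

def check_pin(call: Call, box: Mailbox) -> str:
    """Constant-time PIN comparison with a per-mailbox failure counter."""
    if box.failures >= MAX_FAILURES:
        return "denied: locked"
    if call.entered_pin is not None and hmac.compare_digest(call.entered_pin, box.pin):
        box.failures = 0
        return "granted"
    box.failures += 1
    return "denied: bad or missing PIN"

def weak_access(call: Call, box: Mailbox) -> str:
    """Policy the article describes: a matching caller ID skips the PIN."""
    if call.caller_id == box.number:
        return "granted"
    return check_pin(call, box)

def hardened_access(call: Call, box: Mailbox) -> str:
    """Caller ID is only a hint; a non-default PIN is always required."""
    if box.pin in DEFAULT_PINS:
        return "denied: owner must set a PIN first"
    return check_pin(call, box)

def demo():
    box = Mailbox(number="+15555550100", pin="482913")   # constructed sample data
    no_pin = Call(caller_id=box.number)                  # caller ID matches, no PIN given
    owner = Call(caller_id=box.number, entered_pin="482913")
    return weak_access(no_pin, box), hardened_access(no_pin, box), hardened_access(owner, box)

if __name__ == "__main__":
    print(demo())
```

A lockout keyed on the mailbox lets a third party lock the owner out of remote access, so a real deployment would pair it with an out-of-band reset path.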

Mobile phone industry specialist David Rogers suggests on his blog that operators should consider preventing people from accessing mobile voicemails remotely at all.

Meanwhile, the Truth in Caller ID Act of 2010, which was signed into law late last year, prohibits anyone intending to defraud, cause harm, or wrongfully obtain anything of value from knowingly causing any caller ID service to transmit or display misleading or inaccurate caller ID information. This could send the caller spoofing services off shore but likely won't put an end to the practice.

© 2011 CBS Interactive Inc. All Rights Reserved.
5 Comments
flatrock19 says:
"Meanwhile, the Truth in Caller ID Act of 2010, which was signed into law late last year, prohibits anyone intending to defraud, cause harm, or wrongfully obtain anything of value from knowingly causing any caller ID service to transmit or display misleading or inaccurate caller ID information."

It passed the House, but I don't believe it was ever even voted on in the Senate.

http://thomas.loc.gov/cgi-bin/query/z?c111:H.R.1258:
Jhihmoac says:
Oh...that billion dollar faction of the media industry known as "dirt"...
tmittelstaed says:
I will point out the obvious hole in this article is that there were actual voice messages on the guy's phone. If you're worried about your voice messages being hacked then probably you need to listen to them more often and delete them when you listen to them.

It isn't really true that there is nothing that cannot be hacked. You cannot hack a Windows 2000 system if it is set up properly. (I chose Windows 2000 because it's full of known security holes) All you have to do to set it up properly is not plug it in to a network, and put it in a locked room. Ha ha, gotcha!!

Seriously, the fact is that hacking works like theft, theft only happens when the value of the item to be stolen is higher than the difficulty of stealing it. In the Windows 2000 example, not plugging it into the network raises the difficulty of being hacked an incredible amount. Thus the value of what is on there is likely to be low enough that nobody will try hacking the system. Of course - if nuclear secrets are on the Win 2K system then you're raising the value of it - and likely someone will try hacking it even though it's not on a network.

That is why for example that you can put a plastic bag of dog poop that you picked up after your dog right in plain sight on the sidewalk and walk away from it and nobody is going to steal it. It's not worth anything so nobody is going to bother stealing it.

If you have a stack of quarters and you put them in plain sight in a locked car they likely will be stolen - but if you put them in a safe that is welded to the car frame they likely won't be. In the first instance, value is high, difficulty of theft is low. In the second instance, value is high, but difficulty of theft is higher.

To apply this to cell phones, well here is how it's done. If you're a nobody and you're poor and have no credit cards or anything worth stealing, then don't bother with a password on your cell phone voicemail. If you're a typical middle class person then put a password on your cell voicemail. If you're a celebrity or some high-value target, then put a really, really, long and random password on your cell phone.

The same principle applies to any electronic data. If the data value is low - your personal MP3 music track library for example - then likely you need little security on it because nobody is going to bother trying to hack into your collection of Hank Williams dreck. But if data value is higher then you need more security on it - and you need to UNDERSTAND the security on it. In the case of the cell phone example, anyone who accesses any data and isn't asked for a password should automatically see this as a red flag. The cell phone company failed at providing its customers with information on how to secure their voice messages - but the cell company probably correctly assumed most of their customers were nobodies and no hacker would bother trying to listen to their voice messages. If you're a celebrity then you're not a nobody and the rules don't apply - and arguably, you should have a personal secretary whose job it is to know about things like this and set the password on your phone for you.
Bojax39 says:
"To test my theory I called up Kevin Mitnick,"

Name dropper. :-)
tsigili says:
There is absolutely nothing that cannot be hacked.