Executives at Rupert Murdoch's News Corp.-owned papers allowed reporters to hack into phone conversations of celebrities, including Gwyneth Paltrow, and then paid hundreds of thousands of dollars to cover it up, according to a report in The Guardian. One of those executives is now the chief communications officer for the U.K.'s Conservative Party.
That's the political news. But what about the tech side of this? According to reports, the hacking involved thousands of people, from sports and entertainment personalities to politicians, which begs the question of how famously technologically-challenged reporters could have managed this without BT catching on.
According to British political blogger Guido Fawkes:
"The hacking of mobile phones was a simple trick known to many a tabloid reporter. (Call the mobile number, when it went to voicemail tap in the network default pin code. If the phone owner hadn't set a pin code you were in and could listen to voicemails.)"
Wireless industry consultant Dean Bubley lets the operators off the hook, if this is indeed how the reporters hacked into the phones, explaining in a forum posting:
"[It] wouldn't necessarily be too easy to detect, unless there was a clear pattern (eg unusually frequent dial-ins). Also wouldn't be easily detectable across a large diverse group of people on multiple operators' networks."
Not so fast letting the operators off the hook. Blake Cornell, security consultant with Net2S, chimed in with another approach the journos might have taken: according to Cornell, the way to get your voice mail with certain carriers is to call your voice mail system from your own phone; thus, an easy way to get in would be to call the celebrity's number and trick the system into thinking the call was coming from the same phone number. In practical terms, this would mean using two phones, one of which would use caller ID spoofing software to trick the system into believing it was the celebrity's phone. One phone is used to tie up the line (going to voice mail) and the second phone, with the spoofing software, calls, goes straight into voice mail, and starts playing back messages. The beauty of this system, from the hacker's perspective, is that no password is required.
Cornell tells me that vulnerable operators have been aware of this flaw for "at least three years."
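What the "clear pattern" checks Bubley alludes to could look like inside a single operator's voicemail platform, as an added example that is not part of the original article or any operator's code. The record fields, the thresholds and the on-net flag are assumptions, the sample records are constructed, and the per-source count goes slightly beyond the quote; the numbers come from the UK range reserved for drama use.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records; hypothetical fields, not a real log format.
# (time, mailbox, presented_caller_id, auth, default_pin, on_net)
#   auth: "pin" = PIN entered, "cli" = admitted on caller ID alone
#   on_net: call originated on the operator's own network (assumed knowable)
RECORDS = [
    ("2009-07-01 09:00", "07700900001", "07700900001", "cli", False, True),
    ("2009-07-01 09:05", "07700900002", "07700900555", "pin", True, False),
    ("2009-07-01 09:20", "07700900003", "07700900555", "pin", True, False),
    ("2009-07-01 09:40", "07700900004", "07700900555", "pin", True, False),
    ("2009-07-01 10:00", "07700900005", "07700900005", "cli", False, False),
    ("2009-07-01 10:10", "07700900002", "07700900555", "pin", True, False),
    ("2009-07-01 10:30", "07700900006", "07700900777", "pin", False, False),
]

def analyse(records, window=timedelta(hours=24), max_remote=1, max_fanout=2):
    """Flag mailboxes and source numbers matching the patterns in the article."""
    findings = {"default_pin_remote": set(), "cli_off_net": set(),
                "frequent_remote": set(), "fanout_source": set()}
    remote_times = defaultdict(list)  # mailbox -> times of remote accesses
    targets = defaultdict(set)        # source number -> mailboxes it opened
    for ts, mailbox, caller, auth, default_pin, on_net in records:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        remote = caller != mailbox
        # Mailbox still on the network default PIN, opened from another number.
        if remote and auth == "pin" and default_pin:
            findings["default_pin_remote"].add(mailbox)
        # PIN-less entry trusted on caller ID, but the call came from off-net.
        if auth == "cli" and not on_net:
            findings["cli_off_net"].add(mailbox)
        if remote:
            remote_times[mailbox].append(when)
            targets[caller].add(mailbox)
    for mailbox, times in remote_times.items():
        times.sort()
        # More than max_remote remote dial-ins inside one window.
        for i in range(len(times) - max_remote):
            if times[i + max_remote] - times[i] <= window:
                findings["frequent_remote"].add(mailbox)
    for source, boxes in targets.items():
        # One calling number opening many different mailboxes.
        if len(boxes) > max_fanout:
            findings["fanout_source"].add(source)
    return {reason: sorted(hits) for reason, hits in findings.items()}

if __name__ == "__main__":
    for reason, hits in analyse(RECORDS).items():
        print(reason, hits)
```

The per-source count only works within one operator's records, which is the limit Bubley points to when the targets are spread across several networks.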