Reg probe bombshell: How we HACKED mobile voicemail without a PIN

Months after Leveson inquiry, your messages are still not secure


Special report Voicemail inboxes on two UK mobile networks are wide open to being hacked. An investigation by The Register has found that even after Lord Leveson's press ethics inquiry, which delved into the practice of phone hacking, some telcos are not implementing even the most basic level of security.

Your humble correspondent has just listened to the private voicemail of a fellow Reg journalist's phone, accessed the voicemail inbox of a new SIM bought for testing purposes, and the inbox of someone with a SIM issued to police doing anti-terrorist work. I didn’t need to use nor guess the login PIN for any of them; I faced no challenge to authenticate myself.

There was a lot of brouhaha over some newspapers accessing people's voicemail without permission, but one of the strange things about it all is that at no stage have any fingers been pointed at the mobile phone networks for letting snoops in. And some doors are still open.

Photo by Keven Law

Charlotte Church ... tabloid tapped her inbox (source)

It's believed the infiltrated inboxes merely had default PINs, or passcodes that were far too easy to guess, allowing eavesdroppers to easily drop by. People were urged to change their number codes for their voicemail, but, as we shall see, that advice is useless – you simply don't need to know a PIN to listen to someone's messages.

Going down the rabbit hole

The login flaw was discovered during development work I was doing on a virtual mobile phone network that's aimed at folks who struggle with modern technology: it allows, for example, an elderly subscriber to ring up a call centre and ask to be put through to a friend or relative, rather than flick through a fiddly on-screen contacts book.

In this case, the operator makes the connection between the subscriber and the intended receiver, but the "calling line identification" (CLI) shown at the receiving end is that of the subscriber and not of the call centre. CLI is the basis of caller ID in the UK, but it's a bit of a misnomer because it can be changed as required.

I’d long suspected that miscreants were hacking voicemail by spoofing their CLIs to fool the phone system into thinking it was the handset collecting the messages – but surely that's too easy? It is trivial to set an arbitrary CLI when making a call. I had to find out if voicemail systems were vulnerable to spoofing.

I was emboldened by an email from Register reader Sebastian Arcus, who had set up some software for making voice calls over the internet (VoIP in other words) using his mobile phone number, and was surprised that he was able to collect his voicemail from his VoIP client without having to hand over an access PIN. I was further goaded in a chat in the pub with a Reg colleague, who bet me I couldn’t hack his voicemail. I should’ve asked for money to back that one up.

How it should work and how it falls apart

If you call your voicemail service from a handset linked to the account, you go through to your message inbox without the need to enter a PIN, presumably as a convenience. Use any other phone and you are asked for a PIN access code. If there is no PIN set, you don’t get to the voicemail. So far, so good.

The special sauce here is how does the mobile phone network know which phone you are calling from? The easy way is to look at the CLI sent when establishing a call.

Unfortunately, as our reader found out, this caller identification isn’t at all secure and can be spoofed, so we looked at Three, EE (and Orange), O2 and Vodafone.

Narrower topics


Other stories you might like

  • Beijing probes security at academic journal database
    It's easy to see why – the question is, why now?

    China's internet regulator has launched an investigation into the security regime protecting academic journal database China National Knowledge Infrastructure (CNKI), citing national security concerns.

    In its announcement of the investigation, the China Cyberspace Administration (CAC) said:

    Continue reading
  • Israeli air raid sirens triggered in possible cyberattack
    Source remains unclear, plenty suspect Iran

    Air raid sirens sounded for over an hour in parts of Jerusalem and southern Israel on Sunday evening – but bombs never fell, leading some to blame Iran for compromising the alarms. 

    While the perpetrator remains unclear, Israel's National Cyber Directorate did say in a tweet that it suspected a cyberattack because the air raid sirens activated were municipality-owned public address systems, not Israel Defense Force alarms as originally believed. Sirens also sounded in the Red Sea port town of Eilat. 

    Netizens on social media and Israeli news sites pointed the finger at Iran, though a diplomatic source interviewed by the Jerusalem Post said there was no certainty Tehran was behind the attack. The source also said Israel faces cyberattacks regularly, and downplayed the significance of the incident. 

    Continue reading
  • Stolen-data market RaidForums taken down in domain seizure
    Suspected admin who went by 'Omnipotent' awaits UK decision on extradition to US

    After at least six years of peddling pilfered personal information, the infamous stolen-data market RaidForums has been shut down following the arrest of suspected founder and admin Diogo Santos Coelho in the UK earlier this year.

    Coelho, 21, who allegedly used the mistaken moniker "Omnipotent" among others, according to the US indictment unsealed on Monday in the Eastern District of Virginia, is currently awaiting the outcome of UK legal proceedings to extradite him to the United States.

    The six-count US indictment [PDF] charges Coelho with conspiracy, access device fraud, and aggravated identity theft following from his alleged activities as the chief administrator of RaidForums, an online market for compromised or stolen databases containing personal and financial information.

    Continue reading

Biting the hand that feeds IT © 1998–2022