Speaking Engagements & Private Workshops - Get Dean Bubley to present or chair your event

Need an experienced, provocative & influential telecoms keynote speaker, moderator/chair or workshop facilitator?
To see recent presentations, and discuss Dean Bubley's appearance at a specific event, click here

Thursday, July 07, 2011

UK phone-hacking scandal - does this go beyond an issue about journalism?

Like everyone in the UK, I've been listening in horror to the recent reports that the News of the World's journalists have listened to the private voicemails not just of celebrities and politicians, but those of victims of crime and terrorism.

I certainly think that those responsible must face the force of both the law and public opprobrium.

But it's also made me think about the process they used. While dastardly, it doesn't sound that difficult - basically either guessing users' default voicemail PIN codes (0000 etc) or - allegedly - bribing somebody to divulge them.

This leads me to three conclusions:

  • I can't believe that the NoTW journalists were the only ones who invented and used this technique. Firstly, other journalists are probably equally implicated, as there's a lot of job mobility in that industry. But secondly, this technique has most probably also been used in other countries, and in other contexts. I've got to believe that this goes beyond news, and probably extends to industrial espionage, financial insider-dealing and assorted other forms of snooping and spying.
  • The mobile operators (and by implication their vendors/integrators) appear to have been seriously remiss about defining good practice and standards for voicemail security. This does not just extend to allowing default passwords to remain in use indefinitely, it also involves the accessibility of PINs to customer service or other staff. It seems that these PINs are much more weakly locked-down that banks' ATM codes. I also find it hard to believe that UK operators are uniquely lax about this - presumably it's an equal issue around the world. 
  • Lastly, this is another example of the "cloud" failing in its security. Just because this involved some "social engineering" does not make voicemail hacking any less scary than Sony's loss of customer details or other recent failures. Maybe there should be questions about whether the network is the right default place to store voicemails, rather than downloading them to handsets when connectivity is available.
To my mind, the UK Information Commissioner needs to do a full review into how voicemail privacy and security is run in the telecoms industry. And other countries' authorities ought to be following suit. I think the unique intensity of the UK journalism / political sphere has broken the dam on this issue, but I'll be very surprised if one newspaper is the sole culprit when the rest of the story floods out.

EDIT: this blog post (found easily on Google) discussed voicemail snooping and vulnerabilities, specifically as related to US mobile operators. Apparently many voicemail services just use Caller ID to identify when the inbound call is coming from a handset - so easily spoofed. Doesn't even use SIM-based authentication when calling from the phone itself. 

3 comments:

Anonymous said...

The Guardian says some reporters gained access to sensitive information by bribing policemen. As an American I have no idea what your laws are regarding the police/users/mobile phone operators. Does law enforcement in the UK generally have access to detailed call records, voice mail, etc? How is LI implemented?

I agree that this probably happens in the business sector. Shame as it is, that's much less galling than hacking victims of crime.

Mark Grayson said...

The issue was known about as far back as 2004, e.g, see http://www.rootsecure.net/?p=reports/callerid_spoofing.

"Most mobile / cellular phone providers offer an answer phone service which can be set to not require a pin when calling from the phone itsself. Some of these services verify using ANI and can therefore be accessed by anyone spoofing the phones own number when calling the message"

Dean Bubley said...

There seems to be quite a bit of confusion about whether the bribery bit relates to phone-hacking specifically, or more general journalistic malfeasance.

One thing I've read suggested that the police side of things was more about discussing private details of investigations.

I've also just heard an allegation on the radio, that a specific mobile operator may have been involved - possibly an employee selling PINs.

I suspect there were probably multiple methods involved - after all, even legitimate investigative journalism uses a plethora of different avenues to dig up info.

I'm also sure that similarly-invasive exploits are used today.