I certainly think that those responsible must face the force of both the law and public opprobrium.
But it's also made me think about the process they used. While dastardly, it doesn't sound that difficult - basically either guessing users' default voicemail PIN codes (0000 etc) or - allegedly - bribing somebody to divulge them.
This leads me to three conclusions:
- I can't believe that the NoTW journalists were the only ones who invented and used this technique. Firstly, other journalists are probably equally implicated, as there's a lot of job mobility in that industry. But secondly, this technique has most probably also been used in other countries, and in other contexts. I've got to believe that this goes beyond news, and probably extends to industrial espionage, financial insider-dealing and assorted other forms of snooping and spying.
- The mobile operators (and by implication their vendors/integrators) appear to have been seriously remiss about defining good practice and standards for voicemail security. This does not just extend to allowing default passwords to remain in use indefinitely, it also involves the accessibility of PINs to customer service or other staff. It seems that these PINs are much more weakly locked-down that banks' ATM codes. I also find it hard to believe that UK operators are uniquely lax about this - presumably it's an equal issue around the world.
- Lastly, this is another example of the "cloud" failing in its security. Just because this involved some "social engineering" does not make voicemail hacking any less scary than Sony's loss of customer details or other recent failures. Maybe there should be questions about whether the network is the right default place to store voicemails, rather than downloading them to handsets when connectivity is available.
EDIT: this blog post (found easily on Google) discussed voicemail snooping and vulnerabilities, specifically as related to US mobile operators. Apparently many voicemail services just use Caller ID to identify when the inbound call is coming from a handset - so easily spoofed. Doesn't even use SIM-based authentication when calling from the phone itself.
The Guardian says some reporters gained access to sensitive information by bribing policemen. As an American I have no idea what your laws are regarding the police/users/mobile phone operators. Does law enforcement in the UK generally have access to detailed call records, voice mail, etc? How is LI implemented?
ReplyDeleteI agree that this probably happens in the business sector. Shame as it is, that's much less galling than hacking victims of crime.
The issue was known about as far back as 2004, e.g, see http://www.rootsecure.net/?p=reports/callerid_spoofing.
ReplyDelete"Most mobile / cellular phone providers offer an answer phone service which can be set to not require a pin when calling from the phone itsself. Some of these services verify using ANI and can therefore be accessed by anyone spoofing the phones own number when calling the message"
There seems to be quite a bit of confusion about whether the bribery bit relates to phone-hacking specifically, or more general journalistic malfeasance.
ReplyDeleteOne thing I've read suggested that the police side of things was more about discussing private details of investigations.
I've also just heard an allegation on the radio, that a specific mobile operator may have been involved - possibly an employee selling PINs.
I suspect there were probably multiple methods involved - after all, even legitimate investigative journalism uses a plethora of different avenues to dig up info.
I'm also sure that similarly-invasive exploits are used today.