Could British Voicemail Hacking Happen in US?
Britain was rocked this week by the latest developments in a massive cellphone-hacking scandal that's been unraveling for several years. One of the nation's largest newspapers is shutting down as a result, and friends of the prime minister face the loss of their jobs, or even possibly jail time.
The entire affair stems from a series of "hacks" — really just illegal accessing — of the mobile-phone voicemail boxes of public and private citizens. The journalists and private investigators who carried it out on behalf of the Sunday tabloid the News of the World had no special technical skills and found it easy to get into other people's voicemail.
So could the same thing happen here in the United States? It almost certainly could. American cellular carriers' voicemail security is no better, and in some cases worse, than that of their British counterparts.
According to the New York Times and other sources, many of the account holders (who included celebrities, sports stars, members of the royal family and private citizens) whose voicemails were illegally accessed had never changed their voicemail accounts' default passcodes.
In the cases of two of the biggest British wireless carriers, those passcodes were "1111" and "4444." Once the journalists and investigators learned the target's mobile-phone number, the battle was half over.
The major British carriers said they've now changed their policies so that every customer has to set up a unique passcode, but that's not entirely the case in the U.S.
Sprint and T-Mobile still employ default passcodes on at least some of their voicemail accounts. T-Mobile uses the last four digits of the cellular number, while Sprint makes it the last seven digits.
Verizon Wireless's website doesn't mention a default passcode, but one website says it's "9999." AT&T Wireless does not seem to have a default passcode.
To access customer voicemail accounts, the News of the World personnel sometimes called the special numbers set up by each carrier to allow customers to check voicemail from landlines.
American carriers have those numbers as well — perfect if you're at your grandmother's house in the country and can't get cellular coverage.
In the British cases, the journalists and investigators used what was called a "double screw." One of a two-man team would call the target on his cellphone and engage him in a mundane conversation, while the other would call the cellphone a split-second later and be shunted directly to voicemail while the target phone was still ringing.
Once redirected, the second person would press "*" or "#" to engage the checking of voicemail messages. There's no reason that tactic wouldn't work in the U.S. as well.
If the targeted person had been smart and had changed his passcode to something other than the default, the News of the World journalists would do a little social engineering.
They would call the wireless carrier company and pretend to be the account holder, or a regional administrator for the same company – anything to learn the passcode or be given a chance to reset it.
That's hardly unique to Britain. American pranksters have gotten into celebrity voicemail accounts using such methods.
And since many carriers require only a four-digit PIN as a passcode, it's often easy to guess it. A recent paper showed that even iPhone users were inordinately fond of "1234," "1111," "2580" (straight down a phone keypad), "0852" (straight up it), and so on.
In fact, there's another method to get into someone else's voicemail that the News of the World personnel may not have tried, and which may not be possible in Britain.
No passcodes at all
Three of the four major U.S. carriers give customers the option of setting no passcode at all on their voicemail accounts.
As AT&T Wireless puts it: "The voicemail system does not initially require a password to check messages from your wireless device. You must enable the Password feature on your voicemail box to secure your voicemail calls. "
Sprint and T-Mobile also offer what Sprint calls the "Skip Passcode" option, although Sprint does note that "the best way to protect your voicemail from unauthorized access is to use a passcode."
This option lets users check voicemail directly from their cellphones without the inconvenience of a passcode.
But since the voicemail servers merely check to make certain you're calling from your own number, it means that anyone using phone-number-spoofing software can get right into your voicemail as well, as was revealed in 2005 when pranksters got into Paris Hilton's voicemail using that method.
Verizon Wireless is the exception here. By default, it forces all customers to have a voicemail passcode.
Its website does offer workarounds to set phones to automatically enter passcodes, but spoofing software can't hijack that – an intruder would need the actual phone itself to get into the voicemail account.