I’ve been asked in recent weeks how the News of the World private investigators were able to hack into the voicemail of the alleged 4,000 victims of the phone hacking scandal. While the details of all that activity are something for the police to worry about, we can explain the basic methodology of a simple attack to do this. The one probably used in the majority of cases.
In the world of Infosec there is such a thing called a spoofing attack. A spoofing attack is where you have your device (whether that be a phone, pc or laptop) send out network packets with the identity of someone else. In the IP world, communications are broken down into thousands of small packets of data. Each packet has a destination address and a source address. When we’re trying to use a spoofing attack, we can use specialised software to send out packets, with someone else’s source address.
With the convergence of data and voice networks over the last 10 years, there’s been a proliferation of technologies that allow data networks to connect to older technologies traditionally used to provide voice services. This has come in the form of VoIP, technologies that provide Voice Over IP data network. This has brought voice communications into the realm of the computing community, and also into the hands of the bad guys in that community.. hackers. Hackers have produced software tools, that allow them to control the data sent out over VoIP data connections, where calls are made and received.
On your mobile network, you actually have two phone numbers. Your mobile number and also another number that connects to your voicemail. These might be, for example:
Your voicemail mailbox sits out in the mobile operator network. As your voicemail number is essentially just another mobile number, they can be difficult to remember and keep track of. So when you want to check your voicemail, you usually dial some kind of shortcut number, which routes you to our personal voicemail (e.g. O2 uses a shortcut of 901). When the voicemail service receives a call to the 901 number, it will check the incoming call for a CallerID (source address). It then maps this source address to the corresponding Voicemail number and puts you through to your messages.
To gain access to your voicemail, a bad guy simply needs to use the special software that allows him to set callerID. He sets his callerID (source address) to your mobile number and dials 901, hey presto he’s in your voicemail and listening to your messages.
There are measures in place to make this more difficult. For instance, a PIN number can be applied to the Voicemail. Unfortunately, unless forced to do otherwise, most people leave the PIN number as the default one (usually 0000 or 1234). Easily tested and overcome to get access to your messages.
Most network operators are on to these attacks now, so it’s not as easy as it was 4-5 years ago when most of the press hacking was allegedly occurring, but no doubt there are many vulnerabilities out there which can still be exploited.
Disclaimer: Phone hacking as with all other hacking is very, very illegal. This article in no way intends to encourage readers to go out and break the law. Don’t do it, they’ll lock you up and throw away the key.