British journalism made headlines this week for all the wrong reasons, namely hacking. Tabloid paper News Of The World, which broke into dozens of voicemail accounts of prominent or newsworthy public figures in pursuit of scurrilous dirt, most recently crossed the line again by hacking into–and even deleting–voicemail messages of a murder victim. Its actions have resulted in a number of high-profile arrests, and owner Rupert Murdoch’s media empire is taking a big financial hit by shuttering the 168-year-old paper as a result of the scandal.
British tabloids and gossip rags are notoriously underhanded–it could never happen here, right? Guess again: The hacks were super low tech, and would be easy to pull off anywhere that journalists decide to jettison their code of ethics.
Among the sordid details of the News Of The World affair, there are few about how journalists and hired private investigators managed to unlock people’s voicemails. What we do know is that some early investigations by Scotland Yard detectives turned up multiple PIN codes and thousands of “target” phone numbers. And this gives us the clue: The “hacks” were likely no more than brute-force cracking of the access codes for voicemail systems on cellphones and desk phones–those handy little 4-digit numbers that you tap in to access your messages when you’re away.
You can tell how this works: A nefarious type rings the number, waits until it goes to voicemail and then activates the system that enables remote access to previously recorded messages rather than leaving a new message. This could be as simple as pressing “*” or another key combination, easily discovered if you know the details of the particular service a target is using. From here it’s a simple matter to guess the classic, stupid pass codes many people use: 1111, 0000, 1234, 3141 and so on. If these don’t work, then you’ve only got 9,000-plus more to try out–a huge task, but by no means an impossible or even all that time consuming.
This methodical technique would work almost anywhere similar systems are in use. And it’d be even easier to pull off with caller ID spoofing, which is generally intended for innocuous stunts or pranks like making your victim think they’re getting a call from the White House or the lusted-after girl next door. You sign up, hand over some dollars, tap in the number you’re calling from, the target number, and the ID you want to spoof, and bingo.
Spoofing services like these enable all sorts of illegal uses, says digital security expert Nick Percoco, SVP of the forensics and ethical hacking Trustwave’s SpiderLabs security team. For instance, if you knew a prominent executive’s phone number, you could spoof his cellphone ID and then call the company’s main number after hours. Assuming you could fool the helpdesk with a simple story (“Bob here, I have a problem with my office voicemail, can you reset the code for me?”) and they double check merely the number you’re calling from, then you’re in.
It gets worse. Using a free trial of an online ID spoofing service, Percoco spoofed his own AT&T cell phone number and then called it from a landline: “My mobile phone did ring (odd) and it displayed that it was calling itself, but when I got to the voicemail, I hit ‘*’ and I was connected into my voicemail without a PIN.”
“This is certainly possible for anyone who wants to try this (even for free) and target someone’s phone to listen to their voicemails,” says Percoco. There are, of course, more sophisticated techniques available for the truly persistent hacker, including clever GSM tricks like cloning a SIM card so you can make, in effect, a duplicate phone to your target’s. But this requires direct access to the phone, and that’s obviously more of a challenge. A U.S. journalist keen to emulate the News Of The World would likely try a brute-force hack attack, after having found the right phone number, or something like ID spoofing.
Spoof sites say use of their services is subject to obeying terms and conditions, which state you must not use them for illegal purposes, and in some states recording phone calls is illegal under wire-tapping regulations. But that’s not likely to stop a dogged private detective, who could easily hide his own online identity behind disposable email addresses and net-address anonymizing services.
Here’s hoping sleazy tabloid tactics don’t make it across the pond.