Yet again the newspaper headlines are being hit with accusations of mobile phones being hacked. A prominent advisor to the government is forced to resign, although bearing in mind said person’s past life as editor of one of the country’s most rumour-peddling Sunday newspapers, maybe this is no real loss. All of this furore will most likely ignite public concern about mobile phone calls being tapped into, that privacy will be invaded, that nothing they say will be safe from prying ears.
Mobile phone hacking (like computer hacking) conjures up an image of an unkempt nerd with an inability to engage in traditional social behaviour, using a pile of special-purpose kit cobbled together to crack some seemingly impregnable security codes in order to gain access to the prized information. If you want to try cracking the encryption codes in the GSM system that most of us use when making mobile phone calls, you’re not far from the truth. The encryption codes were designed in the early 1990s to be as secure as the technology then could manage, and so far have proven to be uncrackable except by some of the most ardent government organisations.
But the mobile phone so-called hacking that has hit the press needs none of this. Indeed, it’s not the mobile phone network or the conversations that are carried that are being hacked, it’s the voicemail systems. And the key vulnerability here is the four-digit access code (PIN) used to gain access to the voicemail store. Gaining access to this needs no high-tech equipment, just a phone with a touch-tone keypad (just about any phone) or another mobile phone.
When voicemail systems were first invented they were sold as an extra service to the mobile phone service – indeed they were a revenue stream in their own right and regarded as a supplementary service for regulatory reasons (but that’s another topic altogether). Mailboxes were built to order for each customer requiring one, and each customer was given a dedicated randomly-assigned PIN to access the mailbox.
Then in the late 1980s we hit upon the idea of giving away a voice mailbox to every customer as a standard part of the mobile service. The number of mailboxes now increased by one or two orders of magnitude, and this could only be done economically if a cheaper way could be found of offering voicemail. Part of this challenge was technology and engineering, but the other big part was customer service. There was no easy way of generating and distributing a vast number of randomly-assigned PIN codes to the customer base, so an easy and cheap alternative was found: make all the PIN codes the same, and tell users to change them or their mailboxes could be compromised. Brilliant idea, but of course not everybody remembered to change their PIN. And no matter how many times you remind people, they will always “forget”, especially if it takes a little time and patience to change it.
And my guess is that the busier and “more important” a person is, the less likely they are to “find the time” to change their PIN. So if you want to access someone’s mailbox, just call their phone, wait for the call to go to voicemail (after all these people are too busy to answer the call), enter the default PIN and see what you get. Simple, eh? And it’s not hacking as we know it, either.