How To Protect Your Voicemail
MICHELE NORRIS, Host:
We're going to spend the next few minutes now talking about the crime at the center of the News Corp. scandal, the phone-hacking itself; more specifically, how reporters at the News of the World newspaper were able to access the cell phone voicemail messages of celebrities and crime victims.
Believe it or not, it's not as hard as you might think. And I'm joined by Christopher Soghoian. He's a graduate fellow at the Center for Applied Cybersecurity Research at Indiana University. He's here with me in the studio.
First, explain to us how the reporters for the News of the World were able to access people's cell phone messages.
NORRIS: There were some private investigators retained by the News of the World who took advantage of some pretty basic security flaws in the British mobile phone carrier systems.
So essentially what was happening is that the major wireless carriers in the U.K. all had the same default PINs for all of their customers. So for example, T-Mobile in the U.K. might be 1-1-1-1, and every T-Mobile customer would have that PIN unless they chose to change it, and they were not required to change it.
And so the private investigators had a list of which PIN numbers existed for which carriers, and so when they had a particular target, they would just look up the target's carrier, call into the phone system, punch in the PIN number, and then they'd be able to listen to voicemail messages.
NORRIS: And a large number of people never changed their PIN number. So they were easy to figure out what they were.
NORRIS: Right. There's a surprisingly large body of social science research showing that consumers with stick the defaults, whether it's - you know - the default PIN number, whether it's the default privacy settings on Facebook, whether it's the 401(k) plan they're given by their employer. Consumers stick with the defaults.
And so the British phone companies, you know, were sort of responsible here for having such lax default settings. Thankfully, because of the backlash from this scandal, the carriers have instituted pretty significant security overhauls.
So for example, they now block common PIN numbers. They now no longer allow anyone other than the individual phone to check voicemail without calling in and authorizing those privileges. So they have fixed things, but it was too late for all the victims of, you know, the Murdoch papers.
NORRIS: Now, that's what happened in the U.K. There are listeners who probably are concerned about the vulnerability of their own phone. What can they do to protect themselves? I've heard about something called spoofing. How does that work?
NORRIS: So spoofing is a technical term. Essentially what it means, it's the art of changing the caller ID number that appears when the number is dialed. And the way that the security works for U.S. wireless carriers, they will usually let you skip entering the PIN if you're calling from your own number.
So what that means is that the way the carriers do it is they look at the number that's showing up on caller ID. If it's the same as your number, then they skip the PIN and let you straight into your voicemail.
And so there are several free or easy-to-use and cheap services that will let you spoof your caller ID. I'm not going to name them on the air here, but they're very easy to find. And so if you go to one of these websites, you enter the number that you want to break into, and you're basically in in a few seconds.
This is not rocket science. And in fact, Paris Hilton was caught a few years ago breaking into Lindsay Lohan's voicemail. So you know, this doesn't require a deep level of sophistication.
NORRIS: So how do you - what do you do to protect yourself from something like this?
NORRIS: So there are four main wireless carriers in the U.S. Two of them are vulnerable to this problem. Two of them are not. So Verizon and T-Mobile users are safe; AT and Sprint users are not. If you are a customer of those two latter networks, you should call up the companies and demand that they not allow the PIN to be bypassed when you're calling from your own phone. They should require that the PIN always be entered.
NORRIS: Christopher Soghoian is a graduate fellow at the Center for Applied Cybersecurity Research at Indiana University. Thanks for coming in.
NORRIS: Thank you.
NPR transcripts are created on a rush deadline by a contractor for NPR, and accuracy and availability may vary. This text may not be in its final form and may be updated or revised in the future. Please be aware that the authoritative record of NPR’s programming is the audio.