Remember Voice Mail? It's Still Remotely Hackable - InformationWeek

Commentary
7/18/2011
02:28 PM
Kurt Marko

Remember Voice Mail? It's Still Remotely Hackable

As the News of the World scandal highlights, there's often plenty of sensitive information on our cloud-based answering machines. Now is a good time to review phone security 101.

Unless you've been on a wilderness excursion the last couple of weeks, you're aware that there's a scandal of newspaper-shuttering, business-deal-busting, prison-time-threatening proportions across the pond -- one that stems from that most ordinary of phone features, voice mail. You remember, that remotely accessible digital answering machine? The thing we used to exchange messages in the days before texting and Twitter?

Despite being repeatedly described as a "phone hacking" scam, the British tabloid News of the World didn't engage in anything nearly as sophisticated as intercepting live cell phone conversations using techniques such as those described at last summer's Def Con conference or the recent Vodafone exploit. No, this involved simply breaking a voice mail PIN and nosing around.

In this age of data-laden smartphones and targeted spear phishing attacks, it's easy to forget about plain old voice mail. However, as Tiger Woods found out and this latest scandal reiterates, there's often plenty of sensitive information on our cloud-based answering machines. For businesspeople who aren't routinely stalked by the paparazzi, those info nuggets certainly aren't juicy enough for tabloid fodder, but they could be just as damaging to your company. Whether it's tidbits about a new product scooped up by a competitor or hints of a takeover offer leaked to a hedge fund manager, voice mail can contain information valuable to an outsider. Sometimes, even the records of whom you called, and when, are enough to tip off a potential foe, as dramatically illustrated by HP's pretexting scandal. Hence, this recent "news of the world" makes it a good time to review phone security 101.

First, and most obviously, pick a random PIN. Most carriers force you to change the default PIN the first time you enter voice mail. Unfortunately, a common suggestion for choosing a memorable one, using your birth month and year, is a bad idea in this age of social networks, where such information is often publicly (albeit sometimes unwittingly) shared. So don't use any number that's publicly associated with you (e.g., your house address) or an easily guessed string (1234), and, if your carrier gives the option, don't use just four digits (the more, the better).
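The PIN advice above can be turned into a self-check. The following Python sketch is an added example, not part of the original article: it flags PINs built from a birth month and year, a house number or a phone number, plus easily guessed strings, and draws a replacement from the operating system's CSPRNG. The personal details, the common-PIN list and the phone-number check are constructed assumptions.

```python
import secrets

# Easily guessed strings; a constructed sample list, not a carrier's blocklist.
COMMON_PINS = {"1234", "0000", "1111", "4321", "1212", "123456", "654321"}

def is_sequence(pin):
    """True if the digits run strictly up or down by one (e.g. 2345, 9876)."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return len(pin) > 1 and steps in ({1}, {-1})

def personal_candidates(birth_month, birth_year, house_number, phone_number):
    """Digit strings an outsider could derive from public personal details."""
    mm, yyyy = f"{birth_month:02d}", str(birth_year)
    yy = yyyy[-2:]
    cands = {mm + yy, mm + yyyy, yy + mm, yyyy, str(house_number)}
    # Assumption beyond the article's examples: phone digits are also public.
    digits = "".join(ch for ch in phone_number if ch.isdigit())
    cands.update({digits[-4:], digits[-7:]})
    return {c for c in cands if c}

def audit_pin(pin, *, birth_month, birth_year, house_number, phone_number):
    """Return the reasons a PIN is weak; an empty list means no finding."""
    if not pin.isdigit():
        return ["PIN must contain digits only"]
    findings = []
    if len(pin) <= 4:
        findings.append("only four digits or fewer")
    if pin in COMMON_PINS or is_sequence(pin) or len(set(pin)) == 1:
        findings.append("easily guessed string")
    personal = personal_candidates(birth_month, birth_year,
                                   house_number, phone_number)
    # Short fragments (under 3 digits) only count on an exact match.
    if pin in personal or any(c in pin for c in personal if len(c) >= 3):
        findings.append("derived from publicly known personal data")
    return findings

def random_pin(length=7):
    """Draw digits from the OS CSPRNG; retry if a weak pattern comes up."""
    while True:
        pin = "".join(secrets.choice("0123456789") for _ in range(length))
        if pin not in COMMON_PINS and not is_sequence(pin) and len(set(pin)) > 1:
            return pin
```
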

Second, check your voice mail regularly, even when you don't have any messages. Why? As this latest scandal demonstrates, a favorite trick of voice mail voyeurs is changing the victim's PIN in order to prolong their access and keep competitive spies out. If you can't log in to your own account, it's a good bet someone else is. Even if you've chosen a completely random seven-digit PIN, a determined attacker can often get it changed either by pretexting (impersonating you to the carrier and, knowing just enough personal information to be convincing, getting the support person to reset it to a default) or hacking into your account at the carrier's website (you are using a strong password there, aren't you?).

This incident raises a larger question about the wisdom of carriers allowing unfettered remote access to voice mail in the first place. Sure, this policy made sense in the days when wireless phones weren't our primary voice lines, but now, with more people cutting the cord and carrying their phones everywhere, and with forwarding services like Google Voice, the downsides of remote voice mail access seem to outweigh the benefits. Just allowing customers to whitelist a set of allowable numbers would be an improvement, but until carriers enable stronger voice mail security features, password hygiene and vigilant account monitoring will have to suffice.
