How I (Easily) Hacked Into Voice Mail

Monday, July 18, 2011 - 06:27 PM

First, I hacked my own voice mail. Then, when colleagues came around to see, several volunteered their phones, too.

With a few clicks of a mouse, we accessed our mobile phone voice mails from a desktop computer. No password needed. No cellphone needed.

It was surprisingly easy.

The alleged phone hacking at the heart of the scandal at the now-defunct News of the World tabloid can be performed here in the U.S. — and easily. 

It works because some voice mail systems allow you to hear your messages without a password when you're calling from your own phone. The system knows you're calling from your own phone based on your caller ID number.

But there are several online services which, for a small fee, allow you to "spoof" — or fake — a caller ID number. Just $10 gets you access to this trickery, and to clear access to voice mail messages.

I first heard about the technique this morning, in a tweet by Christopher Soghoian, a graduate fellow at the Center for Applied Cybersecurity Research at Indiana University. Within an hour, I'd hacked my own phone.

Our WNYC experiment was not a scientific study — and, again, we accessed only our own cell phone accounts — but we tried two AT&T accounts, two Sprint accounts, two T-Mobile accounts and two Verizon accounts. Once we figured out the technique, we had easy access to voice mail messages in both AT&T accounts and one of the Sprint ones. We couldn't get into those of the T-Mobile and Verizon phones.

The Password Issue

You probably have a password for your voice mail account, which you use to access your messages remotely.

But AT&T spokesman Mark Siegel said that for convenience, AT&T customers "also have the option of not entering your password when accessing your voice mail from your mobile phone."

That's certainly true for my AT&T iPhone. Siegel said for the best security, AT&T recommends customers change their settings to require a password even when checking voicemail from their own phone, which people can do by logging into their account on the AT&T website.

Having that functionality definitely blocked our "spoofing" access to several accounts — though together, one of our newsroom staffers and I were able to access her AT&T account even though her phone requires a password every time she checks her voice mail.

A spokeswoman for Verizon Wireless said their customers must enter a password every time they check voice mail, from any phone. That seemed to be why we couldn't access those phones. As of this writing, we're awaiting a response from Sprint.

Is This Legal?

Spoofing caller IDs does not, in itself, appear to be illegal. There are actually several services that use this technique to legitimately offer people an alternative telephone number.

But under the Truth in Caller ID Act of 2009, it's clearly not legal if you're faking a caller ID "with the intent to defraud, cause harm, or wrongfully obtain anything of value."

Steps You Can Take

First, you can set up your phone to require a password every time, even when checking from your own phone.

But quick access to your messages is pretty convenient. Our in-office experiments suggest another way to help protect yourself is to delete (not just skip) messages you've already heard. That way there's nothing to listen to.

And here's a big red flag: A missed call that looks like it's from your own phone number. That was a byproduct of the trick we used — and a clear sign of our "hacking."
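The two defensive points above, the password-every-time setting and the missed call from your own number, can be sketched as an added example; it is not code from WNYC or any carrier. The field names, the mailbox model and the sample call log are assumptions constructed for illustration.

```python
import hmac
import re

def normalize(number, default_cc="1"):
    """Reduce a displayed number to digits, adding the country code to 10-digit numbers."""
    digits = re.sub(r"\D", "", number)
    return default_cc + digits if len(digits) == 10 else digits

def grants_access(mailbox, caller_id, pin_entered=None):
    """Voicemail access decision as the article describes it (simplified model)."""
    if pin_entered is not None and hmac.compare_digest(pin_entered, mailbox["pin"]):
        return True
    # Convenience path: a matching caller ID skips the password. Caller ID is
    # only a value presented by the calling side, so this check cannot tell
    # the subscriber's handset from any call that presents the same number.
    if mailbox["skip_password_from_own_phone"]:
        return normalize(caller_id) == normalize(mailbox["number"])
    return False

def flag_self_calls(call_log, own_number):
    """Inbound records whose caller ID equals the subscriber's own number."""
    own = normalize(own_number)
    return [r for r in call_log
            if r["direction"] == "inbound" and normalize(r["caller_id"]) == own]

# Constructed sample data (555-01xx numbers are reserved for fiction).
OWN = "+1 (212) 555-0142"
CONVENIENT = {"number": OWN, "pin": "483920", "skip_password_from_own_phone": True}
STRICT = dict(CONVENIENT, skip_password_from_own_phone=False)
CALL_LOG = [
    {"time": "2011-07-18T09:02", "direction": "inbound", "caller_id": "212-555-0177", "status": "answered"},
    {"time": "2011-07-18T09:40", "direction": "inbound", "caller_id": "2125550142", "status": "missed"},
    {"time": "2011-07-18T10:15", "direction": "outbound", "caller_id": "+12125550142", "status": "answered"},
]

if __name__ == "__main__":
    print("convenient, no password:", grants_access(CONVENIENT, "212 555 0142"))
    print("strict, no password:    ", grants_access(STRICT, "212 555 0142"))
    print("strict, with password:  ", grants_access(STRICT, "212 555 0142", "483920"))
    for r in flag_self_calls(CALL_LOG, OWN):
        print("red flag:", r["time"], r["status"], "call showing own number")
```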


Comments [8]

carissa from Oregon

I recently got a Cricket ZTE and I used a USB cable for a car to charge my phone because it was completely dead. Well, now my phone will not turn on completely; it turns on the front screen but won't completely turn on. Any advice or anything I can do? Or any way I can access my voicemail since I forgot my password? Any response helps, thank you. :)

Mar. 18 2012 07:43 AM
Citizen

It seems that in America it is common for websites to exist that teach you how to steal (because hacking is stealing, after all).

Sadly, only in America does a movie glorify bank robbery, and the thieves are proud to kick the bank and take the money, as if the money were just standing on a rock, and not actually being owned by some people instead.

A country of thieves, with the biggest percent of its population in jails. Is that freedom? No, it's a jungle, at its best!

Jul. 28 2011 09:24 AM
Don Thibeau

http://www.trustid.com/blog/ is a good reference for this issue

Jul. 27 2011 12:36 PM
Francisco from Newcastle upon Tyne, UK

I would prefer tougher measures than current because I do appreciate my privacy. I agree with having secure PINs. If you really feel that a PIN is inconvenient just set it "0000".

I also think that systems worldwide should be set up so that you can only access it from the phone that is registered to the account (e.g. checking IMEI and SIM card numbers). Whatever checks are done to establish the identity of the phone, the transmission needs to be encrypted so that people can't get that information by listening in.

Jul. 27 2011 05:03 AM
Alex from Brooklyn NY

Why spend $10, when any fax machine that calls out calls with the caller ID of the header, even when different than the real number it's calling from? This means you could put any cell phone number in the header and call that number. I never tried it, but it should work.

Jul. 25 2011 11:06 PM

I entirely agree with Spoko. I have no desire to enter in a password to listen to my voice mail. In fact I have very little desire to listen to my voice mail so I use google voice which transcribes my voice mail and sends me a text with the message. (And a link to listen if I want)

My voice mails are incredibly boring and generally entirely useless to anyone else. I really don't care if someone else reads/listens to them!

Jul. 25 2011 01:07 PM
spoko from Kearney, NE

I've always considered it a pain that I have to type in my passcode even from my own phone. After reading this, I still do. I don't care who can access my incredibly boring vm inbox--I want the convenience of not having to enter that passcode!

Jul. 21 2011 10:17 AM
David Joerg from New York, NY

Brilliant! And outrageous!

At the risk of stating the obvious... the phone companies need to improve their systems to not be fooled by a Caller ID spoof for phones that are in their _own_network_.

Jul. 19 2011 09:57 AM
