The week of August 2, 2015

The frightening ease of voicemail hacking

By Dell Cameron

“Hi, Dell. This is Andrew at EFF. We got disconnected. Oh, I think you might be calling me.”

I was playing phone tag with Andrew Crocker, a law fellow at the Electronic Frontier Foundation, during an ongoing conversation about national security letters. It was a week-old voicemail message just sitting in my inbox. But I wasn’t listening to his message on my phone. I was reading it on my laptop in a chatroom with a hacker aptly named “Phr3ak.”

“End of call,” Phr3ak replied, as if he were handing my inbox back—something I’ll never rely on again.

“It works for all carriers and has been tested in multiple countries,” he added. “With permission of course.”

In reality, Phr3ak is Jamie Woodruff, a 21-year-old security researcher from Rishton, England, who had permission to break into my voicemail. Had he not, his demonstration would have constituted a serious crime under Britain’s Data Protection Act (DPA). Journalists and private eyes charged in the now-infamous News International phone hacking scandal are facing years behind bars. In America, well, computer fraud can earn you decades.

Despite the crackdown on voicemail hacking following the controversy at Murdoch’s News of the World, unfortunately, the act itself is easier than ever.

“Basically, the outbound call from my cellphone … gets relayed to my VoIP [Voice over IP] server,” Woodruff explained. “I then spoof the outgoing call; I trick your phone into thinking it’s you calling locally and thus bypass the voicemail server.”

That may not sound simple to the rest of us, but it’s not a new technique. In fact, as far as hacking goes, this exploit is elementary. For years, people have been phone “spoofing,” tricking telephone systems into believing that they’re calling from a different number. More often than not, it’s employed as a harmless prank, but there are far more diabolical applications. Appearing to be a law office, police station, or phone company to a stranger, for example, is a useful tool for social engineers who seek information their marks might otherwise not disclose.

A rudimentary tool currently available to the public is called SpoofCard. For a price, users can dial an 800 number, enter their unique PIN, and have any outgoing number they wish. To conceal their identity from law enforcement, the attacker can easily make the call using Skype while routing it through a virtual private network (VPN). But Woodruff doesn’t use SpoofCard.

“SpoofCard sucks,” Woodruff remarked after staging the infiltration of my inbox. “Mine is free, faster, and doesn’t require calling an external number.” The steps to remain anonymous are the same, however: employing a VPN and ensuring that VoIP protocols are routed through standard Web encryption (SSL).

Tricking the phone company into thinking he was me was essential to Woodruff’s demonstration. From any other number, the system will always require my unique PIN code. Masquerading as me (or, rather, my phone), he could listen to all of my messages, delete them, and change my greeting, even my password.

Thankfully, I can patch this hole by simply requiring a PIN at all times. I soon learned that many of my friends, however, do not have this option enabled. (Several of my colleagues scurried to adjust their own voicemail settings as we discussed this story.)

A self-described ethical hacker, Woodruff was firm that he would never use his method to attack anyone—at least, not without their permission.  “I always have written and verbal authorization,” he said.

At a Southampton University hackathon last April, Woodruff identified a vulnerability in Facebook and was recognized as a penetration testing engineer by I.T. Security Experts (ITSE), a certification acknowledged by the National Security Agency (NSA). At Innotech Summit 2014, he shared a stage with former Lulzsec hacker Mustafa Al-Bassam and London Mayor Boris Johnson to talk privacy, data, and online legislation.

• • •

Though I was capable of defending myself against Woodruff’s attack by changing a few settings, there’s another major security flaw that I’ll never be rid of: the phone company. Customer service agents have way too much power. If someone were convincing enough, or perhaps had the right piece of information about me, they would gladly reset my password.

“I can cry and pretend I have dementia,” Woodruff wrote assuredly. “They will give in. Trust me. When people are out of the comfort zone, it’s easy.”

Hackers are relying more than ever on predictable human laziness to get them the access they need, especially now that so many companies are taking steps to enhance privacy safeguards. It might take days or weeks for a computer to guess my password, if such an attack were even permitted. It doesn’t take a mastermind to extract a few tiny bits of information: obvious answers to obvious security questions, my mother’s maiden name, or a nine-digit Social Security number (SSN) I’ve used since birth.

And if the phone company can’t be swindled so easily, there’s always you.

Imagine receiving an urgent call at a less than opportune moment. It’s from the bank—your caller ID says. Someone is trying to drain your account. A vigilant fraud department employee says he flagged the suspicious activity. “Would you like to authorize this withdrawal, sir?” Of course not. “Can you please verify the last four digits of your social security number?”

Yes, my coveted, super-secret SSN—that’s all my phone company asked for when I called to reset my precious PIN. And what is a SSN? A number that I can’t change, which is what I’m told to do with passwords regularly. Who has access to it? Every U.S. government agency and almost every company I’ve ever had a contract with, ever. Could we make stealing something any easier?

“Is there anything phone companies can do to stop this?” a broken me finally asks Woodruff.

“There is nothing they can do,” he replies. “Even two-factor authentication would just mess up the call or piss people off.”

“So, we should probably all just stop using our voicemail then?”



A version of this story was originally published on the Daily Dot on Oct. 23, 2014.

Photo by salimfadhley/Flickr (CC BY SA 2.0) | Remix by Fernando Alfonso III