by Andy Gent
Despite six months of hearings, 184 witnesses, 42 written submissions and one Lord Justice Inquiry, voicemail services are still not as secure as you might expect. You may recall that Lord Justice Leveson’s inquiry into the ‘culture, practices and ethics of the press’ focused heavily on journalists who had gained access to celebrities’ voicemail, in what came to be known as the Phone Hacking Scandal. Surprisingly, the methods used by these journalists to remotely access people’s voicemail have not yet been rendered redundant by the mobile network operators that supply the services. These are not new or advanced methods. They involve basic knowledge and equipment and, as The Register has now shown, can be accomplished more easily than ever.
Following the scandal, most of us believed that these fraudsters were able to access voicemail because of default or easy-to-guess PIN numbers, and that resetting our voicemail PIN would fix the security problem. Unfortunately, that is not the case. Caller ID is a service that most of us take for granted, especially as modern smartphones can store a variety of data for a single contact, such as their email or Facebook address along with multiple phone numbers. Smartphones can link phone numbers to internet messaging services like WhatsApp and Voice over IP (VoIP) services like Viber. The basic feature of identifying who is calling you would not necessarily be the prime suspect in a hunt for a security leak, but it should be.
Calling Line Identification (CLI) is the caller ID system used by UK mobile phone networks and the majority of VoIP apps. The service transmits a caller’s CLI to your phone when they ring you to establish their identity and display it on your handset. This code can also be transmitted through a modem to a computer for the purposes of call logging, blocking or screening. Most UK networks also use CLI to connect your phone automatically to your voicemail when you dial it from your handset. Your voicemail recognises your CLI and lets you access your voicemail without having to enter your PIN number each time. The drawback is that someone with malicious intent can ‘spoof’ this CLI, making the receiving number, in this case your voicemail number, recognise the call as if it were from your phone and let the caller through without asking for a PIN. This is not a new scam. The first mainstream ‘Caller ID Spoofing Service’ was called ‘Star38.com’ and was set up in September 2004 as a prank calling service. It was shut down shortly afterwards due to the owner receiving death threats.
The voicemail security system on your account should mean that if any phone number (more specifically CLI) other than yours dials your voicemail number then they would be required to enter your PIN number. Remote access from another phone is enabled in this way to allow access to voicemail when abroad, as sometimes even if you are using your own phone, the roaming network will not transfer the CLI to the number you are calling.
Now the good news is, if you are on either the Vodafone or O2 network, you don’t have to worry, as they have additional security systems in place to counteract caller ID spoofing. 3 and EE, however, do not. Remote access to voicemail numbers on these networks via CLI spoofing is still possible, despite repeated warnings and exposure. The most recent warnings came from the Leveson Inquiry, which investigated several methods of voicemail hacking, of which ID spoofing was one. Mr Charles Brookson, of Zeata Security, who provided a briefing to the inquiry, said that he “felt that the phone companies could do more to educate and encourage their subscribers to take security seriously on their phones and voicemail.” Mr Brookson offered reassurance that 3G networks are more secure than traditional GSM, although it is unclear whether 4G networks will offer additional security in the future. He also explained that UK SIM cards can no longer be cloned, but that SIM cards purchased abroad still pose a risk. More worryingly, he specifically cited CLI spoofing, the security threat that, almost 3 years later, is still very much at issue.
Networks can and should do more to prevent this kind of mobile fraud. They are in a unique position to have total control over the signalling pathway and have enormous amounts of data available to increase security. Home Location Registers (HLRs), International Mobile Station Equipment Identities (IMEIs) and Cell Tower IDs can all be used simultaneously for secure identification. With increasing use of the notoriously less-secure internet to make calls and send messages through services like Skype, WhatsApp and other VoIP services, one would expect traditional networks to be the safest way to communicate. Clearly though, there is still more to be done.
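The voicemail access decision described above, sketched as an added example that is not taken from any operator's system: a policy that trusts the presented CLI alone, next to one that skips the PIN only when network-side data corroborates it. The field names, the sample number and IMEI, and the choice of corroborating signals are assumptions made for illustration.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Subscriber:            # hypothetical record the network holds (e.g. via its HLR)
    msisdn: str              # subscriber's phone number
    imei: str                # handset registered for this subscriber
    pin: str                 # voicemail PIN (a real system would store a salted hash)

@dataclass(frozen=True)
class InboundCall:           # hypothetical view of a call arriving at the voicemail platform
    presented_cli: str             # caller ID carried in signalling; the caller can influence it
    on_home_network: bool          # network-side fact: call originated on the operator's own network
    network_imei: Optional[str]    # handset identity seen by the network, None when off-net
    entered_pin: Optional[str] = None

def pin_check(call: InboundCall, sub: Subscriber) -> str:
    """Fallback path: ask for the PIN, then compare in constant time."""
    if call.entered_pin is None:
        return "PROMPT_PIN"
    return "GRANT" if hmac.compare_digest(call.entered_pin, sub.pin) else "DENY"

def cli_only_policy(call: InboundCall, sub: Subscriber) -> str:
    """Weak: a matching presented CLI alone opens the mailbox."""
    if call.presented_cli == sub.msisdn:
        return "GRANT"
    return pin_check(call, sub)

def corroborated_policy(call: InboundCall, sub: Subscriber) -> str:
    """Stronger: the CLI skips the PIN only when network-held data agrees with it."""
    corroborated = (
        call.presented_cli == sub.msisdn
        and call.on_home_network
        and call.network_imei == sub.imei
    )
    return "GRANT" if corroborated else pin_check(call, sub)

# Constructed sample data (number and IMEI are made up for this example).
SUB = Subscriber(msisdn="+447700900123", imei="356938035643809", pin="8462")
OWN_HANDSET = InboundCall("+447700900123", True, "356938035643809")
SPOOFED_CLI = InboundCall("+447700900123", False, None)   # CLI matches, nothing else does
ROAMING_OK = InboundCall("", False, None, entered_pin="8462")  # CLI not transferred abroad
ROAMING_BAD = InboundCall("", False, None, entered_pin="0000")

if __name__ == "__main__":
    for name, call in [("own handset", OWN_HANDSET), ("spoofed CLI", SPOOFED_CLI),
                       ("roaming, right PIN", ROAMING_OK), ("roaming, wrong PIN", ROAMING_BAD)]:
        print(f"{name:20} cli_only={cli_only_policy(call, SUB):10} "
              f"corroborated={corroborated_policy(call, SUB)}")
```

The roaming cases show that demanding a PIN whenever corroboration is missing keeps remote access working while removing the PIN-free path for a call that only presents the right number.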