ADVERTISEMENT
  About the SA Blog Network













Observations

Observations


Opinion, arguments & analyses from the editors of Scientific American
Observations HomeAboutContact

How Do You Hack Into Someone’s Voice Mail?

The views expressed are those of the author and are not necessarily those of Scientific American.


Email   PrintPrint



phone hack, mobil, wireless, security, privacyThe scandal that helped shutter Rupert Murdoch’s News of the World tabloid and left at least nine News International journalists facing possible criminal charges has brought phone hacking into the spotlight as a means of subversively gathering information for news articles. As investigators study the scope of the problem, including the role phone hacking played in News of the World‘s coverage of the disappearance and death of teen Milly Dowler in 2002, it’s become clear that breaking into someone else’s voice mail isn’t very difficult.

This, of course, doesn’t make phone hacking legal. In England, where the alleged offenses took place, it is a crime to intercept phone calls unless you’re a police officer or intelligence agent with an official warrant, which can be granted only to protect national security. News International may also face legal problems in the U.S. under the Foreign Corrupt Practices Act (FCPA) based on allegations that News of the World reporters offered to pay a New York police officer to retrieve the private phone records of victims of the September 11 attacks.

The key to breaking into someone’s voice mail is to access that person’s voice mail prompt and/or management systems, says Jim Broome, practice manager for enterprise consulting with Accuvant LABS, the security assessment and research division of Denver-based Accuvant, Inc. This can be done in several basic ways particularly if a person’s voice mail account has no password or PIN, uses the default password that came with his account (typically 0000 or 1234, or something along those lines), or uses a simple password that’s easy to guess, Broome says.

Voice mail prompts can also be accessed via caller ID spoofing. With the advent of caller ID, many voice mail systems have been created that simply check the number calling in and base authentication on that match, Broome says. Caller ID spoofing services like Spoofcard.com allow people to make it appear that their phone number is the same as the digits they are dialing. When the receiving phone recognizes its own phone number, it will often dump the caller directly into voice mail.

Apple apparently isn’t amused by SpoofCard and has removed the app from its App Store, although it’s still available through Spoofcard.com.

Obviously, setting a strong password (one that is not obvious, such as a birthday) is the primary measure for securing a voice mail account. It’s also a good idea to change your PIN every few months. Of course, good luck remembering it.

Image courtesy of Slavoljub Pantelic, via iStockphoto.com





Rights & Permissions

Comments 6 Comments

Add Comment
  1. 1. hemo_jr 12:10 pm 07/12/2011

    When a typical PIN has only 10,000 possible solutions, brute force hacking is a real possibility.

    Link to this
  2. 2. cccampbell38 1:20 pm 07/12/2011

    Why am I not surprised that this alleged illegal activity is reported to have occurred in a Rupert Murdock owned publication? I wonder how widespread it and other questionable practices might be in other news outlets that he owns. I hope that the powers that be in every nation potentially effected do a thorough investigation of journalistic practices in all the companies in which he has an interest.
    Technology should serve us, not be used against us. It’s up to us and our governments to see that this happens.

    Link to this
  3. 3. J'Carlin 5:57 pm 07/12/2011

    Upload anything you need to keep to a secure site and delete the rest. They can hack my voicemail at home or cell and get "You have no messages." If they can break the secure password on one of my non-public emails they are welcome to whatever they find there. But I bet they won’t. The mnemonic is First and third letters of a few friends names interspersed not randomly with numbers & special characters and the abbreviated app name. A number is the month minus x for passwords that have to be changed. As an example SGo4Am^Mr—– would be close except that George isn’t one of my friends. Neither is Mary.

    Link to this
  4. 4. jgrosay 12:25 pm 07/13/2011

    You can build a system with two or three backup emergency systems,with redundant logic or whatever you can imagine to withstand a failure or catastrophe. Nobody can build something that resists a deliberate human attempt to destroy or harm it, as thieves are more or less equally smart than policemen. We just expect that the police has better devices or facilities. Good luck!

    Link to this
  5. 5. gmperkins 6:30 pm 07/22/2011

    I gave a few talks and listened to even more talks by security experts, over 8+ years ago now, that outlined how weak the security of all these new devices were.

    The reason, as always, is cost. You tell some company that their security is bad. You tell them how to fix it, they say they will do it… but come costs/deadlines and it never gets done properly.

    Plus, if you make the security too good then certain governments will complain/ban the device.

    Bottom line, security is weak and will remain weak for the foreseeable future. Governments want easy access to your private data and businesses want to make a product as cheap as possible.

    Basically, don’t do anything online that you wouldn’t want strangers (or the government) to know about. And don’t think your PC is safe, even with all the security programs out there. They just stop the simple attacks.

    Fortunately, it does take time to scan through reams of data which is the biggest deterrent. We basically have security through obscurity.

    Link to this
  6. 6. gmperkins 7:15 pm 07/22/2011

    Oh, I should add that it is a bit more difficult to cover your tracks than it is to gain access. At least if you use your own equipment. This is where a group of hackers come in because they can setup a chain of proxy servers to hide the point of origin.

    The guy in Britain got caught because the trail lead right back to his stuff.

    Link to this

Add a Comment
You must sign in or register as a ScientificAmerican.com member to submit a comment.

More from Scientific American

Scientific American Holiday Sale

Give a Gift &
Get a Gift - Free!

Give a 1 year subscription as low as $14.99

Subscribe Now! >

X

Email this Article

X