This week, Rupert Murdoch testified before a British judicial inquiry on media ethics that he was unaware that his employees at the now-defunct British tabloid News of the World allegedly hacked into an estimated 4,000 victims’ voicemail systems. The hacking occurred between 2003 and 2007, and as the investigation widens to other news-gathering organizations, that number may continue to rise.
Murdoch has admitted that he didn't dig deeper into the problem when evidence of the hacking began to surface in 2006. It wasn't until the scandal exploded last summer with proof that journalists had tapped into the cellphone of a kidnapped girl, who had been murdered, that he finally shut down the paper, which had been in business for 168 years.
So, just how did these reporters-turned-hackers break into the cellphones and voice mail boxes of celebrities, politicians and ordinary citizens?
They likely used the low-tech approach of merely guessing someone’s four-digit voice mail PIN number or password. To access that PIN, some reporters may have employed pretexting (or blagging in British parlance), which involves contacting mobile operators and impersonating victims to obtain their information.
The invention of caller ID more than 20 years ago also opened up another common avenue for phone hacking: caller ID spoofing.
First discovered in the ’90s, caller ID spoofing allows an unscrupulous sort to choose whatever number he would like for his caller ID. For instance, pioneer caller ID spoofer Lucky255 used it to switch his caller ID to 867-5309/Jenny from the bygone pop band Tommy Tutone.
If you call your own cellphone number from your cellphone, the mobile service provider will typically route you straight to your voice mail. By using caller ID SpoofCard apps and programs, voice mail thieves can switch their caller ID display numbers to a victim's display number, dial up the victim’s phone number and gain access to the voice mail. All they have to do next is decipher the four-digit PIN.
“Send an enticing link via SMS, email, Twitter; if the target follows from their phone, you've got a chance at using one of many remote exploits for iPhone and Android to install a rootkit,” which is software designed to grant internal access to a device, Kitchen explained.
“From there, you can have phone book data, voice mail, text message logs, browser history or anything covertly sent to you.”
Which smartphone you have does make a difference, since some operating systems are more vulnerable to hacks than others.
“Older versions of Android are easiest to hack,” Kitchen said. “Recent versions of iOS [are easy to hack] too, though both Apple and Google have been quick to release patches.”
If a rogue reporter were to hack into someone’s voice mail, is there any way to detect the intrusion?
“Unfortunately, voice mail systems from the major carriers in the U.S. leave a lot to be desired,” Kitchen said. “None that I've encountered offer any sort of access log. The best you can determine is whether or not a message has been listened to. Even then, if a hacker were to listen to and then delete a message, you'd have little way of knowing.”
For that reason, Duke University new media expert Mark Olson thinks it’s time for the public to demand improved security measures.
“Ubiquitous computing, of which our smartphones and tablets are but just the beginning, is going to require that we shift our paradigms of privacy and security in profound ways,” said Olson, an assistant professor of visual and media studies. “This isn't just the responsibility of the average Joe user, however. We need to be demanding that our mobile service providers aggressively protect our privacy and keep the bar high for device security.”
And in the meantime, to avoid becoming phone hacking victims, users should take extra precautions to regularly reset their PIN numbers to protect their data — just as we have been trained to do with our computers and online accounts.
“It’s not unreasonable to project that [phone hacking] will become more common,” Olson said. “As more of our important data finds its way into the cloud, those seeking to exploit that data will seek the weakest point of entry.”