I’m sure everyone in the UK is aware of the News of the World phone hacking stories, but hardly any of the coverage has been on the actual “hacking” and how they did it. It is in fact very trivial, and is not really hacking at all. The word “hacking” has many meanings, with Wikipedia even having an article on all the different definitions, but I doubt this particular hacking comes close to any of those. It isn’t even “phone” hacking either; the reporters managed to get hold of voicemails.
The BBC has a nice and short explanation of what the reporters did. Basically, you phone up the person’s number, and when they don’t answer you get their voicemail. Next, you press the key to access the admin part of the voicemail. For O2, the company I am with, that is a *. O2 will then ask you to enter a 4-digit PIN before allowing you to proceed. This information is widely available on the O2 website, and other mobile companies have similar systems. The problem lies in the PIN – there are default PINs just like there are default passwords to routers. The default for O2 is 8705, also widely available. And there you go, I have told you how to “hack” a phone.
I thought I’d test this out by “hacking” into my own phone. However, I must have paid attention to my Computer Security class when purchasing my phone, as I had set my PIN to something different. What this exercise shows is that the majority of those who got hacked had their default PIN. Most people, myself included, probably didn’t realise before this event (or still don’t realise, as it’s not being well publicized) that there even is a PIN associated with your mobile account. I have only ever accessed my voicemail from my own phone by dialling 901, which does not require any authentication as you are using the mobile to call the voicemail. I must have changed my PIN on receiving the phone and forgotten about it since then. If people don’t know this PIN exists, then of course they aren’t going to change it!
I find it incredible that none of the mobile phone companies are being lambasted for such poor security. According to O2, they have over 16 million customers in the UK. That’s potentially up to 16 million voicemails that can be hacked if the default password is not changed! Of course there are going to be celebrities and other important people with juicy news stories amongst the 16 million! Why is this not as big a news story as the actual hacking itself? Why is News of the World getting all the bad rep when the mobile phone companies are not being reprimanded? In the extreme case I doubt it would cost them a lot to change everyone’s PIN (if it is the default) to something random and text it to the person. What is mildly amusing is that O2, Orange, Vodafone and T-Mobile decided to boycott News of the World as advertisers.
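The fix suggested above (replace any PIN still at the default with a random one and text it to the customer), sketched as an added example that is not from the original post or from any operator's system. The record fields `msisdn` and `pin`, the `send_sms` callback and the sample numbers are assumptions made for illustration, as is the operator being able to read the stored PIN.

```python
import secrets

DEFAULT_PIN = "8705"  # the O2 default quoted in the post


def is_weak(pin):
    """True for the default, repeated digits (1111) or straight runs (1234, 4321)."""
    if pin == DEFAULT_PIN or len(set(pin)) == 1:
        return True
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {9})  # every step +1 or every step -1, modulo 10


def random_pin(length=4):
    """Draw digits from the OS CSPRNG, rejecting PINs an attacker would try first."""
    while True:
        pin = "".join(secrets.choice("0123456789") for _ in range(length))
        if not is_weak(pin):
            return pin


def remediate(mailboxes, send_sms):
    """Replace every default PIN in place and text the new one to the handset.

    Returns the numbers that were changed; customer-chosen PINs are left alone.
    """
    changed = []
    for box in mailboxes:
        if box["pin"] == DEFAULT_PIN:
            box["pin"] = random_pin()
            send_sms(box["msisdn"], "Your new voicemail PIN is " + box["pin"])
            changed.append(box["msisdn"])
    return changed


# Constructed sample records (hypothetical schema; numbers are from the
# range Ofcom reserves for TV and radio drama).
SAMPLE = [
    {"msisdn": "07700900001", "pin": "8705"},
    {"msisdn": "07700900002", "pin": "3926"},
    {"msisdn": "07700900003", "pin": "8705"},
]

if __name__ == "__main__":
    outbox = []
    done = remediate(SAMPLE, lambda to, text: outbox.append((to, text)))
    print(len(done), "of", len(SAMPLE), "mailboxes had the default PIN")
```

The same `is_weak` check can be applied when a customer sets their own PIN, so that the default cannot be chosen again.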
If you’d like to read a real phone hacking story, go here – International Phone Hacking Ring Busted; Stole $55 Million Worth of Calls
Please let me remind you that “hacking” into any “phone” that is not your own is illegal and I do not endorse it!