Remember Voice Mail? It's Still Remotely Hackable - InformationWeek

Commentary
7/18/2011
02:28 PM
Kurt Marko
Remember Voice Mail? It's Still Remotely Hackable

As the News of the World scandal highlights, there's often plenty of sensitive information on our cloud-based answering machines. Now is a good time to review phone security 101.

Unless you've been on a wilderness excursion the last couple of weeks, you're aware that there's a scandal of newspaper-shuttering, business-deal-busting, prison-time-threatening proportions across the pond -- one that stems from that most ordinary of phone features, voice mail. You remember, that remotely accessible digital answering machine? The thing we used to exchange messages in the days before texting and Twitter?

Despite being repeatedly described as a "phone hacking" scam, the British tabloid News of the World didn't engage in anything nearly as sophisticated as intercepting live cell phone conversations using techniques such as those described at last summer's Def Con conference or the recent Vodafone exploit. No, this involved simply breaking a voice mail PIN and nosing around.

In this age of data-laden smartphones and targeted spear phishing attacks, it's easy to forget about plain old voice mail. However, as Tiger Woods found out and this latest scandal reiterates, there's often plenty of sensitive information on our cloud-based answering machines. For businesspeople who aren't routinely stalked by the paparazzi, those info nuggets certainly aren't juicy enough for tabloid fodder, but they could be just as damaging to your company. Whether it's tidbits about a new product scooped up by a competitor or hints of a takeover offer leaked to a hedge fund manager, voice mail can contain information valuable to an outsider. Sometimes, even the records of whom you called, and when, are enough to tip off a potential foe, as dramatically illustrated by HP's pretexting scandal. Hence, this recent "news of the world" makes it a good time to review phone security 101.

First, and most obviously, pick a random PIN. Most carriers force you to change the default PIN the first time you enter voice mail. Unfortunately, a common suggestion for choosing a memorable one, using your birth month and year, is a bad idea in this age of social networks, where such information is often publicly (albeit sometimes unwittingly) shared. So don't use any number that's publicly associated with you (e.g., your house address) or an easily guessed string (1234), and, if your carrier gives the option, don't use just four digits (the more, the better).
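The PIN advice above, written as a check you could run against a candidate PIN before setting it. This is an added example, not part of the original article; the birth date, house number and phone number are constructed sample values, and the rule names and function names are assumptions of this sketch.

```python
import secrets
from datetime import date

# Constructed sample subscriber data (not from the article).
BIRTH, HOUSE, PHONE = date(1980, 3, 14), "1427", "+1 555 010 0199"
ASCENDING = "01234567890123456789"

def birth_forms(b):
    """Digit strings an outsider can build from a publicly shared birth date."""
    mm, dd, yy, yyyy = f"{b.month:02d}", f"{b.day:02d}", f"{b.year % 100:02d}", str(b.year)
    return {mm + yy, mm + dd, dd + mm, yyyy, mm + dd + yy, dd + mm + yy}

def weak_reasons(pin, birth, house_number, phone):
    """Return the rules a candidate PIN breaks; an empty list means it passes."""
    if not (pin.isascii() and pin.isdigit()):
        return ["not-numeric"]
    reasons = []
    if len(pin) <= 4:                       # "don't use just four digits"
        reasons.append("too-short")
    if len(set(pin)) == 1:                  # 0000, 7777777
        reasons.append("repeated-digit")
    if pin in ASCENDING or pin in ASCENDING[::-1]:   # 1234, 4321, 7890
        reasons.append("sequence")
    if any(form in pin for form in birth_forms(birth)):
        reasons.append("birth-date")
    if len(house_number) >= 3 and house_number in pin:
        reasons.append("house-number")
    if pin in "".join(c for c in phone if c.isdigit()):
        reasons.append("phone-number")
    return reasons

def generate_pin(length, birth, house_number, phone):
    """Draw digits from the OS CSPRNG until the PIN breaks none of the rules."""
    if length <= 4:
        raise ValueError("length must exceed four digits")
    while True:
        pin = "".join(str(secrets.randbelow(10)) for _ in range(length))
        if not weak_reasons(pin, birth, house_number, phone):
            return pin

if __name__ == "__main__":
    for candidate in ("0380", "1234", "0314198", "5550100"):
        print(candidate, weak_reasons(candidate, BIRTH, HOUSE, PHONE))
    print(generate_pin(7, BIRTH, HOUSE, PHONE))
```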

Second, check your voice mail regularly, even when you don't have any messages. Why? As this latest scandal demonstrates, a favorite trick of voice mail voyeurs is changing the victim's PIN in order to prolong their access and keep competitive spies out. If you can't log in to your own account, it's a good bet someone else is. Even if you've chosen a completely random seven-digit PIN, a determined attacker can often get it changed either by pretexting (impersonating you to the carrier and, knowing just enough personal information to be convincing, getting the support person to reset it to a default) or hacking into your account at the carrier's website (you are using a strong password there, aren't you?).

This incident raises a larger question about the wisdom of carriers allowing unfettered remote access to voice mail in the first place. Sure, this policy made sense in the days when wireless phones weren't our primary voice lines, but now, with more people cutting the cord and carrying their phones everywhere, and with forwarding services like Google Voice, the downsides of remote voice mail access seem to outweigh the benefits. Just allowing customers to whitelist a set of allowable numbers would be an improvement, but until carriers enable stronger voice mail security features, password hygiene and vigilant account monitoring will have to suffice.
