Phone hacking

Last updated

Phone hacking is the practice of exploring a mobile device, often using computer exploits to analyze everything from the lowest memory and CPU levels up to the highest file system and process levels. Modern open source tooling has become fairly sophisticated to be able to "hook" into individual functions within any running app on an unlocked device and allow deep inspection and modification of its functions.

Contents

Phone hacking is a large branch of computer security that includes studying various situations exactly how attackers use security exploits to gain some level of access to a mobile device in a variety of situations and presumed access levels.

The term came to prominence during the News International phone hacking scandal, in which it was alleged (and in some cases proved in court) that the British tabloid newspaper the News of the World had been involved in the interception of voicemail messages of the British royal family, other public figures, and murdered schoolgirl Milly Dowler. [1]

Victims of phone hacking

Although mobile phone users may be targeted, "for those who are famous, rich or powerful or whose prize is important enough (for whatever reason) to devote time and resources to make a concerted attack, it is usually more common, there are real risks to face." [2]

Techniques

Voicemail hacking

Phone hacking often involves unauthorized access to the voicemail of a mobile phone Motorola L71 on the China Mobile network 20100521.jpg
Phone hacking often involves unauthorized access to the voicemail of a mobile phone

The unauthorized remote access to voicemail systems, such as exposed by the News International phone hacking scandal, is possible because of weaknesses in the implementations of these systems by telephone companies. [3]

Mobile phone voicemail messages may be accessed on a landline telephone with the entry of a personal identification number (PIN). [4] Reporters for News International would call the number of an individual's mobile phone, wait to be moved to voicemail, and then guess the PIN, which was often set at a simple default such as 0000 or 1234. [5]

Even where the default PIN is not known, social engineering can be used to reset the voicemail PIN code to the default by impersonating the owner of the phone with a call to a call centre. [6] [7] During the mid-2000s, calls originating from the handset registered to a voicemail account would be put straight through to voicemail without the need of a PIN. A hacker could use caller ID spoofing to impersonate a target's handset caller ID and thereby gain access to the associated voicemail without a PIN. [8] [9] [10]

Following controversies over phone hacking and criticism of mobile service providers who allowed access to voicemail without a PIN, many mobile phone companies have strengthened the default security of their systems so that remote access to voicemail messages and other phone settings can no longer be achieved even via a default PIN. [4] For example, AT&T announced in August 2011 that all new wireless subscribers would be required to enter a PIN when checking their voicemail, even when checking it from their phones. [11] To encourage password strength, some companies now disallow the use of consecutive or repeat digits in voicemail PINs. [12]

Handsets

An analysis of user-selected PIN codes suggested that ten numbers represent 15% of all iPhone passcodes, with "1234" and "0000" being the most common, with years of birth and graduation also being common choices. [13] Even if a four-digit PIN is randomly selected, the key space is very small ( or 10,000 possibilities), making PINs significantly easier to brute force than most passwords; someone with physical access to a handset secured with a PIN can therefore feasibly determine the PIN in a short time. [14]

Mobile phone microphones can be activated remotely by security agencies or telephone companies without physical access as long as the battery has not been removed. [15] [16] [17] [18] [19] [20] This "roving bug" feature has been used by law enforcement agencies and intelligence services to listen in on nearby conversations. [21]

Other techniques for phone hacking include tricking a mobile phone user into downloading malware that monitors activity on the phone. Bluesnarfing is an unauthorized access to a phone via Bluetooth. [7] [22]

Other

There are flaws in the implementation of the GSM encryption algorithm that allow passive interception. [23] The equipment needed is available to government agencies or can be built from freely available parts. [24]

In December 2011, German researcher Karsten Nohl revealed that it was possible to hack into mobile phone voice and text messages on many networks with free decryption software available on the Internet. He blamed the mobile phone companies for relying on outdated encryption techniques in the 2G system, and said that the problem could be fixed very easily. [25]

Legality

Phone hacking, being a form of surveillance, is illegal in many countries unless it is carried out as lawful interception by a government agency. In the News International phone hacking scandal, private investigator Glenn Mulcaire was found to have violated the Regulation of Investigatory Powers Act 2000. He was sentenced to six months in prison in January 2007. [26] Renewed controversy over the phone-hacking claims led to the closure of the News of the World in July 2011. [27]

In December 2010, the Truth in Caller ID Act was signed into United States law, making it illegal "to cause any caller identification service to knowingly transmit misleading or inaccurate caller identification information with the intent to defraud, cause harm, or wrongfully obtain anything of value." [28] [29]

See also

Related Research Articles

Enhanced 911 is a system used in North America to automatically provide the caller's location to 911 dispatchers. 911 is the universal emergency telephone number in the region. In the European Union, a similar system exists known as E112 and known as eCall when called by a vehicle.

A personal identification number (PIN), PIN code, or sometimes redundantly a PIN number, is a numeric passcode used in the process of authenticating a user accessing a system.

Phone fraud, or more generally communications fraud, is the use of telecommunications products or services with the intention of illegally acquiring money from, or failing to pay, a telecommunication company or its customers.

<span class="mw-page-title-main">Unstructured Supplementary Service Data</span> Communications protocol

Unstructured Supplementary Service Data (USSD), sometimes referred to as "quick codes" or "feature codes", is a communications protocol used by GSM cellular telephones to communicate with the mobile network operator's computers. USSD can be used for WAP browsing, prepaid callback service, mobile-money services, location-based content services, menu-based information services, and as part of configuring the phone on the network. The service does not require a messaging app, and does not incur charges.

<span class="mw-page-title-main">One-time password</span> Password that can only be used once

A one-time password (OTP), also known as a one-time PIN, one-time authorization code (OTAC) or dynamic password, is a password that is valid for only one login session or transaction, on a computer system or other digital device. OTPs avoid several shortcomings that are associated with traditional (static) password-based authentication; a number of implementations also incorporate two-factor authentication by ensuring that the one-time password requires access to something a person has as well as something a person knows.

In Case of Emergency (ICE) is a programme designed to enable first responders, such as paramedics, firefighters, and police officers, as well as hospital personnel, to contact the next of kin of the owner of a mobile phone in order to obtain important medical or support information. The phone entry should supplement or complement written information or indicators. The programme was conceived in the mid-2000s and promoted by British paramedic Bob Brotchie in May 2005. It encourages people to enter emergency contacts in their mobile phone address book under the name 'ICE'. Alternatively, a person can list multiple emergency contacts as 'ICE1', 'ICE2', etc.

<span class="mw-page-title-main">Telephone numbers in the Republic of Ireland</span>

Numbers on the Irish telephone numbering plan are regulated and assigned to operators by ComReg.

7-Eleven SpeakOut Wireless is a Canadian mobile virtual network operator brand for prepaid wireless service. The brand was launched in April 2003 by the 7-Eleven convenience store chain in the United States, and expanded to Canada in November 2005. 7-Eleven SpeakOut ceased operating in the United States in 2010.

<span class="mw-page-title-main">Caller ID spoofing</span> Phone caller faking the phone number sent to the recipient of a phone call

Caller ID spoofing is a spoofing attack which causes the telephone network's Caller ID to indicate to the receiver of a call that the originator of the call is a station other than the true originating station. This can lead to a display showing a phone number different from that of the telephone from which the call was placed.

Voice phishing, or vishing, is the use of telephony to conduct phishing attacks.

A robocall is a phone call that uses a computerized autodialer to deliver a pre-recorded message, as if from a robot. Robocalls are often associated with political and telemarketing phone campaigns, but can also be used for public service, emergency announcements, or scammers. Multiple businesses and telemarketing companies use auto-dialing software to deliver prerecorded messages to millions of users. Some robocalls use personalized audio messages to simulate an actual personal phone call. The service is also viewed as prone to association with scams.

1-5-7-1 is the name of a family of calling features in the United Kingdom, for residential and business telephone lines and for mobile telephones, that are provided by BT Group and several other telephone service providers. The family is named after the telephone number 1571, the special service number that is used to access it. Call Minder is the name of BT's highest level of 1571 service.

In many voice telephone networks, anonymous call rejection (ACR) is a calling feature implemented in software on the network that automatically screens out calls from callers who have blocked their caller ID information.

Ooma, Inc. is an American publicly traded telecommunications company based in the Silicon Valley, California area. Ooma offers communications services including Voice over IP (VoIP) calling for business, home and mobile users.

<span class="mw-page-title-main">Mobile phone</span> Portable device to make telephone calls using a radio link

A mobile phone or cell phone is a portable telephone that can make and receive calls over a radio frequency link while the user is moving within a telephone service area, as opposed to a fixed-location phone. The radio frequency link establishes a connection to the switching systems of a mobile phone operator, which provides access to the public switched telephone network (PSTN). Modern mobile telephone services use a cellular network architecture, and therefore mobile telephones are called cellphones in North America. In addition to telephony, digital mobile phones support a variety of other services, such as text messaging, multimedia messaging, email, Internet access, short-range wireless communications, satellite access, business applications, payments, multimedia playback and streaming, digital photography, and video games. Mobile phones offering only basic capabilities are known as feature phones ; mobile phones that offer greatly advanced computing capabilities are referred to as smartphones.

<span class="mw-page-title-main">Multi-factor authentication</span> Method of computer access control

Multi-factor authentication is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence to an authentication mechanism. MFA protects personal data—which may include personal identification or financial assets—from being accessed by an unauthorized third party that may have been able to discover, for example, a single password.

The News of the World royal phone hacking scandal was a scandal which developed in 2005 to 2007 around the interception of voicemail relating to the British royal family by a private investigator working for a News of the World journalist. It formed a prelude to the wider News International phone hacking scandal which developed in 2009 and exploded in 2011, when it became clear that the phone hacking had taken place on a much wider scale. Early indications of this in the police investigation were not followed through, and the failures of the police investigation would go on to form part of the wider scandal in 2011.

The News of the World phone hacking scandal investigations followed the revelations in 2005 of voicemail interception on behalf of News of the World. Despite wider evidence of wrongdoing, the News of the World royal phone hacking scandal appeared resolved with the 2007 conviction of the News of the World royal editor Clive Goodman and the private investigator Glenn Mulcaire, and the resignation of editor Andy Coulson. However, a series of civil legal cases and investigations by newspapers, parliament and the police ultimately saw evidence of "industrial scale" phone hacking, leading to the closure of the News of the World on 10 July 2011. However, the affair did not end there, developing into the News Corporation ethics scandal as wrongdoing beyond the News of the World and beyond phone hacking came to light.

<span class="mw-page-title-main">Cellphone surveillance</span> Interception of mobile phone activity

Cellphone surveillance may involve tracking, bugging, monitoring, eavesdropping, and recording conversations and text messages on mobile phones. It also encompasses the monitoring of people's movements, which can be tracked using mobile phone signals when phones are turned on.

References

  1. Davies, Nick; Hill, Amelia (4 July 2011). "Missing Milly Dowler's voicemail was hacked by News of the World". The Guardian . Retrieved 13 July 2011.
  2. Wolfe, Henry B (December 2018). "Secure Mobile From Hackers". mdigitalera.com. Vol. 1, no. 2. p. 3. Archived from the original on 2019-04-02. Retrieved 2018-12-12.
  3. Rogers, David (7 July 2011). "Voicemail Hacking and the 'Phone Hacking' Scandal - How it Worked, Questions to be Asked and Improvements to be Made". Copper Horse Solutions. Retrieved 25 Jul 2012.
  4. 1 2 "Who, What, Why: Can Phone Hackers Still Access Messages?". BBC News . 6 July 2011.
  5. Waterson, Jim (2021-07-10). "News of the World: 10 years since phone-hacking scandal brought down tabloid". The Guardian. ISSN   0261-3077 . Retrieved 2023-05-08.
  6. Voicemail hacking: How Easy Is It?, New Scientist , 6 July 2011
  7. 1 2 Milian, Mark (8 July 2011). "Phone Hacking Can Extend Beyond Voice Mail". CNN . Retrieved 9 July 2011.
  8. Robert McMillan (25 August 2006). "Paris Hilton accused of voice-mail hacking". InfoWorld. Retrieved 14 June 2015.
  9. Cell Phone Voicemail Easily Hacked, NBC News , 28 February 2005
  10. Kevin Mitnick Shows How Easy It Is to Hack a Phone, interview with Kevin Mitnick, CNET , 7 July 2011
  11. Soghoian, Christopher (9 August 2011). "Not an option: time for companies to embrace security by default". Ars Technica . Retrieved 25 July 2012.
  12. Grubb, Ben (8 July 2011). "Vulnerable voicemail: telco-issued PINs insecure". The Sydney Morning Herald . Retrieved 9 July 2011.
  13. Rooney, Ben (15 June 2011). "Once Again, 1234 Is Not A Good Password". The Wall Street Journal . Retrieved 8 July 2011.
  14. Greenberg, Andy (27 Mar 2012). "Here's How Law Enforcement Cracks Your iPhone's Security Code". Forbes.com. Retrieved 25 Jul 2012.
  15. Schneier, Bruce (December 5, 2006). "Remotely Eavesdropping on Cell Phone Microphones". Schneier On Security. Retrieved 13 December 2009.
  16. McCullagh, Declan; Anne Broache (December 1, 2006). "FBI taps cell phone mic as eavesdropping tool". CNet News. Archived from the original on November 10, 2013. Retrieved 2009-03-14.
  17. Odell, Mark (August 1, 2005). "Use of mobile helped police keep tabs on suspect". Financial Times. Retrieved 2009-03-14.
  18. "Telephones". Western Regional Security Office (NOAA official site). 2001. Retrieved 2009-03-22.
  19. "Can You Hear Me Now?". ABC News: The Blotter. Archived from the original on 25 August 2011. Retrieved 13 December 2009.
  20. Lewis Page (2007-06-26). "Cell hack geek stalks pretty blonde shocker". The Register. Archived from the original on 2013-11-03. Retrieved 2010-05-01.
  21. Brian Wheeler (2004-03-02). "This goes no further..." BBC News Online Magazine. Retrieved 2008-06-23.
  22. How easy is it to hack a mobile?, BBC News , 7 September 2010
  23. Jansen, Wayne; Scarfone, Karen (October 2008). "Guidelines on Cell Phone and PDA Security" (PDF). National Institute of Standards and Technology. doi:10.6028/NIST.SP.800-124 . Retrieved 25 Jul 2012.{{cite journal}}: Cite journal requires |journal= (help)
  24. McMillan, Robert. "Hackers Show It's Easy to Snoop on a GSM Call". IDG News Service. Archived from the original on 2012-01-20. Retrieved 2011-07-24.
  25. O'Brien, Kevin J. (25 December 2011). "Lax Security Exposes Voice Mail to Hacking, Study Says". The New York Times . Retrieved 28 December 2011.
  26. "Pair jailed over royal phone taps ", BBC News , 26 January 2007
  27. News of the World to close amid hacking scandal, BBC News , 7 July 2011
  28. Truth in Caller ID Act of 2010, December 22, 2010, accessed 7 July 2017
  29. Archived 2017-10-17 at the Wayback Machine , 29 September 2017