UK

Voicemail-Gate Recap from a Security Perspective

I don't know about you, but the revival of the voicemail hacking issues going on in the UK has been sort of interesting to me. For one, because there are many different dynamics and players involved, another because this sort of thing seems to keep going on - for years, and then finally, because we are finally getting some body count for some accountability of actions and inactions of the players. Now if we could only address the underlying technology issues enabling this stupidly easy form of attack! The activities of News of the World of recent have come to seem both systemic and pervasive. This seems the case at least in the News International wing of News Corp, which owned the now shuttered News of the World, if not the broader News Corp as a whole. Too much of this was going on for too long for senior leadership not to know, or at least to not know to inquire internally further. And tone from the top drives the lower layers. If it doesn't, then there is gross negligence at hand at the very least. And from what I have heard of how News Corp senior leadership always had its hands in the pie of operations, there is absolutely no way they could be that unaware. These are not new activities for this company! Either way there is blood in the water for Murdoch's News Corp empire, and it will be interesting to see to what extent it is impacted long term. But enough of that. Lets get to the security portion of all of this. First, lets be clear that there is no hacking of the mobile phone here technically speaking. These are server-side voicemail system issues, social engineering issues, criminal insider issues, a little user naivet thrown in here and there, and just maybe some GSM call interception issues. But not a compromise of the handset. This is an issue of voicemail system hacking and illegal use of privileged access and information by those in authority and power. These private investigators, working on behalf of News of the World and maybe greater News Corp were not breaking into phones to acquire this information. Now, yes, I know this "mobile hacking" label is just a simplistic, layman's way of describing the activity in a clear and tantalizing way, but I think it deserves a mention for clarification given the proper context and known facts. I think the distinctions are an important thing to be clear about if we are to have hope for properly addressing and fixing the underlying problems. As News Corp has contained the trauma and kept the larger patient alive by lopping off the infected body parts, and with the infection potentially spreading to its limbs in the US, I think it is also even more important to look at what was going on - known and potential - and what should or could be done to stop it. It is only through identifying the problems and being real about the current state that will allow us to have any real hope of something better. So, let's dive into what is known about the news of the world malicious activities thus far first. Then we can get into some root causes. And then wrap with some possible

solutions. Firs though, how about a generic architecture diagram of how a carrier class voicemail system fits into the larger ecosystem to give some perspective:

So, what do we know so far? Here are the activities known or suspected as having been conducted in the name of News of the World: 1. Private investigators, on behalf of reporters, and possibly the reporters themselves were calling voicemail boxes of targeted individuals and were able to get direct access to them through various means. 2. Law enforcement was being bribed to provide privileged information to those private investigators or directly to the reports about the mobile calls of targets. This could be anything from the targets mobile number, to the current location of the target's mobile phone, to actual mobile call monitoring. It is not yet clear the extent of these activities, but this type of access would have been feasible. And given the talk of bribery already, I would not be surprised if all were being done to varying extents. Active or passive cellular call monitoring and tracking aside, in order to even think about starting to listen to voicemails you need to know one thing first - the phone number of the target's mobile handset. Given the guarded privacy of certain celebrities and VIPs this may not be as easy as it sounds. There are ways though. And this may be becoming easier as more and more people dump their landlines for mobile numbers solely. When

you do this you start to need to list your mobile as your primary contact on all sorts of things that might not necessarily be all that private. Given this, you need to protect your voicemail if you have a concern for the privacy of messages. In general, here are some of the approaches nefarious people might use to obtain your mobile number: Use online "finder" services that have access to filed documents in which the target has listed their cell phone number as a contact number Search online for social networking sources that list known or suspected numbers Conduct pre-text calling of service providers known or suspected to be used by the target, and get them to identify registered numbers - including, but not limited to the mobile carrier Pay an insider at a service provider to provide the phone number of the target Use [sophisticated] GSM monitoring equipment to identify their IMSI during a known call via visual surveillance and use an HLR lookup service to validate IMSI to MSISDN (phone number) Bribe law enforcement to provide the phone number by querying their systems, which have access to this data

This should not be considered a comprehensive list. And no matter what, the first course of action would be to start compiling a social profile of the target. Combing social networks and searches for associated email addresses, try to determine a birth date, full name, purchase background and public records checks from companies like Intellius. In this fast evolving digital age the harnessing of ones personal information grows increasingly more difficult. Insurance records, rental agreements, student loan documentation, and all of the subsequent statements and billings associated. These resources could be fertile ground for collecting pieces to later connect the dots for a full picture. And think of how companies validate who you are: where you have lived, where you were born, the last four of your SSN, account/policy numbers, birth date, etc. These are the pieces that are used to validate you either via phone or online when you have forgotten your password. There are people that are very skilled in the art of eliciting information in seemingly innocuous ways from people. Loose control over these personal identifier marks and you loose control of your documented life if someone has strong intent to do so. Keep in mind that these actions may not be taken to break into the average Joe's voicemail, but to profile someone to this extent because they are the CxO of a major company, or government/military official, etc. would be trivial, and in this day and age, standard operating procedure for determined adversaries! Does Mr CxO have WIFI in their house using, heaven forbid WEP, or even WPA2? Think it too much to try and get them to associate with a false access point, or to crack the encryption key with a pre- generated list of SSID-derived key values and monitor useful data traffic of the family? If

planned out for determined purposes, using available tools and techniques, this would probably border on trivial. So, now the attacker has the phone number of their target. Now what can they do to get to the targets voicemail? Voicemail systems have been implemented by carriers in a number of different ways - and when I say implemented I mean there are different types of voicemail systems that have varying levels of security oriented features available, and then, also are all of those available controls being utilized in the implementation. Once the number is identified, then the menu of activities is as follows. Remember that the objective is voicemail messages, and to use the easiest methods with lowest risks of detection first. I've listed them in that order, but first the attacker will base their approach off of what security controls that carrier uses based on voicemail system, etc. If that carrier is known to be using default PINs for initial setup of voicemail accounts, then call the external voicemail system to check for the default still being valid Call the external voicemail system of the carrier and try the top 50 most common PIN combinations Call the target number during off hours from a random unknown # while simultaneously calling the target with their own phone number using a spoofing service or private PBX. This way the target does not see their own number calling into them, because while the random number is ringing in, the spoofed number gets sent directly to voicemail. If the voicemail system only uses caller ID to authorize entry, then the attacker is in the voicemail. Call the carrier support line to try and get the voicemail PIN reset to a known value. This is where the more personal information known, the easier. Modify an attacker cell phone to impersonate the registered handset hardware of the target and call voicemail. The main point of this method would be to try and get past IMEI based security controls.

Another interesting aspect to keep in mind is that the majority of individuals now use their phones to automatically check their voicemail without a need for entering in their PIN at all. This is because the mobile phone is a recognized entity for accessing their voicemail. So if the attacker is able to change/reset the voicemail PIN initially with spoofing or other means, then they can access the voicemail without spoofing at all and the target would likely never even realize the PIN had been changed unless the system happens to implement secondary detection measures notifying users of the changes. Lets discuss PIN/Pass code security a bit now also. Because after all, even when the right controls are in place on the voicemail system, if the user chooses a painfully easy pass code, then it does not matter much. But, that said, a voicemail system shouldn't let

someone repeatedly enter in invalid entries unchecked. There are also common number patterns that should always be avoided being used as the pass code. What would be great is if the voicemail system checked against a short list of these common patterns when the user sets up their mailbox pass code, and recommends they not use it once flagged. Remember all that profiling info the attacker gathered initially? Well, it can often come in handy here too because people are creatures of not only habit, but ease as well. Here are some common easy PIN/Pass code combinations utilized: Last four digits of phone number Birth year or month and date combo of target. According to a study conducted by Daniel Amitay through his app Big Brother Camera Security, years between 1980 and 1989 were all in the top 100 pass codes used, while the years 1990 to 2000 were in the top 50 used Year graduated high school, collage, married, etc. First name spelled out, first name of spouse, child's name Common words spelled out: love, hate, pass, password, @!*& type words, etc. House number or zip code Common number keypad patterns: 1111 and the rest of the keypad numbers in secession for 4 and 6 character PIN, 1000 and the rest of the keypad numbers with successive 0s for 4 and 6 character PIN, 1234, 123456, 2525, 2580, 0852, 9876, 1436, 147369, 1425, 1436, 1230, 123321, 1515, 1535, 3456, 6789, etc. You get the idea.

You can now see where a top 50 or a top 75 list of common pass codes would try the most probable for very possible success. And with no lockout or notification time is on the attackers side. The point with these is that people love patterns, correlation, and simplification (AKA re-use) - because remembering all of our PINs and passwords is a horrendous pain in the ass! Unfortunately, this can work against us. Now that we have identified the methods of attack on your voicemail box, lets outline some voicemail system security controls that should and could be in place to protect from this sort of activity. This will not be an exhaustive list necessarily, but fairly comprehensive. And ideally, several of these measures would be used in combination to provide thorough protection. 1. No standard default PINs set 2. PIN required at setup 3. PIN required for all access: from handset or remotely (the PIN could still be configurable in the handset still for convenience too)

4. Randomly generated PIN sent to the user; initial and subsequent 5. PIN required for remote access only 6. Voicemail lockout for escalating time periods based on continued consecutive bad login attempts 7. Voicemail lockout until manual unlock through support rep after a number of consecutive bad attempts 8. User notified of failed PIN attempts greater than 7 9. SMS notification to user of voicemail access remotely 10. Verification of handset IMEI allowed to access voicemail combined with email pre-authorization of new hardware access 11. Check PIN code created by user against known easy/Poor PIN code list and warn against use 12. Reset PINs to random values only and only SMS new PIN to handset and send to user's email 13. User notified of PIN deactivated initially and thereafter at random intervals via SMS 14. Require minimum six character PIN Yes, you are right. These are standard sorts of security measures. These are similar measures that should be in place for anti-social engineering processes as well. It does not take rocket science to address voicemail security, but it does require voicemail system vendors to build this functionality into their multi-million dollar systems so that they can be utilized for end users. Keep in mind also that fixing the voicemail spoofing and pass code hacking issues does not negate the possibility of GSM call monitoring of the target either. Law enforcement has ready access to this sort of tech, but now it is well within reach of private eye types even. This space has evolved in recent years and is much more practically in reach for people intent on establishing a monitoring program with only moderate resources available. For this to be better controlled we really just need to retire GSM in favor of UMTS and LTE only. This will not happen anytime soon of course, so the only other alternative is to get creative with some detections and controls in the handset for false base stations and encryption level changes. Again, not rocket science. Just needs some elbow grease intent and good UI implementation. Many of News Corp's businesses strike me as the WWF of media/news, so I will not shed many tears on any reckoning coming their way in light of the activities they have shown a track record for. I hope it keeps sticking, and I hope things are ultimately improved because of it. In these days of financial meltdowns, bailouts, governance impotence, it is refreshing to see some level of accountability finally. Even if it is for only a brief

moment. And maybe, just maybe, voicemail product teams will be properly incentivized to implement better security feature offerings for consumers to make use of - or stuck with for their own safety - depending on your view.