Posted by Mike Evans in Feature on July 12, 2011

If you’ve been wondering how the News of the World hacked into people’s voicemail, and how you can prevent it from happening to you, then you’re in luck – I’m about to reveal all!

Better still, although you’re unlikely to know if your phone has been hacked in the past, you can certainly prevent it from being hacked in the future. I’ll show you some of the steps you need to take to make your smartphone more secure in this dark Orwellian future we seem to be living in.

How the News of the World hacked into voicemail
How you can protect yourself
Phone hacking

How the News of the World hacked into people’s voicemail

When somebody phones your mobile and you’re already talking on it, the new call is redirected to your phone’s voicemail, where the caller can leave a message. It’s these messages that were hacked into by News of the World journalists, who listened in to thousands of messages left by friends of each victim.

Scarily, the way they achieved this was simplicity itself.
News of the World logo

Spoofing Caller ID

Voicemail services are designed to be accessed remotely, but only by you, the official authenticated user. Your voicemail service is associated with your Caller ID, which your phone passes to the voicemail service, and which identifies you as the legitimate user of the service.

Back in the early 2000s, this was all you needed to access your voicemail. You simply phoned your voicemail service, which recognised your Caller ID and let you in. There were no passwords or other forms of identification needed – just your Caller ID.
Caller ID
Unfortunately, the Caller ID is ridiculously easy to spoof. There’s even a spoofing app that lets you type in the Caller ID you want to appear as!

So all a determined hacker needed was your phone number and some easy to use spoofing software, and they would be let in, almost with a red carpet!

Remote Voicemail access

Another way of accessing voicemail messages is to do it remotely – that is, via a different phone from the one normally associated with your voicemail service, and with a different Caller ID.

You do this by using a 4 digit password. Just call your phone number, let it ring, and when you’re put through to voicemail, hit the hash key and enter your password and all of your messages are once more made available.

The problem is, virtually nobody sets their password, with the result being literally millions of voicemail boxes all using the same, default – and widely known – password.

O2, for example, used 8705 while T-Mobile used 1210. If you never changed your PIN, this was the number that would be used to access all of your messages.

Just think about that for a minute. If you were on O2, anybody could call your number, wait to be put through to voicemail, then hit hash followed by 8705 and they could access all of your voicemail messages.

Scary stuff!

What if the user has set their password though? No problem. Just call up the operator pretending to be the victim and tell them you’ve forgotten the password and could they reset it!

Do the News of the World’s phone hacking techniques still work?

After the phone hacking allegations first came to light, the mobile operators tightened their security. If you’ve never set a password, for example, then you won’t be able to use remote voicemail. As such, you can only use voicemail from the phone with the correct Caller ID.

But didn’t I just say that it’s super-easy to spoof your Caller ID? Yes – and that’s still the case, as super-hacker Kevin Mitnick shows just how easy it still is.

The Caller ID is seen by the mobile network as being authentic, regardless of where it comes from. So if a phone dials into the voicemail system with the correct Caller ID, no further challenges will be made, and the phone is given full and complete access.

Pages: 1 2