Cell phone voicemail easily hacked

Millions of cell phone users are at risk of having someone listen to their voicemail or steal their contact phone numbers and other private information, according to a report issued this weekend by an industry consulting firm. 

Representatives from Sprint, Cingular, and T-Mobile confirmed the basic premise of the attack, which is possible because those services enable consumers to turn off the password-checking function.

Cell phone hacking gained prominence last month when reports surfaced that pop star Paris Hilton's T-mobile voicemail and phone book had been hacked.

The attack is simple, according to Bob Egan of MobileCompetency.com,  who wrote the report. Most cell phone providers offer a service called "skip passcode," which allows mobile subscribers to enter their cell phone voicemail and select other administrative options without entering a numeric password. Callers are sometimes told the service is safe, because cell phone providers ensure the call is initiated from the handset owned by the consumer -- making the password unnecessary.

But Eagan discovered that services use caller ID to authenticate the cell phone, and months ago, hackers learned how to spoof, or "trick" the caller ID system.  Using such a service, a hacker can dial the mobile account holder's telephone system and immediately access their voice mail and other services.

Essentially, knowing someone's cell phone number is enough to gain access to their voice mail and all their administrative tools.

Mobile companies warned in August
Spoofing caller ID is easy -- a California company even began offering a commercial service to do so last September.

And last August, a company named Secure Science Corp. issued a warning predicting that the combination of password skipping and caller ID would lead to cell phone hacking. The report specifically named T-Mobile's service as vulnerable. 

Lance James, chief technology officer of Secure Science Corp. was critical of T-Mobile for not insisting after his report came out that its consumers use a password.

"I've never heard a complaint from people who have to enter a four-digit number to get their voicemail," he said. 

T-Mobile spokesman Jackson Jeyanayagam said the company couldn't comment on the report.  The firm issued a statement saying it encouraged consumers to use passwords.

Eagan's reports says several other cell phone providers offer a skip passcode function, and they are all vulnerable to the same attack.

"We were shocked by mobile voicemail vulnerability," he said. "This is not about (cell phone) operator bashing. This is about generating attention. They knew this and haven't generated any action."

Eagan said the method was used to listen to Paris Hilton's voicemail and steal her address book, containing a host of celebrity phone numbers. T-Mobile's Jeyanayagam said he couldn't comment on Hilton's case, citing an ongoing investigation.

MORE FROM WIRELESS

Wireless Section Front

Review: Motorola's Droid a serious smartphone T-Mobile says phone service outage resolved Scared of flying? Press the fear iButton AT&T to Verizon: There’s a lawsuit for that iPhone comes to China without key feature NBA introduces live games on mobile devices Verizon's iPhone challenger goes on sale Nov. 6 5 ways wireless carriers gouge you Busy cell networks a bonanza for gear makers UN body approves universal cell phone charger Wireless Section Front   Add Wireless headlines to your news reader: