The London press is in an uproar. And rightfully so. Employees of the now shuttered Rupert Murdoch-owned tabloid News of the World apparently hacked into the voicemail (VM) of many hundreds of targets, ranging from leading politicians (two former prime ministers say their VM was hacked), royals (possibly including Prince William and Kate Middleton), and many tragic victims (a murdered teenage girl, for instance).
The story is gory but get this: It definitely is not limited to wayward reporters, nor is it limited to the United Kingdom.
It may mean that your phones could be compromised just as easily. That is the bold, frightening headline. But it also is very true, said Todd Morris, CEO of New York-based BrickHouseSecurity.com, a supplier of security tools and technologies. “Most phones, both corporate and cellphones, can easily be hacked into."
“Easily” is the operative word. The core vulnerability is that, for ease of use, most VM systems bypass password entry when the user is calling to check his/her own VM.
And this is an open door for those who want to eavesdrop on your messages. That is because, by using commonly available phone number spoofing tools (do a quick search on the Internet to find your favorite) it is simple to trick the VM system into believing that the authorized user is calling in.
Once in, said Morris, the perpetrator can listen to all your VMs (resetting them as new to cover the trail). In some systems, they can forward especially juicy VMs to an email address they enter. He or she may even be able to put in a setting where all VMs are by default copied and sent to their own phone. All it takes is just a few seconds for a skilled operator to set this up.
Worse, said Morris, is that the security built into most VM system is a charade. Generally, the password is limited to four numbers. Frequently the system default password has not been changed (often it is 1234 or 0000). If the defaults fail, it still wouldn’t take a skilled hacker with password generation tools more than a handful of minutes to identify the password and break in.
It gets still worse. “Add to this the manuals for most voicemail systems are online and you have a ripe environment, "said Phil Lieberman, CEO of security specialist Lieberman Software in Los Angeles.
What if the password can’t be guessed? Often the VM provider will give it to anybody who asks.
Sam Alapati, senior technical director at IT consultancy Miro Consulting, explained: “It’s easy for a hacker to gain access to someone’s voicemail by simply impersonating that person and contacting the voicemail provider. Corporate voicemail -- for that matter, any voicemail -- faces this inherent security problem: If you lose your password and need to reset it, the provider will in most cases do so, even if you don’t have your PIN number and password, by letting you provide some basic information such as address or birthday. If you tighten this procedure, you can enhance security, but customers want their credentials to be reset immediately, because they can’t wait to access their voicemail.”
Getting the picture exactly how easy this is?
Security experts -- who insist VM hacking is epidemic in the U.S., too by the way -- offer nightmare scenarios where, for instance, every VM received by the CEO of a take-over target is overheard by the acquiring firm (or perhaps by crooked Wall Street operatives). The depth of insider info potentially gathered by competitors and others quickly becomes frightening. According to these experts, celebrity VM is routinely hacked by gossip reporters, and rumors are intensifying that political parties are trolling for dirt on opponents by analyzing VMs.
“Voicemail hacking is, I believe, incredibly common,” said Lieberman. “If they use a pre-paid, throwaway phone there isn’t even any way to trace them."
Paranoia, or reality? Hard to say. But what can be said is that quite possibly anybody who genuinely wants to overhear your VM can, and that is a creepy reality.
So what can you do to safeguard VM? The building blocks for maintaining privacy for the individual are much the same as any corporate policy, suggested Morris.
The experts ticked off these four steps to heightened VM security:
- Set up your VM so that you have to type in a password every time you access it. Disable "password bypass" settings on your phone, urged Morris
- Delete VMs when you listen to them, and don't leave sensitive info in VM. "Don't use VM to file key info," said Lieberman. "There is no way to find out it's been accessed." He also advises making it a practice to retrieve VMs frequently and often. The longer they sit on the server, the more likely they will be hacked.
- Check your VM settings, urged Morris, and do this periodically. Are copies automatically forwarded to numbers you don't recognize? The settings control how VM is handled but most users never check them.
- Lastly: "Create the most complicated password your system allows. Change it frequently." Morris also counsels: "Make sure no one gets their hand on your cellphone." This is because it is easy enough to figure out a password by studying smudges on a touch screen, he said.
Will these steps safeguard your phone? Probably, suggest the experts but the truly concerned are disabling VM all together leaving a message: “Sorry, I no longer accept VM. Please email me your message at xyz@xyz." And that, definitely, works ... at least for now.
Robert McGarvey - As a busy freelance writer for more than 30 years, Rob McGarvey has written over 1500 articles for many of the nation's leading publications―from Reader's Digest to Playboy and from the NY Times to Harvard Business Review. McGarvey covers CEOs, business, high tech, human resources, real estate, and the energy sector. A particular specialty is advertorial sections for many top outlets including the New York Times, Crain's New York, and Fortune Magazine.