I expect that many of our readers have heard about the cell phone hacking in the UK. Political implications and alleged corruption aside, this story has me more than a little frustrated. Granted, the details of this this specific story are awful in their own right, but what really gets me is that people seem to be surprised by the fact that it is possible to break in to someone’s voicemail. It should not be “news” to anyone that voicemail security is terrible.
One of the most common mechanisms for authenticating users to their voicemail is caller ID. This means that when you call your voicemail from your own phone, the system recognizes the number and simply lets you in. No passphrase or PIN required. The problem with this is that it’s trivial to spoof caller ID, allowing literally anyone access with minimal effort.
The situation isn’t much better for those using a passphrase or PIN for authentication either. The default numbers are usually 0000, 1234, or the last four digits of your cell phone number. A surprising number of people neglect to change that, but just in case it is changed, here is a list of the most commonly used lockscreen PINs for an iPhone application. I’m guessing the most common voicemail passphrases is a very similar list.
At this point, it may be tempting to think “If I use a passphrase or PIN that is not on the list then I’m secure, right?” Wrong. If there is anything that we should have learned about security by now, it’s that there is very little that will stop a determined and skilled attacker. Especially if they are given unlimited number of guesses to figure out a four digit number. When all else fails, an attacker can brute force the passcode in 10,000 guesses (probably a lot less though, considering that there are common patterns people like to use that aren’t on the list above). That’s a lot of guesses and would take quite a while to do manually, but it wouldn’t be too difficult to automate the process.
Voicemail isn’t, never has been, and probably never will be, secure. Phreaking has been around for a long time and continues today. Most of us are not nearly interesting enough for an attacker to care about our voicemails, but if you would like to remain as secure as possible, your best bet is to not leave sensitive information in your voicemail.