How Do You Hack Into Someone’s Voicemail?

By Larry Greenemeier and Scientific American, July 12, 2011 at 4:29 PM EDT

Phone hack; Creative Commons photo courtesy flickr.com/dinomite

The scandal that helped shutter Rupert Murdoch’s News of the World tabloid and left at least nine News International journalists facing possible criminal charges has brought phone hacking into the spotlight as a means of subversively gathering information for news articles. As investigators study the scope of the problem, including the role phone hacking played in News of the World’s coverage of the disappearance and death of teen Milly Dowler in 2002, it’s become clear that breaking into someone else’s voicemail isn’t very difficult.

This, of course, doesn’t make phone hacking legal. In England, where the alleged offenses took place, it is a crime to intercept phone calls unless you’re a police officer or intelligence agent with an official warrant, which can be granted only to protect national security. News International may also face legal problems in the U.S. under the Foreign Corrupt Practices Act (FCPA) based on allegations that News of the World reporters offered to pay a New York police officer to retrieve the private phone records of victims of the September 11 attacks.

The key to breaking into someone’s voicemail is to access that person’s voicemail prompt and/or management systems, says Jim Broome, practice manager for enterprise consulting with Accuvant LABS, the security assessment and research division of Denver-based Accuvant, Inc. This can be done in several basic ways, particularly if a person’s voicemail account has no password or PIN, uses the default password that came with his account (typically 0000 or 1234, or something along those lines), or uses a simple password that’s easy to guess, Broome says.

Voicemail prompts can also be accessed via caller ID spoofing. With the advent of caller ID, many voicemail systems have been created that simply check the number calling in and base authentication on that match, Broome says. Caller ID spoofing services like Spoofcard.com allow people to make it appear that their phone number is the same as the digits they are dialing. When the receiving phone recognizes its own phone number, it will often dump the caller directly into voicemail.

Apple apparently isn’t amused by SpoofCard and has removed the app from its App Store, although it’s still available through Spoofcard.com.

Obviously, setting a strong password (one that is not obvious, such as a birthday) is the primary measure for securing a voicemail account. It’s also a good idea to change your PIN every few months. Of course, good luck remembering it.
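As an added illustration (not part of the original article), here is how a voicemail operator could enforce both points in code: reject the weak PINs described above at enrollment, and never let a caller ID match stand in for the PIN. The function names, the 4-digit minimum and the sample values are assumptions made for the example, and a real system would store a hash of the PIN, not the PIN itself.

```python
import hmac
import re
from datetime import date

# Default PINs named in the article; an operator would extend this list.
DEFAULT_PINS = {"0000", "1234"}

def pin_weaknesses(pin, phone_number="", birthday=None):
    """Return the reasons a proposed PIN is weak (empty list = acceptable)."""
    if not re.fullmatch(r"\d{4,}", pin or ""):
        return ["missing or not at least 4 digits"]
    reasons = []
    if pin in DEFAULT_PINS:
        reasons.append("carrier default")
    if len(set(pin)) == 1:
        reasons.append("single repeated digit")
    # Digit-to-digit step of +1 or -1 (mod 10) throughout: 2345, 4321, 9012.
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    if steps in ({1}, {9}):
        reasons.append("sequential digits")
    digits = re.sub(r"\D", "", phone_number)
    if digits and pin in digits:
        reasons.append("part of the phone number")
    if birthday is not None:
        d, m = f"{birthday.day:02d}", f"{birthday.month:02d}"
        y = str(birthday.year)
        if pin in {m + d, d + m, y, m + y[2:], d + m + y[2:], m + d + y[2:]}:
            reasons.append("derived from birthday")
    return reasons

def may_open_mailbox(caller_id, mailbox_number, pin_entered, pin_on_file):
    """Decide remote access. caller_id is deliberately ignored: the caller
    controls it, so a match with mailbox_number proves nothing."""
    if not pin_on_file:
        return False  # no PIN set: refuse rather than fall back to caller ID
    return hmac.compare_digest(pin_entered or "", pin_on_file)

if __name__ == "__main__":
    # Constructed sample subscriber, not real data.
    number, born = "+1 303 555 0142", date(1985, 3, 14)
    for candidate in ("0000", "1234", "0142", "0314", "7294"):
        print(candidate, pin_weaknesses(candidate, number, born) or "ok")
    print(may_open_mailbox("3035550142", "3035550142", "", "7294"))  # False
```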

This article is reproduced with permission from Scientific American. It was first published on July 11.