Amid reports of the News of the World cell phone hacking scandal, many mobile users might be wondering if their own phones are vulnerable. How easy is it to hack someone’s phone? Despite the recent hubbub, the news is pretty heartening: with advances in mobile technology have come advances in mobile security. But not all cell devices are free from invasion.
“No system is 100 percent foolproof,” said John Walls, vice president of public affairs with CTIA, a non-profit advocacy organization that represents the interests of the wireless communications industry. “Then again, the systems that are in place are very good and provide high levels of protection for consumers. You have to protect the customer to the best of your abilities — the customer and the integrity of the service is all they have.”
But why would anybody hack someone else’s phone? News of the World reporters performed these tasks to get the story — no matter what. The hacking procedure went like this, according to The New York Times Magazine: Reporters used a technique called “double screwing,” which involved calling the same number at the same time. The first caller would make the line busy, leading the second caller directly to a voice mail prompt. After entering the voice mail password, the second caller gained access to the person’s messages. According to the Times, simple codes like “1111” would crack it.
But this is not the only way to hack voice mail. Previously, Walls said, hackers could access people’s voice mail by calling their cell phone service providers to ask to set a new voice mail password. If simple codes didn’t work, News of the World private investigators relied on this method to access passwords, wrote the Times. That was before the advent of multiple passwords and security questions. Now, only the customer who has set these codes has the ability to make changes to the voice mail settings, even to the person’s general cell account. Wireless carriers also keep a limited pool of personnel who can access customer information, so as to prevent the information from getting into the wrong hands.
But there are other ways to hack voice mail. Kevin Mahaffey, chief technology officer at Lookout, a San Francisco-based company that develops smartphone security software, explained two behind-the-back techniques.
One involves accessing a person’s voice mail through another person’s voice mail. The two have to be contacts in the same network. By calling one person’s voice mail, the hacker can use a code to bounce to another voice mailbox. The advantage here, said Mahaffey, is that the owner of the phone is not made aware of the hack — just like in double screwing. With a crack at the password, the hacker gets in.
The second involves caller ID “spoofing,” which uses a trick to make a cell phone carrier think that an outside call to a phone’s voice mail is actually coming from the phone itself, as in dialing *86 on your own device to get your messages. The difference here is that these spoof attacks specifically target mobile users who have not set a voice mail password. Spoof calls provide straight access to voice mail, but if you have a password, this could never happen, said Mahaffey. Mahaffey also said that most mobile operators have fixed this issue, but that nobody knows the extent of this problem today.
Beyond wireless providers, the responsibility to keep the networks clean also lies in the hands of wireless customers. Walls advises that cell carriers use a password-prompted screen lock, which requires that you enter a pass code to get to the phone’s home screen. Also, choose your passwords wisely: don’t pick a password that a hacker can find on your Facebook profile, like your birthday, said Mahaffey. Never store these passwords on your phone, and be sure not to open any SMS messages coming in from unknown numbers, which, Walls said, contain content that, when opened, can install malware and spyware onto your cell.
This adds a new dimension to the hacking problem. Marc Fossi, manager of research and development for Symantec Security Response, said that the recent development of cellphone technology has made mobile devices into small computers. “They’re susceptible to the same attacks that many computers are,” said Fossi.
Mahaffey defines malware, which can affect computers, as software that works with malicious intent. If it’s installed onto your smartphone through a dodgy e-mail or text message, the bug plays a nasty fly-on-the-wall role. It can gather any information that passes through your phone as it flies from app to app. Not only can this include information about your call history and messages, but also financial information if any mobile apps are linked to a credit or debit account, said Mahaffey.
Spyware, on the other hand, falls into a murkier territory. Not all spyware is malware, said Mahaffey, but some of it can be. Spyware works through apps that take any data from your phone, such as contacts, browsing habits, text history and location, without consent. Your information could get uploaded onto an app’s contact list without your approval, for example.
Luckily, there are solutions to prevent this from happening. Be sure to keep your apps up to date. New software that fixes old security flaws can keep hackers at bay. Stay away from e-mails, texts and apps from unknown, untrusted sources. Stay safe on public wifi networks that are not secure by avoiding online shopping or banking. Finally, you can install security software onto your phone that protects you from harm.
“It’s important that we don’t end up in the same position on our phones as we did on the PC,” said Mahaffey. “There’s an opportunity for mobiles to be much better.”