System administrators generally know that an application’s default passwords need to be changed as a matter of priority whenever new software is installed. Stories of systems being hacked by attackers who merely logged on using the default credentials are nowhere near as commonplace as they once were. Unfortunately, the
News of the World phone hacking scandal that occurred in the summer of 2011 showed this basic security procedure isn’t necessarily enforced across all default passwords and PIN numbers.
The reason why
it was so easy
phones was that
the default PIN
required to access
It was so easy to hack so many phones because most people never change the default PIN required to access their mobile or landline voicemail. The alleged perpetrators likely just dialed each victim’s phone and entered a well-known sequence of numbers -- the default PIN -- to listen to and delete any stored messages. Most people probably never have used their PIN for accessing their voicemail; in most instances, the phone network recognises the phone calling in and this is the only authentication required, unless the voicemail box has been set to specifically require a PIN to access it.
Although the use of default PINs by telephone network operators is on the decline, they are still used in other countries. Also, some of the newer hacking methods involve faking a phone’s displayed number to forge access to an account’s voicemail. This technique has been used in the US and recently in the Netherlands to get access to politicians' voicemails.
To block these types of attacks and prevent unauthorised people from hacking voicemail messages, first ensure employees set up a unique PIN to access their voicemail. But it’s not just for mobile phones that you need to apply this password policy. Any device that has data storage or any form of personalisation is likely to provide PIN-controlled access and will probably come with a well-known default PIN.
An asset list check, both hardware and software, is a good place to start to identify items that are likely to have some form of default PIN or password. Once identified, all PINs need to be changed on a regular basis, as with any other password. Devices to look out for include answerphones, faxes, printers, copiers and access keypads. As devices such as an office or department fax are likely to be accessed by several people, the password or PIN should be changed whenever someone who is likely to know it leaves the company. Asset owners of these devices should be made responsible for ensuring all relevant passwords and PINs are regularly changed and the changes are recorded.
It may seem tedious, but unauthorised access to voicemail can leave you in breach of contracts and compliance requirements. It can also be embarrassing. For example, in May 1997, when MI5 was advertising for recruits, hackers managed to change the answerphone message on MI5's contact phone number: "Hello, my name is Colonel Blotch. I am calling on behalf of the KGB. We have taken over MI5 because they are not secret anymore and they are a very useless organisation."
So while voicemail may not seem like a cutting-edge technology in need of technical safeguards, proper voicemail security measures must be in place to minimise the risk of a similarly embarrassing and damaging incident.
About the author:
Michael Cobb, CISSP-ISSAP, is a renowned security author with more than 15 years of experience in the IT industry. He is the founder and managing director of Cobweb Applications, a consultancy that provides data security services delivering ISO 27001 solutions. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Cobb serves as SearchSecurity.com’s contributing expert for application and platform security topics, and has been a featured guest instructor for several of SearchSecurity.com’s Security School lessons.
This was first published in December 2011