Tabloid Phone-Hacking Scandal

Could it happen here?

How easy is it to hack a cell phone?

Rupert Murdoch’s son James announced Thursday that News of the World, Britain’s  top-selling Sunday newspaper, will close as a result of an ongoing phone-hacking scandal. As the Guardian revealed Monday, the paper’s reporters  illegitimately accessed and deleted messages  from a missing girl’s voice mail in 2002, one of an  estimated 4,000 targets. Could phone-hacking happen here, too?

Yes, though perhaps not quite so easily. “Hacking” is a bit of a misnomer, given how low-tech the infiltrators’ methods were: It seems they broke into victims’ voice mail inboxes  using the carrier’s default passcode, such as 1111, taking advantage of the fact that many customers hadn’t opted to change it. To do so all they needed to know was the victim’s phone number, which if not handy could be obtained by bribing or deceiving customer support representatives. But after phone-hacking incidents surfaced, most if not all U.K. carriers stopped allowing new users to retain default passcodes. And while American wireless carriers are reluctant to talk about specific security protocols, they generally require customers to change their voice mail passcodes from the default immediately or within 30 days of activating the service.

That’s not to say we’re invulnerable—far from it. At least one of the four largest U.S. wireless carriers, Sprint, says it gives users the option (paired with a stern warning) to skip their password when accessing voice mail from their own phones, a setting that’s potentially vulnerable to caller-ID spoofing. (The others—Verizon, AT&T, and T-Mobile USA—declined to comment or did not respond to the Explainer’s inquiries.) In fact, Paris Hilton was accused in 2006 of doing precisely that to Lindsay Lohan.

Of course, it’s also possible for a wily and unethical reporter to guess a non-default passcode. Because they are restricted to the 10 digits on a phone and typically limited to a certain length, voice mail passcodes are generally easier to crack than website passwords, which may contain letters, numbers, and symbols. Customers tend to choose similar passcodes, and crooks might be able to guess a numerical sequence from the victim’s birth date or home address. After a certain number of incorrect guesses, most voice mail systems will hang up or redirect the caller to customer service. It’s unclear, however, just how many incorrect guesses these systems tolerate before freezing an account. The Explainer tried 12 incorrect codes on his Verizon voice mail over the span of four calls to no detriment before giving up.

Can you tell if your voice mail has been hacked? Unlikely. Voice mail systems typically allow an infiltrator to re-mark a message as new or delete it without you even knowing. There are, however, potential solutions to the hacking issue. Wireless carriers could, with little technological effort, send you a text message each time someone accesses your voice mail remotely. Or they could use fraud-detection software similar to the systems credit card companies use to stop illegitimate purchases.

Got a question about today’s news?  Ask the Explainer.

Explainer thanks Graham Cluley of Sophos, Jason Gertzen of Sprint, David Rogers of blog.mobilephonesecurity.org, and John Walls of CTIA-The Wireless Association.