“Hi, Dell. This is Andrew at EFF. We got disconnected. Oh, I think you might be calling me.”
I was playing phone tag with Andrew Crocker, a law fellow at the Electronic Frontier Foundation, during an ongoing conversation about national security letters. It was a week-old voicemail message just sitting in my inbox. But I wasn’t listening to his message on my phone. I was reading it on my laptop in a chatroom with a hacker aptly named “Phr3ak.”
“End of call,” Phr3ak replied, as if he were handing my inbox back — something I’ll never rely on again.
“It works for all carriers and has been tested in multiple countries,” he added. “With permission of course.”
In reality, Phr3ak is Jamie Woodruff, a 21-year-old security researcher from Rishton, England, who had permission to break into my voicemail. Had he not, his demonstration would have constituted a serious crime under Britain’s Data Protection Act (DPA). Journalists and private eyes charged in the now-infamous News International phone hacking scandal are facing years behind bars. In America, computer fraud can earn you decades.
Despite the crackdown on voicemail hacking following the controversy at Murdoch’s News of the World, unfortunately, the act itself is easier than ever.
“Basically, the outbound call from my cellphone … gets relayed to my VoIP [Voice over IP] server,” Woodruff explained. “I then spoof the outgoing call; I trick your phone into thinking it’s you calling locally and thus bypass the voicemail server.”
That may not sound simple to the rest of us, but it’s not a new technique. In fact, as far as hacking goes, this exploit is elementary. For years, people have been phone “spoofing,” tricking telephone systems into believing that they’re calling from a different number. More often than not, it’s employed as a harmless prank, but there are far more diabolical applications. Appearing to be a law office, police station, or phone company to a stranger, for example, is a useful tool for social engineers who seek information their marks might otherwise not disclose.
A rudimentary tool currently available to the public is called SpoofCard. For a price, users can dial an 800 number, enter their unique PIN, and have any outgoing number they wish. To conceal their identity from law enforcement, the attacker can easily make the call using Skype while routing it through a virtual private network (VPN). But Woodruff doesn’t use SpoofCard.
“SpoofCard sucks,” Woodruff remarked after staging the infiltration of my inbox. “Mine is free, faster, and doesn’t require calling an external number.” The steps to remain anonymous are the same, however: employing a VPN and ensuring that VoIP protocols are routed through standard Web encryption (SSL).
Tricking the phone company into thinking he was me was essential to Woodruff’s demonstration. From any other number, the system will always require my unique PIN code. Masquerading as me (or, rather, my phone), he could listen to all of my messages, delete them, and change my greeting, even my password.
Thankfully, I can patch this hole by simply requiring a PIN at all times. I soon learned that many of my friends, however, do not have this option enabled. (Several of my colleagues scurried to adjust their own voicemail settings as we discussed this story.)
A self-described ethical hacker, Woodruff was firm that he would never use his method to attack anyone — at least, not without their permission. “I always have written and verbal authorization,” he said.