How News of the World Hacked Everybody's Phones

For a while, leaving your cell unattended seemed like the biggest threat to phone security. But this recent business is a reminder that there are savvier ways someone can violate your phone—without even touching it.

Details are still emerging as to how, exactly, News of the World reporters got into everybody's giblets. But here are the common—and shockingly simple—phone hacking techniques they likely used.

Voicemail hacking, according to security experts, is not the worst of the things that could happen to you and your secret-spilling cell. These days, it is the least intrusive because voicemail as a message-delivering tool is fading out behind simple caller id, texting, and emailing. But it's still a massive invasion of privacy—even if the only one that still leaves messages is your dad.

To access these messages, cell providers typically offer an external number you can call to get into your mailbox. The service recognizes the phone number calling, which is convenient for everyone—including people trying to get into your voicemail. Phone numbers—that unique identity that we assume belongs only to the object in our pocket—can be spoofed using Voice Over IP and some open source software. "The caller ID is a burst of data before the signal that tells the phone to ring," explains Chester Wisniewski, a Senior Security Advisor at Sophos. "If you're not using a commercial service provider, you can set your caller ID to anything." This means that that external number that you call to check your voicemail may interpret the falsified number as yours and act accordingly.


PROTECT YOURSELF

It would be nice to keep the things in your private life private. Here are a few easy things you can do to guard yourself against unwanted interlopers.

• Your voicemail should be password protected—even if you're dialing from your phone.

• Make your passwords stronger. 15-percent of iPhone owners unlock their phones with one of the 10 most common passcodes. Do not use them. Ever. Turns out 5683 may look tricky, but the sixth most common number sequence spells out love on a keypad—and the feeling is not unique.

• Add an intermediate step between the threat and your cell phone. Services like Google Voice and Skype will give you a number that forwards to your phone, so you don't have to betray your service provider-tied digits.

• Block your outgoing caller id. Your number can give up information about you, so don't let anyone on the other end of a conversation have it.

• Set up notifications for remote access to voice mail, an invalid PIN attempt, or a change of a voicemail pin so you'll at least be able to know about the intrusion before it hits the papers.

Typically the service provider's external number still requires a password, even if you haven't set one. Bonus! But to get yourself equipped with something unique, each company has a well-known default (like the last 4 digits of your phone number, for instance) that gives users first time access. And how many of us actually change that pin? Uh oh. Spoof a number, enter the last 4 digits of that number, and presto: 10 identical voice mail messages from my dad on 10 consecutive Sundays.

Spoofed numbers also allow another access point. Ever called your own phone number? "It automatically dumps you into voicemail and plays your messages," says Wisniewski. By now you see where I'm going with this: Would be evesdroppers can get there, too, using your number. To get forwarded to voicemail, someone might be tasked with intentionally occupying your line, while another with the forged number—your forged number—calls you as well. Bam: Voicemail. If not given direct access right then, pushing * during the outgoing message is a reliable way to gain entry.

Passwords would be helpful here, but even strong passwords guarding voicemail are not 100-percent safe from determined snoopers, who have been known to call phone companies to ask for a password reset on a target's account. Security experts expect that some amount of this type of social engineering took place in the News of the World scandal. What this boils down to is someone tricking an employee at a cell carrier into giving up access. They'd need a few key details of the person's life to go from, of course, but security experts seem to treat this as a foregone conclusion.

The thing about most voicemail intrusions is that there's no real way to know they've happened. If you've already listened to a message, someone playing it for a second time is not going to set off any alarm bells. Steven Rambam, an investigator and director of Pallorium, Inc. explains that that it can go even further. "I can save them as new after I've listened to each one so nobody will know." Alarming, to say the least.

More alarming is the gamut of violations Rambam says are possible. Transgressions range from wriggling into someone's web portal to accessing call history to legal cell phone tracking (not the paying-off-cops stuff that was going on in the UK) to sending an email that will embed something on your phone to grab passwords.

But 90 percent of the above voicemail-specific problems can be prevented if strong passwords are put into place, according to Rambam. That means no patterns on the keyboard (ahem, 2580) or digits repeated 4 times. "There's a balance between convenience and privacy," says Rambam, "and you have to decide if it's worth it for you." In other words: Put passwords on everything. Right now.


You can keep up with Rachel Swaby, the author of this post, on Twitter.

Giz Explains is where we break down whatever science or tech questions are scratching at the backs of our noggins. Got questions of your own? Email them to us at explains@gizmodo.com and we'll see about answering them.