Recently we have been flooded with media reports of the News of The World’s phone hacking or the Leveson enquiry. On my mobile phone my newsfeed is set to The Telegraph and it’s common for 10 to 15 stories to be related to phone hacking. When the majority of media reports focused heavily mobile voicemail hacking, not much attention was given towards the potential for this to happen to landlines – which leads us to ask question would this be possible?
Landline phones such as BT, Virgin, TalkTalk or Vonage use a similar authentication method to that of mobile phones. Access can be setup externally and accessed using a pin. All one has to do is dial the number, wait for voicemail message, press # or similar and then enter the pin.
As with other common day to day objects, the pin may also be a simple sequenced default. It is usually easier to get someone’s landline number than someone’s mobile number since it’s often listed on website such as BT Phonenet, if not is listed on business directories or even the companies own website.
Due to the ease of landline phone ‘hacking’, it is fair to assume that this has taken place but hasn’t been reported on as usually the juicy or incriminating messages are usually left on mobile voicemails.
When it comes to mobile phones, the instructions for ‘hacking’ the phone’s voicemail are even listed on some major UK mobile network providers. Of course they do not list the default pin but they take you 75% of the way. Once someone knows a network’s default pin and the victim’s phone number, the rest it is quite simple to do. This is all pretty straightforward and requires little skill.
The word ‘hacking’ makes the reports sound very complex and sexy but in reality it is very basic. The truth is very simple – so unsophisticated that a ten year old could have done the work of the private investigators. This leads us to ask, if it’s not really hacking, what is it?
Rather than just assuming it’s hacking, let’s look at the evidence. When we examine the enquiries on closer inspection we are faced with a rather different outlook – that of a default configuration attack.
So what is a default configuration attack? In layman’s terms a default configuration attack is one that targets a device with a default pin. For example a pin you would find typically when you use a hotel digital safe, a bike lock or even a household alarm. The default pin is one that often follows simple sequences such as 0000, 1111, 1234. It is common in day to day life for people to change the pin of such a device; however, this is often overlooked in the digital world. Therefore, if someone knows or guesses a default pin for a particular device it is quite easy to exploit.