Hacking Horror of the Month - Mobile Phones

The recent story of the imprisonment of a leading London journalist and his “security consultant” accomplice for “hacking” into the mobile phones and message banks of various members of the royal family highlights a potential source of leakage of highly confidential information that is often overlooked.

For those that missed the story, the bare bones were that a senior journalist (the “royal editor”) at the News of the World was struggling to get juicy stories about the royals, so he hired a “security consultant” to hack into the voicemails of close advisers and personal assistants of Prince Charles, Prince William and Prince Harry.  This went on for around six months until the victims began to notice that messages they knew were “new” were in fact showing as “old” (i.e. indicating that they had already been accessed and listened to).  At the same time, Prince William became suspicious when details about the state of his knee (it could have been worse) were published in a gossip column when only his surgeon and one other highly trusted personal assistant knew of his dodgy ligaments.

The ensuing investigation also revealed that the “security consultant” (who was universally known by his nickname “Trigger” – remember Only Fools and Horses…?) had also been hacking into the message banks of various politicians, footballers and (curiously) Elle Macpherson, and making a fortune from trading in the sale of confidential information.

The “hacking” was very low tech, and appears to have been based on three very basic techniques.  Nonetheless, it was highly effective.  The hacking was achieved by:

  • calling the victim’s mobile number and keying in the default PIN code (it appears that a lot of “celebrities” do not set their own PIN but instead just use the default PIN that every mobile user in the UK knows to be 4444): this puts the hacker straight through to the message bank
  • where the default PIN had been changed, social engineering of the relevant mobile phone companies by calling posing as a “credit controller” and getting the phone companies to switch the victims’ PIN codes back to the default
  • (again where the default PIN had been changed) social engineering of the mobile phone companies by calling posing as an engineer working on the account of one of the victims and requesting the reset of a “forgotten” PIN code

So what is the message here for readers of the Safecoms Newsletter?  Well, particularly in organisations that are routinely involved in commercially sensitive transactions (law firms, accounting firms, corporate finance firms etc.), it is likely that a fair amount of highly confidential information could be located in the message banks of employees’ mobiles.  Whilst such organisations often go to great lengths to protect their IT infrastructure and paper based records against security incidents, do they apply anything like a similar level of diligence regarding their employees’ mobiles?

How many sets of security policies and procedures have detailed provisions about storage of confidential data on computers and transmission via encrypted email, but are silent about the protection of equally confidential information when received and stored in a mobile phone voicemail system?

Virtually all policy sets require users to have “strong passwords” for their computer user accounts, and also require that those passwords be changed on a regular basis.  But how many staff get issued with a mobile phone and are then allowed to continue to use universally known default PIN codes for their message banks?  And of those that do move away from the default PIN, how many ever bother to change their PIN on a regular basis?

Confidential information is confidential information irrespective of whether it is stored on a laptop’s hard drive, on a server, or in a voice message on a mobile.  Confidential information needs to be protected whatever the environment where it happens to reside, and whatever the format.

Whilst the kind of mobile phone “hack” reported in this article is probably about as low tech as you could imagine, it nonetheless has the potential to cause significant embarrassment and potential legal liability if it transpires that loss is suffered as a result of a failure to take reasonable care to secure confidential information held in a message system.  Indeed, the fact that it is so low tech is, ironically, a part of the problem: information security professionals focused on dealing with the fight against “master” hackers over the Internet tend to forget about the guys like “Trigger” rummaging quietly around in the voicemail message banks of the world…

It is recommended that those responsible for security policies and procedures in organisations check to see whether they extend to cover information held on mobile phones – and if not, to ensure (as a minimum) that the basic protections of a non-default PIN for voicemail access and a regularly changing PIN are required of all users.   And if you train your users in security awareness, alerting them to keep an eye open for any strange occurrences of “new” messages showing as “old” would also be a good idea.
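As an added illustration (not part of the original newsletter), here is how the two warning signs discussed above, a message played back from an outside dial-in before the subscriber's own handset ever heard it, and a customer-care PIN reset followed shortly by an external dial-in access, could be checked against a voicemail platform's audit trail. The event fields, the `Event` class and the sample records are constructed for the example and do not reflect any carrier's real schema.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed event records imitating a voicemail platform's audit trail;
# the field names are assumptions, not any carrier's real schema.
@dataclass
class Event:
    ts: datetime
    mailbox: str       # subscriber's mobile number
    kind: str          # "deposit", "access" or "pin_reset"
    channel: str = ""  # for access: "handset" (own phone) or "external" (dial-in)
    msg_id: str = ""   # for deposit/access
    actor: str = ""    # for pin_reset: who performed it, e.g. "care_agent"

def first_listen_not_from_handset(events):
    """Message ids whose first playback came from an external dial-in.

    This is the log-side view of the symptom the victims noticed: a message
    they knew was "new" already showing as "old" before their own handset
    had ever played it."""
    first_access = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "access" and e.msg_id not in first_access:
            first_access[e.msg_id] = e.channel
    return sorted(m for m, ch in first_access.items() if ch != "handset")

def reset_then_external_access(events, window=timedelta(hours=24)):
    """Mailboxes where a care-agent PIN reset was followed within `window`
    by an external dial-in access: the PIN-reset social-engineering pattern."""
    hits = set()
    for r in [x for x in events if x.kind == "pin_reset" and x.actor == "care_agent"]:
        for e in events:
            if (e.mailbox == r.mailbox and e.kind == "access"
                    and e.channel == "external" and r.ts <= e.ts <= r.ts + window):
                hits.add(r.mailbox)
    return sorted(hits)

# Constructed sample trail (numbers from Ofcom's reserved 07700 900xxx range, not real).
T = datetime(2007, 1, 10, 9, 0)
SAMPLE = [
    Event(T, "07700900001", "deposit", msg_id="m1"),
    Event(T + timedelta(minutes=20), "07700900001", "access", "external", "m1"),
    Event(T + timedelta(hours=3), "07700900001", "access", "handset", "m1"),
    Event(T + timedelta(hours=4), "07700900002", "deposit", msg_id="m2"),
    Event(T + timedelta(hours=5), "07700900002", "access", "handset", "m2"),
    Event(T + timedelta(hours=6), "07700900002", "pin_reset", actor="care_agent"),
    Event(T + timedelta(hours=7), "07700900002", "access", "external", "m2"),
]
if __name__ == "__main__":
    print(first_listen_not_from_handset(SAMPLE), reset_then_external_access(SAMPLE))
```

In a real deployment the "external" channel would be whatever the platform records for dial-in access from a number other than the subscriber's own, and a hit on either check is a prompt to contact the subscriber, not proof of compromise on its own.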

Additionally, many mobile phones have a PIN phone lock feature (protecting the phone in the event that an unauthorised person gains physical access to it): particularly in corporate environments where executives are routinely exchanging confidential information by SMS and/or voice mail, it is becoming increasingly common for there to be a policy requiring that all mobile phones used on company business have this feature.