We now know that certain tabloids, including the News of the World, covertly gained access to the voicemails of all sorts of people, from celebrities to the family of murdered schoolgirl Milly Dowler. It was, as Robert Jay Q.C. described in his opening submission to the Leveson Inquiry, a “fishing expedition”.
But while some have described the actions of the tabloids and the private investigators they hired as ‘hacking’, as far as we know thus far, it was nothing of the sort. What they did should really be described as communications interception, or if you want to use security parlance, default configuration attacks.
If the owner of a mobile phone does not set it up with a new voicemail password or PIN, the PIN remains the default set by the phone maker or telecoms operator: 1234, for example, or 0000. All that a private investigator then needs to listen to one’s voicemails is the mobile phone number itself, and for the owner not to have changed the PIN.
So what the private investigators did was ‘blag’ the mobile phone numbers of their intended victims, either through social engineering techniques where you persuade a helpful person to divulge a mobile number by pretending to be someone else, or simply by paying someone at the phone company to give it out.
That is not to say that what the tabloids and the private investigators they hired did was not despicable, and the NotW’s royal affairs editor Clive Goodman and private investigator Glenn Mulcaire may not be the only persons deemed by the courts to have also acted criminally.
There are techniques that can be used to hack into mobile phone conversations themselves and also to snoop on text messages sent via mobile phones. GSM interceptors can do exactly that, but these are not something someone with little more than ‘blagging’ skills would be able to deploy. Companies, more sophisticated hackers and even governments do use them, but we have yet to hear evidence that these were used by the tabloids or private investigators under the Leveson Inquiry spotlight.
It’s scary enough that corporations and governments use sophisticated cybercrime techniques to bypass internet and communications security. It’s worth being that little bit more specific about the techniques that are being used in different situations, if we don’t want the general response to be, ‘there’s nothing I can do about my online security: if someone wants to hack my voicemails I am sure they could’.
When really the response in this instance, along with the outrage, might also be, ‘I should change my PIN’.
Jason Stamper is NS technology correspondent and editor of Computer Business Review.