Monday, May 16, 2005

Hack-a-bix

Various stories this morning in Computerworld and on TVNZ about Dick Hubbard's phone getting hacked.

How did this happen? Well, the default on mobile phone voicemail (Telecom & Vodafone) is that if you fetch voicemail from your own phone, you can access the service with no PIN. If you use another line (like a landline) you need to enter a PIN.

It makes the decision on whether it is "your" phone based on Caller ID. It would be reasonable to assume that this is a "telecoms grade" secure service - i.e. that without hacking a telephone exchange you can't fake a Caller ID.

Unfortunately this isn't the case - there are various dodgy companies in the US, such as the amusingly[1] named Telespoof that will let you call out (for a small fee) with your choice of Caller ID. You can also apparently hack various mobiles to do this. The telcos have clearly allowed the generation/validation of caller ID to go rather too far down the food chain!

I guess what Telecom (and Vodafone) should now do is to get some software upgrades that either strip/reject caller ID from outside their network that claims to be from inside, and/or validate voicemail logins using the actual calling number. Having to enter a PIN every time I check voicemail is a real pain.
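To make the weakness and the two proposed fixes concrete, here is an added example (my own code, not anything from Telecom, Vodafone or the post) that models the voicemail login decision. The `Call` fields, the mailbox number and the "internal number prefix" are constructed assumptions: `presented_clid` is the spoofable Caller ID, `network_origin` is the number the carrier's own signalling attaches to the call, and `from_own_network` says whether the call arrived via the carrier's own switches or an outside interconnect.

```python
from dataclasses import dataclass
from typing import Optional

INTERNAL_PREFIX = "+6421"        # constructed: numbers the carrier considers "inside"
MAILBOX = "+64211234567"         # constructed sample mailbox number


@dataclass
class Call:
    presented_clid: Optional[str]   # Caller ID as sent by the originating side (spoofable)
    network_origin: Optional[str]   # calling number asserted by the carrier's own network
    from_own_network: bool          # True if the call entered via the carrier's own switches


def pin_required_original(call: Call, mailbox: str) -> bool:
    """Policy described in the post: trust the presented Caller ID alone."""
    return call.presented_clid != mailbox


def effective_caller_id(call: Call) -> Optional[str]:
    """Fix 1: strip Caller ID arriving from outside the network that claims
    to be an inside number; such a claim cannot be trusted."""
    clid = call.presented_clid
    if not call.from_own_network and clid and clid.startswith(INTERNAL_PREFIX):
        return None
    return clid


def pin_required_hardened(call: Call, mailbox: str) -> bool:
    """Fix 2 on top of Fix 1: only skip the PIN when the carrier's own
    network, not the caller, says the call really comes from the mailbox's phone."""
    if effective_caller_id(call) != mailbox:
        return True                       # presented identity is absent, stripped or different
    return call.network_origin != mailbox  # must also match what the network itself asserts


# Constructed scenarios: the owner's handset, a landline, and an external caller
# presenting the owner's number while the network sees a different origin.
own_phone = Call(MAILBOX, MAILBOX, True)
landline = Call("+6493334444", "+6493334444", True)
spoofed = Call(MAILBOX, "+19995550100", False)

if __name__ == "__main__":
    for name, c in [("own phone", own_phone), ("landline", landline), ("spoofed", spoofed)]:
        print(f"{name:10s} original PIN? {pin_required_original(c, MAILBOX)}  "
              f"hardened PIN? {pin_required_hardened(c, MAILBOX)}")
```

The spoofed call gets straight into the mailbox under the original policy but is sent to the PIN prompt under the hardened one, while the owner's own handset still logs in without a PIN.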

(Actually, I'd like my voicemail messages sent to me as an MMS, so I don't need to log in at all!)

1. "Spoof" is Kiwi slang for semen.
