As Seen On News 5

Nov 21, 2011 12:00 AM by Dr. Anya Winslow

Smart phone hacking revealed

That's exactly what happened to News 5 reporter Anya Winslow and executive producer Stefanie Boe. Granted, both gave their permission to two Denver-based security teams, Electric Alchemy and Lares Consulting, to hack their phones.

The operation took place in Denver at the Electric Alchemy headquarters and was part of an experiment to identify vulnerabilities with high-tech smart phones.

Earlier this year, thousands were victims of voice mail hacking in Britain, which ultimately led to the downfall of a British tabloid newspaper "News of the World."

That scandal raised the question: How easy is it to hack into voice mail?

By teaming up with security experts, News 5 got some answers.

What was extremely disturbing was how fast and easy it was for the experts to break into the cell phones and gain total access to personal information.

If you're not sure who's at risk, David Campbell of Electric Alchemy clarifies, "I think everyone carrying a smart phone is at risk."

Chris Nickerson from Lares Consulting demonstrated, with ease, the simplicity of voicemail hacking and says, "All you need to do is download an app [from the internet] and for a few cents a minute you can listen to anyone's voice mail."

Nickerson, using his phone, was able to hack my phone in less than a minute. With his phone on speaker, we listened to my personal voice mail messages one at a time.

Next, I wanted to see how easy it would be to hack into a News 5 company phone. This time, Stefanie Boe was the target. She was over one hundred miles away in Pueblo. So, again, Chris went to work, diligently punching numbers into his phone.

Again, in a matter of seconds, he was in and we listened to her voice mail... "Stefanie, it's Kirsten. I'm actually having car troubles right now, so, I won't be able to get into work for the next 20 - 30 minutes."

Campbell adds, "When we try and access a person's voice mail, their phone won't even ring. It'll go directly into their voice mail," which is another alarming fact. You don't even know if someone is listening to your messages even if your phone is right next to you.

Voice mail hacking is only one route into the information stored on a phone. Campbell brings up another fact that all smart phone users should be cognizant of -- smart phones are powerful machines.

Campbell seriously says, "The smart phone isn't a phone. It's a computer that happens to be small and happens to make phone calls." The little handheld devices mask the nature of the computing abilities of smart phones. Campbell adds, "Phones can get viruses. So, when people start treating the smart phones more like they do their computers at home, with the same level of security, that's when we'll see some improvement."

Continuing with the experiment, Campbell whips out his iPad and shows what could happen if a user opens a malicious email on their phone.

"If the attacker has done their homework," says Campbell, "'John Mallory' will be someone that I know and trust." After clicking "accept" to his "LinkedIn" invitation, the screen changes to show an image indicating that your phone has been compromised. This clear indicator screen, however, doesn't always happen.

"If we [were] doing this for real, using a live payload, we would re-direct [the user] to a screen that says, 'here's the invite,' [and everything would look normal] so, this can be done completely quietly, behind the scenes."

Both Nickerson and Campbell touch on an important point - users store an immense amount of private information on their phones. In this day and age especially, many of the devices and their applications, e.g., Facebook, email, calendar books, etc., are linked together, which means the amount of information that can be accessed by hackers is profound.

Once a hacker gains access into your digital world, they can see all kinds of information about you. "[They] can see everything like all the sms's that were just recently sent; all the call history; see all [your] contacts in the phone and who [you] talked with and where [you] talked to them; [your] appointment history; what webpages [you've] been surfing; your location; your location history," says Nickerson, and he adds, "Pretty much everything that you've done on the phone is now available."

Complete protection for smart phones is still a long way away, however.

"We're seeing already that the carriers are working more closely with the handset manufacturers to create security solutions comparable to what you have on your desktop for your phone," says Campbell, but he adds, "The most important thing that users can do, right now, is be aware of the threat. The tools are in their infancy. So, there isn't a lot of help out there."

Both experts recommend that you, as the user, try and implement levels of security that could help you better protect yourself. One of the easiest, but not foolproof ways to protect yourself is to add passwords or PINs wherever possible.

"A PIN number," as Campbell says, "is a very important security control. A determined attacker is going to work around whatever PIN number is on your voice mailbox, but a casual attacker is likely going to be thwarted."

Nickerson also adds, "Often times the users will trade security for ease of use. So, a lot of times when you'll see all of these people with no password on their voice mail, it's just because they don't feel like typing in a password," which makes you more vulnerable to an attacker.

In the end, the pain-in-the-butt passwords the cell phone companies tell us to implement, although not a guarantee that they will fully protect us, do add a layer of protection that can help keep personal data personal.

The teams' recommendations to better protect yourself on your smart phone include:

1. Make sure you have the most up-to-date operating system on your phone.
2. Install updates immediately.
3. Apply passwords and/or PINs on voicemail or any other applications (apps) that you are running on your phone.
4. Don't install apps that aren't necessary.
5. Be aware of apps that ask for permissions that seem to be greater than what the app needs in order to operate.
6. Don't select passwords like "1111" or a number or number combination someone can look up, such as a birthday.


Some dead giveaways that might indicate your phone has been compromised include:

1. Your battery life is depleting more quickly than usual.
2. You are receiving unusual text messages on your phone, or your phone is sending unusual text messages.
3. Check your phone bill. Check to make sure your phone isn't making spontaneous calls to strange countries/phone numbers and look out for SMS messages sent to "premium" numbers.
4. Any other kinds of erratic behaviors.

The teams also suggest that if you do think your phone has been compromised, the best thing to do, as Nickerson says, is to "Completely wipe the phone. Make sure that the phone is operating on the most recent software version and has all the recent updates installed." He adds, "Once you 're-build' your phone from source, then, at that point load your contacts."

Major cell phone provider helpful links for PINs and passcodes:

1. AT&T

2. Sprint has websites (1) and (2) 

     • Sprint also provided information to an article published by the Wireless Association titled "How to Protect Your Voice Mail from Being Hacked."

3. T-Mobile
4. Verizon website (1), (2), and (3)


Click here for Electric Alchemy.


Click here for Lares Consulting.

Click here and here to learn more about federal laws regarding hacking.



