Millions of cell phone users are at risk of having someone listen to their voicemail or steal their contact phone numbers and other private information, according to a report issued this weekend by an industry consulting firm.
Representatives from Sprint, Cingular, and T-Mobile confirmed the basic premise of the attack, which is possible because those services enable consumers to turn off the password-checking function.
Cell phone hacking gained prominence last month when reports surfaced that pop star Paris Hilton's T-Mobile voicemail and phone book had been hacked.
The attack is simple, according to Bob Egan of MobileCompetency.com, who wrote the report. Most cell phone providers offer a service called "skip passcode," which allows mobile subscribers to enter their cell phone voicemail and select other administrative options without entering a numeric password. Callers are sometimes told the service is safe, because cell phone providers ensure the call is initiated from the handset owned by the consumer -- making the password unnecessary.
But Egan discovered that services use caller ID to authenticate the cell phone, and months ago, hackers learned how to spoof, or "trick," the caller ID system. Using such a service, a hacker can dial the mobile account holder's telephone system and immediately access their voice mail and other services.
Essentially, knowing someone's cell phone number is enough to gain access to their voice mail and all their administrative tools.
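To make the failure concrete, here is an added model of the access decision the article describes; it is constructed for illustration and is not code from the report or from any carrier. It assumes two policies: the weak one treats the caller-ID string (which the caller controls) as proof of handset origin, while the hardened one honours skip passcode only when a network-asserted origin flag is set, a hypothetical signal only the carrier's own switch could set for a call that genuinely originates on the subscriber's handset.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Subscriber:
    number: str
    pin: str
    skip_passcode: bool  # the "skip passcode" convenience option


@dataclass
class Call:
    caller_id: str                  # presented caller ID; trivially spoofable
    pin_entered: Optional[str]      # None if the caller entered no PIN
    network_asserted_origin: bool   # hypothetical: set only by the carrier's
                                    # switch when the call comes from the handset


def weak_access(sub: Subscriber, call: Call) -> bool:
    """Policy the article describes: a matching caller ID alone satisfies skip passcode."""
    if sub.skip_passcode and call.caller_id == sub.number:
        return True
    return call.pin_entered is not None and call.pin_entered == sub.pin


def hardened_access(sub: Subscriber, call: Call) -> bool:
    """Skip passcode honours only the network-asserted origin, never presented caller ID."""
    if sub.skip_passcode and call.network_asserted_origin:
        return True
    return call.pin_entered is not None and call.pin_entered == sub.pin


def demo() -> dict:
    """Constructed subscriber and calls: a spoofed call, a genuine handset call, and a PIN login."""
    sub = Subscriber(number="5550100", pin="4321", skip_passcode=True)
    spoofed = Call(caller_id="5550100", pin_entered=None, network_asserted_origin=False)
    genuine = Call(caller_id="5550100", pin_entered=None, network_asserted_origin=True)
    with_pin = Call(caller_id="5550199", pin_entered="4321", network_asserted_origin=False)
    return {
        "weak_spoofed": weak_access(sub, spoofed),          # True: the hole
        "hardened_spoofed": hardened_access(sub, spoofed),  # False: spoofed CID rejected
        "hardened_genuine": hardened_access(sub, genuine),  # True: convenience kept
        "hardened_pin": hardened_access(sub, with_pin),     # True: PIN still works
    }


if __name__ == "__main__":
    print(demo())
```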
Mobile companies warned in August
Spoofing caller ID is easy -- a California company even began offering a commercial service to do so last September.
And last August, a company named Secure Science Corp. issued a warning predicting that the combination of password skipping and caller ID would lead to cell phone hacking. The report specifically named T-Mobile's service as vulnerable.
Lance James, chief technology officer of Secure Science Corp. was critical of T-Mobile for not insisting after his report came out that its consumers use a password.
"I've never heard a complaint from people who have to enter a four-digit number to get their voicemail," he said.
T-Mobile spokesman Jackson Jeyanayagam said the company couldn't comment on the report. The firm issued a statement saying it encouraged consumers to use passwords.
Egan's report says several other cell phone providers offer a skip passcode function, and they are all vulnerable to the same attack.
"We were shocked by mobile voicemail vulnerability," he said. "This is not about (cell phone) operator bashing. This is about generating attention. They knew this and haven't generated any action."
Egan said the method was used to listen to Paris Hilton's voicemail and steal her address book, containing a host of celebrity phone numbers. T-Mobile's Jeyanayagam said he couldn't comment on Hilton's case, citing an ongoing investigation.
Majority of Sprint customers turned off password
Sprint's Charles Fleckenstein said Monday that Sprint customers were vulnerable to the attack. In fact, the majority of Sprint subscribers have turned off their password protection, he said.
"Having learned of this new method for potential voicemail abuse, Sprint is exploring ways to communicate with its customers about this potential threat," he said. "Sprint will also turn to exploring possible enhancements that could make the voicemail product even more secure against unauthorized use."
Fleckenstein said he couldn't comment on why the firm didn't issue a warning when caller ID spoofing systems came to light.
Ritch Blasi, a spokesman for Cingular, said only consumers who pay for the service's "enhanced voicemail" have the ability to turn off their passwords. Cingular's new merger partner, AT&T Wireless, doesn't let consumers turn off their passwords, he said.
He said there have been no complaints of voicemail hacking by Cingular consumers.
"We haven't received any calls into our customer care channels," he said, adding that very few consumers choose to skip the password step. "We haven't heard from customers that it's a problem."
Internet sites brag how easy it is
But word is out on the Internet that such cell-phone spying is easy. On one message board, a cell phone hacker brags about how easy it is to "bust your boyfriend/girlfriend."
"If you call your girlfriend/boyfriend's cellphone and you have their own caller ID show up, it will fool their service provider into thinking that you are calling from their cell, and will go directly into their voicemail. If they have the 'skip password' function on, wahla, you can hear all their messages," the poster writes. "I have tested this."
Verizon didn't immediately return calls for comment. Egan said Verizon's service is largely unaffected by the attack. A spokesman for Nextel said there is no way to skip the password needed for using the service.
Both Blasi of Cingular and Fleckenstein of Sprint said consumers want convenience and have asked for password-disabling features. Both firms say they are informing consumers of the risk, and letting them choose the level of security they want to place on their voicemail.
"People have to take some onus to make sure they properly secure their own devices," Blasi said.
Sprint is considering sending a new warning out to consumers, Fleckenstein said.
"They will have to balance the ease of use versus the potential threat," he said. "The responsible thing is to let them know the threat is out there, so they can balance one versus the other."
Bob Sullivan is author of "Your Evil Twin: Behind the Identity Theft Epidemic."