Telecom New Zealand Ltd.’s 027 voice mail system is vulnerable to the same hack that led to the theft of Paris Hilton’s mobile phone book — and it has been actively exploited in New Zealand.
Users of Telecom’s mobile phone network can protect themselves by disabling Optional PIN entry. Optional PIN entry is a feature that allows immediate access to voice mail when calling from the owner’s phone, but leaves voice mail vulnerable to callers who can forge their caller ID.
An Auckland teenager showed Computerworld how easy it is to access 027 voice mailboxes. A test with an 027 phone and a newly changed PIN confirmed that the service is vulnerable to spoofing. With Optional PIN enabled, the teenager, who cannot be named for legal reasons, was able to reveal the PIN for the mailbox as well as play back and record messages in it. With Optional PIN turned off, the mailbox could not be accessed.
The teenager claims he had listened to messages in the mailboxes of Telecom spokesman John Goulter and Auckland Mayor Dick Hubbard. He also hinted that he had been listening in on messages in the voice mailboxes of senior police officers and had been able to glean details such as the names of officers involved in a local police pornography scandal.
The teenager says he had also targeted Labor MP John Tamihere, but had not been able to find his phone number.
Telecom was unaware of the vulnerability when contacted by Computerworld this week. An Internet search reveals the vulnerability is known about in some quarters and has also been exploited overseas, however.
The teenager told Computerworld the contents of a message left on the phone of Telecom’s public affairs and industry relations manager, John Goulter. A surprised Goulter confirmed the content of the message to Computerworld on Wednesday.
Goulter says Telecom regards accessing its customers’ voice mail as a serious breach of security and will alert the police over the matter.
The convoluted method the teenager used involves forging the caller ID and routing the call through an overseas VoIP provider. Computerworld will not reveal further details at this time.
Telephone networks depend on physical security with access to equipment being strictly controlled, as neither calls nor the controlling signals are encrypted. There is no authentication built into the telephony protocols either — telcos operate a “web of trust” and apply policy filters to sanitize the information received, for example by not accepting caller IDs originating from outside their networks.
However, in the case of Telecom’s 027 voice mail service, the eavesdropper is able to forward bogus caller ID and Automatic Number Identification (ANI) from outside the 027 network.
The voice mail vulnerability raises additional security concerns. Some people use their voice mail PIN for other services such as online banking. Because attackers can retrieve the victim’s PIN from the voice mail, they may also be able to access those other services.
Using a forged caller ID, a malicious attacker could also place multiple emergency calls to police or ambulance services that appear to originate from the victim. Alternatively, an attacker could, say, order pizza deliveries from every delivery company in town.
Goulter says Telecom is planning to warn its 027 customers of the vulnerability. About one-third of its mobile and fixed customers use optional PIN entry, Goulter says, and the company will be encouraging those customers to disable the feature “as fast as we can”.
Telecom isn’t certain whether landline mailboxes are also vulnerable, he says.
Asked whether Telecom could mitigate the problem in its network, Goulter says the telco doesn’t yet know, but is discussing the issue with other providers outside New Zealand.