Sunday, July 24, 2011

Irish mobile phone companies act on voicemail hacking - but why the delay and have they gone far enough?

Yesterday's Irish Times has a story detailing what Irish mobile providers are doing about voicemail security, in light of the UK phone-hacking scandal. There is more detail on the Data Protection Commissioner's website, which indicates that the DPC has abandoned earlier plans to make remote access to voicemail a user option. Instead, according to the DPC:
[The networks] have now all put in place or have committed to put in place in the coming days additional measures to assist their customers to protect the data on their phones. It is now important that the public follow the advice of their mobile provider and where they have not already done so take steps to either secure their voicemail and phones generally or improve upon the measures they may have already taken. At the end of this process it will no longer be possible to access a person’s voicemail using a default password.
The state of play is now as follows:
Meteor and eMobile
No default security PIN is applied and every customer is required to choose their own secure PIN when enabling voicemail. In an effort to encourage customers to take proactive steps to secure their voicemail service they have enhanced the information contained on both websites with additional details and guidance on how to secure voicemail services. Additionally, an educational SMS will be sent to all voicemail users in the coming days. Customers can strengthen their password today by dialling 171 (both Meteor and eMobile) and following the instructions.
O2
O2 has commenced a programme of communications with customers to advise on how they can keep access to their voicemail secure at all times. The communications will include text messages to customers and a pre-recorded advisory when customers dial in to their voicemail service to retrieve messages. O2 has also updated its website with a range of security tips, available in the "Can we help you today?" section on the homepage. Customers can change their password today by dialling 173 from their handset and following the instructions.
Three
Three is communicating to its customers the importance of securing their voicemail with a unique PIN known only to the customer. The communications will include text messages to customers with advice on setting up a voicemail PIN. There will also be an Online Help & Support update to the section on Voicemail to advise customers on the level of security they should use when setting up their PIN. Customers can change their password today by dialling 171 (in Ireland) or +353 83 333 3171 from abroad from their handset and following the instructions.
Vodafone
From tomorrow Vodafone Ireland customers will hear information when they dial 171 on how they can change their voicemail password at any time. Voicemail and password information is also available today. Vodafone will continue to inform its customers in the coming weeks on new enhanced security options available to its customers. Customers can change their password today by dialling 173 from their handset and following the instructions.
At first glance this might seem like a step forward, but it leaves many questions unanswered.

First - why has it taken the Irish networks so long to act? Wrongful access to voicemail messages was well known long before now - and I blogged about it here back in 2006. There is simply no excuse for the delay that most networks have shown.

Second - will the networks continue to issue new phones with default voicemail passcodes? Credit must go to Meteor/eMobile who don't do so, but it isn't clear from the DPC's statement - "At the end of this process it will no longer be possible to access a person’s voicemail using a default password" - whether the other networks will be required to abandon their ongoing use of default passcodes. If not, however, then it's hard to see how they would not be in breach of Regulation 4 of the new ePrivacy Regulations, which provides that:
(1) With respect to network security and, in particular, the requirements of paragraph (2), an undertaking providing a publicly available electronic communications network or service shall take appropriate technical and organisational measures to safeguard the security of its services, if necessary, in conjunction with undertakings upon whose networks such services are transmitted. These measures shall ensure the level of security appropriate to the risk presented having regard to the state of the art and the cost of their implementation.
(2) Without prejudice to the Data Protection Acts, the measures referred to in paragraph (1) shall at least—
(a) ensure that personal data can be accessed only by authorised personnel for legally authorised purposes,
(b) protect personal data stored or transmitted against accidental or unlawful destruction, accidental loss or alteration, and unauthorised or unlawful storage, processing, access or disclosure, and
(c) ensure the implementation of a security policy with respect to the processing of personal data.

(Daragh O'Brien has more on the ePrivacy Regulations and their impact on voicemail hacking.)

Third - have the Irish networks taken steps to secure against other methods of voicemail hacking, such as Caller ID spoofing? This is a well-known problem in the US and in at least some European countries - as Brian Krebs puts it:
For years, it has been a poorly-kept secret that some of the world’s largest wireless providers rely on caller ID information to verify that a call to check voicemail is made from the account holder’s mobile phone. Unfortunately, this means that... your messages may be vulnerable to snooping by anyone who has access to caller ID "spoofing" technology. Several companies offer caller ID spoofing services, and the tools needed to start your own spoofing operation are freely available online.
The recent statement from the DPC doesn't address this particular attack, and the track record of most Irish networks doesn't fill me with confidence that they are on top of this issue either.
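To make the third point concrete, here is an added illustration (my own sketch, not code from any Irish network, the DPC, or the Krebs article) of the difference between a voicemail platform that treats a matching caller ID as proof of identity and one that always requires a subscriber-chosen PIN, refuses mailboxes still on a shipped default, and locks after repeated failures. The phone numbers, PINs, the default-PIN list and the lockout threshold are all constructed for the example.

```python
"""Voicemail access policy model (added illustration; not any network's code).

Contrasts a caller-ID-trusting policy of the kind Krebs describes with a
hardened policy where caller ID is never an authenticator. All numbers,
PINs, the default-PIN list and MAX_FAILURES are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed list of PINs a network might ship as defaults (assumption).
DEFAULT_PINS = frozenset({"0000", "1234", "1111"})
MAX_FAILURES = 3  # assumed lockout threshold


def pin_is_weak(pin: str) -> bool:
    """True for PINs a hardened policy should refuse at set-up time."""
    if not pin.isdigit() or len(pin) < 4:
        return True
    if pin in DEFAULT_PINS or len(set(pin)) == 1:   # shipped default or 7777
        return True
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})                      # 2345, 9876 and similar runs


@dataclass
class Mailbox:
    msisdn: str
    pin: str            # stored PIN; a real platform would store a hash
    failures: int = 0
    locked: bool = False


@dataclass
class AccessRequest:
    presented_caller_id: str    # CLI as received by the platform; spoofable
    pin_entered: Optional[str]  # None when the caller never entered a PIN


def authorize_caller_id_trusting(box: Mailbox, req: AccessRequest) -> bool:
    """Weak policy: a matching caller ID bypasses the PIN entirely."""
    if req.presented_caller_id == box.msisdn:
        return True
    return req.pin_entered == box.pin


def authorize_hardened(box: Mailbox, req: AccessRequest) -> bool:
    """Hardened policy: PIN always required, defaults refused, lockout applied."""
    if box.locked:
        return False
    if box.pin in DEFAULT_PINS:   # still on a shipped default: refuse until changed
        return False
    if req.pin_entered is None or req.pin_entered != box.pin:
        box.failures += 1
        if box.failures >= MAX_FAILURES:
            box.locked = True
        return False
    box.failures = 0
    return True


def demo() -> dict:
    """Run both policies against a spoofed-caller-ID request; return outcomes."""
    victim = "+353870000000"   # constructed subscriber number
    spoofed = AccessRequest(presented_caller_id=victim, pin_entered=None)
    default_box = Mailbox(msisdn=victim, pin="1234")
    chosen_box = Mailbox(msisdn=victim, pin="8305")
    return {
        "weak_policy_spoof_grants": authorize_caller_id_trusting(default_box, spoofed),
        "hardened_spoof_grants": authorize_hardened(default_box, spoofed),
        "hardened_default_pin_grants": authorize_hardened(
            Mailbox(msisdn=victim, pin="1234"),
            AccessRequest(presented_caller_id=victim, pin_entered="1234")),
        # correct PIN from an unrelated number: caller ID is irrelevant here
        "hardened_chosen_pin_grants": authorize_hardened(
            chosen_box,
            AccessRequest(presented_caller_id="+353850000000", pin_entered="8305")),
    }


if __name__ == "__main__":
    for name, granted in demo().items():
        print(f"{name}: {granted}")
```

The point of the comparison is that the hardened policy never consults `presented_caller_id` at all, so spoofing the CLI buys the attacker nothing, and a mailbox left on a shipped default cannot be opened even with that default until the subscriber changes it; `pin_is_weak` is what the set-up prompt would call to reject defaults and trivial sequences up front.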
