Phone Hacking
Páginas: 8 (1916 palabras)
Publicado: 20 de abril de 2015
Techniques
Voicemail
Contrary to what to their name suggests, scandals such as the News International phone hacking scandal have little to do with hacking phones, but rather involve unauthorised remote access to voicemail systems. This is largely possible through weaknesses in the implementations of these systems by telcos.[3]
Since the early days of mobile phone technology, service providershave allowed access to the associated voicemail messages via a landline telephone, requiring the entry of a Personal Identification Number (PIN) to listen to the messages. Many mobile phone companies used a system that set a well-known four digit default PIN that was rarely changed by the phone's owner, making it easy for an adversary who knew both the phone number and the service provider toaccess the voicemail messages associated with that service.[4] Even where the default PIN was not known, social engineering could be used to reset the voicemail PIN code to the default, by impersonating the owner of the phone during a call to a call centre.[5][6] Many people also use weak PINs that are easily guessable; to prevent subscribers from choosing PINs with weak password strength, some mobilephone companies now disallow the use of consecutive or repeat digits in voicemail PIN codes.[7]
During the mid-2000s, it was discovered that calls emanating from the handset registered against a voicemail account were put straight through to voicemail without the caller being challenged to enter a PIN. An attacker could therefore use caller ID spoofing to impersonate a victim's handset phonenumber and thereby gain unauthorized access to the associated voicemail without a PIN.[8][9]
Following controversies over phone hacking and criticism that was levelled at mobile service providers who allowed access to voicemail without a PIN, many mobile phone companies have strengthened the default security of their systems so that remote access to voicemail messages and other phone settings can nolonger be achieved via a default PIN.[4] For example, AT&T announced in August 2011 that all new wireless subscribers would be required to enter a PIN when checking their voicemail, even when checking it from their own phones, while T-Mobile stated that it "recommends that you turn on your voice mail password for added security, but as always, the choice is yours."[10]
HANDSETS
An analysis ofuser-selected PIN codes suggested that ten numbers represent 15% of all iPhone passcodes, with "1234" and "0000" being the most common, with years of birth and graduation also being common choices.[11] Even if a four-digit PIN is randomly selected, the key space is very small (10,000 possibilities), making PINs significantly easier to brute force than most passwords; someone with physical access to ahandset secured with a PIN can therefore feasibly determine the PIN in a short time.[12]Enterprises may therefore implement policies enforcing strong passwords through mobile phone management systems.[13]
Mobile phone microphones can be activated remotely by security agencies or telcos, without any need for physical access.[14][15][16][17][18][19] This "roving bug" feature has been used by lawenforcement agencies and intelligence services to listen in on nearby conversations.[20]
Other techniques for phone hacking include tricking a mobile phone user into downloading malware which monitors activity on the phone, or bluesnarfing, which is unauthorized access to a phone via Bluetooth.[6][21]
OTHER
There are also flaws in the implementation of the GSM encryption algorithm that allowpassive interception.[22] The equipment needed is available to government agencies or can be built from freely available parts.[23]
In December 2011, German researcher Karsten Nohl revealed that it was possible to hack into mobile phone voice and text messages on many networks with free decryption software available on the Internet. He blamed the mobile phone companies for relying on outdated...
Techniques
Voicemail
Contrary to what to their name suggests, scandals such as the News International phone hacking scandal have little to do with hacking phones, but rather involve unauthorised remote access to voicemail systems. This is largely possible through weaknesses in the implementations of these systems by telcos.[3]
Since the early days of mobile phone technology, service providershave allowed access to the associated voicemail messages via a landline telephone, requiring the entry of a Personal Identification Number (PIN) to listen to the messages. Many mobile phone companies used a system that set a well-known four digit default PIN that was rarely changed by the phone's owner, making it easy for an adversary who knew both the phone number and the service provider toaccess the voicemail messages associated with that service.[4] Even where the default PIN was not known, social engineering could be used to reset the voicemail PIN code to the default, by impersonating the owner of the phone during a call to a call centre.[5][6] Many people also use weak PINs that are easily guessable; to prevent subscribers from choosing PINs with weak password strength, some mobilephone companies now disallow the use of consecutive or repeat digits in voicemail PIN codes.[7]
During the mid-2000s, it was discovered that calls emanating from the handset registered against a voicemail account were put straight through to voicemail without the caller being challenged to enter a PIN. An attacker could therefore use caller ID spoofing to impersonate a victim's handset phonenumber and thereby gain unauthorized access to the associated voicemail without a PIN.[8][9]
Following controversies over phone hacking and criticism that was levelled at mobile service providers who allowed access to voicemail without a PIN, many mobile phone companies have strengthened the default security of their systems so that remote access to voicemail messages and other phone settings can nolonger be achieved via a default PIN.[4] For example, AT&T announced in August 2011 that all new wireless subscribers would be required to enter a PIN when checking their voicemail, even when checking it from their own phones, while T-Mobile stated that it "recommends that you turn on your voice mail password for added security, but as always, the choice is yours."[10]
HANDSETS
An analysis ofuser-selected PIN codes suggested that ten numbers represent 15% of all iPhone passcodes, with "1234" and "0000" being the most common, with years of birth and graduation also being common choices.[11] Even if a four-digit PIN is randomly selected, the key space is very small (10,000 possibilities), making PINs significantly easier to brute force than most passwords; someone with physical access to ahandset secured with a PIN can therefore feasibly determine the PIN in a short time.[12]Enterprises may therefore implement policies enforcing strong passwords through mobile phone management systems.[13]
Mobile phone microphones can be activated remotely by security agencies or telcos, without any need for physical access.[14][15][16][17][18][19] This "roving bug" feature has been used by lawenforcement agencies and intelligence services to listen in on nearby conversations.[20]
Other techniques for phone hacking include tricking a mobile phone user into downloading malware which monitors activity on the phone, or bluesnarfing, which is unauthorized access to a phone via Bluetooth.[6][21]
OTHER
There are also flaws in the implementation of the GSM encryption algorithm that allowpassive interception.[22] The equipment needed is available to government agencies or can be built from freely available parts.[23]
In December 2011, German researcher Karsten Nohl revealed that it was possible to hack into mobile phone voice and text messages on many networks with free decryption software available on the Internet. He blamed the mobile phone companies for relying on outdated...
Leer documento completo
Regístrate para leer el documento completo.