/ 14 July 2011

SA cellphones easy targets for hackers

Hacking into cellphone voice messages on a grand scale is “easily plausible” in South Africa, says Dominic White, a security specialist at SensePost Information Services.

This comes in the wake of the News of the World scandal in which the former English weekly tabloid shut down after illegally hacking the voice mailboxes of people involved in the stories it was investigating. But despite the concern the scare raised for phone security, South African cellphones remain vulnerable to a range of hacking methods — which need not be sophisticated.

“[Voice-mail security] wasn’t really on the radar of the world until the News of the World,” White said. But security experts says similar cases of phone-hacking could already have happened in southern Africa.

Voice-mail hacking, made illegal by South Africa’s Constitution through the right to not have one’s communication infringed, is “actually very easy”, said Etienne Labuschagne, the managing director of SpyCatcher SA, a company that develops and imports surveillance devices, in an interview with TechCentral.

A lack of security on voice-mail systems is compounded by what White described as a common lack of awareness on the part of cellphone owners about phone security.

PIN drop
First off, large cellular networks such as Vodacom, MTN, and Cell C don’t offer alphanumeric passcodes, which significantly enhance the potential strength of a passcode, or PIN (personal identity number).

Providers like these limit users to either four or six digit numerical passcodes.

According to Eddie Moyce, a customer service representative at MTN, the provider does not offer alphanumeric passcodes because of limitations imposed by standard “bodies and handset suppliers,” which he said currently only offer numeric PINs.

Portia Maurice, Vodacom’s Chief Officer, said the provider “put in place additional measures to protect” customers in response to the first reports of voice-mail hacking in the United Kingdom in 2006, saying these changes made the system “extremely secure”.

Maurice would not comment further on the system’s security.

However, numeric passcodes make it easy to hack inboxes by calling from other phones, whether land lines or cellphones on a different network, a feature most major providers offer, but which White said most customers do not realise is possible.

Representatives from Vodacom and MTN confirmed that their systems do require users to create a passcode or PIN upon first opening one’s voice-mail account, and White confirmed that this is the case for Vodacom. Cell C was not available to comment.

Remote access
For example, for Vodacom numbers, White said, one can call 082-121-[remainder of cellphone number]-[hash symbol]-[PIN]-[hash symbol], to call to listen to voice mails remotely.

This system means “the user is safe,” according to Bridget Bhengu, Public Relations and Communication Representative at MTN.

Hacking four and six digit numeric passwords, however, isn’t difficult, according to White.

He estimated that within half a day a moderately skilled programmer could develop an automated system that would systematically test PIN numbers at a rate of one passcode per minute.

It would take, at most, seven days to crack the most difficult four-digit passcode, and a maximum of 231 days to crack a six-digit PIN through the same method.

Inexpensive
“If I wanted to get into Jacob Zuma’s inbox, which is probably fascinating, that wouldn’t be a big cost,” White said.

Even using the primitive method of testing PINs manually, it can be easy for hackers to guess.

The majority of cellphone owners’ passwords are likely weak, White said, citing 1234, 1111, and users’ birthdays as common examples.

“The people who access them remotely probably aren’t setting them in a way that would defend them from a possible attack,” he said.

One of the main problems with cell providers’ security systems is that they lack sophisticated ways of monitoring repeated failed attempts at access or attempted access by unrecognised numbers.

Many major cell providers such as MTN and Vodacom offer users three chances to enter possible PINs to access a voice mailbox. If three consecutive PINs are entered incorrectly, the call will be ended. But beyond this, Vodacom and MTN spokespeople could not confirm that their services offered any additional screening for access attempts.

Three strikes system
White said providers’ offering a system more sophisticated than the “three strikes” system described was “unlikely”.

“I don’t think people would know if they had been hacked,” White said.

Security can be compromised when accessing voice mail from one’s actual cell, as major providers often have a default setting on phones that doesn’t require one to enter a passcode if one calls from one’s own phone, a feature which Boorman said applies to Vodacom.

Beyond entering PIN numbers, Labuschagne identified three primary ways voice mails could be hacked.

The first is to install malware into the victim’s phone that forwards copies of all of a phone’s incoming messages via email to separate account.

The second way would be to physically obtain the cellphone and embed within it hardware or software that enables an eavesdropper to access conversations, texts, emails, or even use the phone itself as a recording bug.

The third way is to bribe government or network operators for illegal services, likely the most expensive of the three.

Not just paranoia anymore
“It used to be easy to say people were just paranoid,” Labuschagne said. “I’m dealing with more and more clients every day who have these problems.”

White said major cell providers should go further than requiring four and six digit numeric PINs to secure users’ accounts. In addition to offering alphanumeric passwords and enhancing providers’ mailbox monitoring systems, providers could also disable remote access.

As for what users themselves could do to increase security, White said: “Delete your voice mails and set your passwords long and strong.” — AFP