Phone hacking: Are you safe?

Woman holding mobile phone Could anyone else be picking up your messages?

Can my mobile phone be hacked? A question a lot of us have been asking over recent days, for obvious reasons. So I set about finding out about the threats to your phone and mine.

I called the network I've been using recently, O2, in search of reassurance. They told me that the original hacking technique which made the phones of anyone who used voicemail insecure does now appear to be obsolete.

It involved exploiting the fact that mobile phone operators gave customers default pin numbers - 0000 or 1234 - to access their voicemail from another phone.

O2 say that when they investigated back in 2006, 40 customers were identified as having had their voicemail accessed without authorisation by the News of The World's Clive Goodman and Glenn Mulcaire. After that the network changed its system.

"A customer is now required to personalise their PIN number from their mobile phone if they wish to access their voicemails from another phone. If a customer does not choose a PIN, they will not be able to remotely access any of their voicemails."

But there are other threats out there - just look at this post on the technology site CNET.

The security consultant Kevin Mitnick describes another technique that could allow someone to access your voicemail if they knew your phone number.

Caller ID spoofing allows anyone with a modicum of technical know-how to get access to your voicemail by convincing the system that it's you calling.

According to CNET, the technique has been used in the past to hack celebrities' messages. But rest easy - both O2 and Vodafone told me their systems were designed to make this technique impossible in the UK.

Beyond voicemail

Don't be too relaxed, though, if you are the owner of a smartphone.

The fact that these mini-computers now store vastly more data - from e-mails to calendar appointments to photos - means that any intrusion can be all the more damaging.

Last year a security firm called Vigilante Bespoke, which works to protect its clients' phones and computers from hacking, showed me just how vulnerable a modern smartphone might be.

Start Quote

The mobile phone operators can't afford to ignore security”

End Quote Graeme Cluley Security blogger

Techniques such as text message spoofing and fake wi-fi hotspots that can capture your phone are now available to those bent on mischief with your mobile.

I checked in with Vigilante Bespoke this week and was told that new techniques are popping up all the time, when they examine their customers' mobiles for signs of vulnerability.

On one client's phone they found a piece of software, a legitimate product, used by businesses and parents to monitor everything that happens on a mobile phone - from voicemail, to e-mails to web use.

But in this case it had been installed without the client's knowledge, possibly when he put it down in a public place for a few minutes.

Other threats to your mobile security - from scanners to tracking devices - involve a lot of technical knowledge and in some cases a great deal of investment of time and money from those bent on invading your security.

But, as we've seen, for some journalists and private detectives backed by organisations with deep pockets, that's feasible if the target is deemed sufficiently valuable.

Clueless users

The security blogger Graham Cluley told me it was shocking how ignorant most of us were about the threat to our phones.

"As devices become more complex and we store more of our lives on our cellphone it will become increasingly important to properly protect them," he says.

George Michael The singer says that police want to talk to him as part of the hacking investigation Operation Weeting

"The mobile phone operators can't afford to ignore security, and should build in defences and guide users about how best to protect themselves."

And even if your phone itself is perfectly secure, what about your computer?

On Twitter yesterday George Michael made a series of allegations about the invasion of his privacy by journalists and the police.

"In recent years it's gone way further than phone hacking," he said.

Others who have been the target of newspaper investigations are suggesting that they were sent Trojans - e-mail attachments that allow someone to gain access to your computer.

We still need to see more evidence on that , but a Panorama investigation earlier this year found that this technique had been used in at least one case.

So the question to ask is not so much is my phone safe, but is all of my personal data, wherever it is stored, secure from the hacker?

Luckily, most of us lead lives so mundane that we are unlikely to find ourselves targeted by the tabloids.

That does not mean we can relax - our data may not be valuable to journalists, but for fraudsters it's a potential goldmine.

Rory Cellan-Jones Article written by Rory Cellan-Jones Rory Cellan-Jones Technology correspondent

Instant translation – no longer sci-fi

Automated translation is no longer the stuff of sci-fi fiction, since Skype launched a beta version of its Translator service.

Read full article

More on This Story

Phone-hacking scandal


This entry is now closed for comments

Jump to comments pagination
  • rate this

    Comment number 43.

    I think what most people will see is the in-built collusion between government, media & the police to protect capitalism as it imposes cuts in services (that impact disproportionately on the poor) to avoid facing increased taxes for you your friends. hey you are all in the same club? Well done the guy with the custard pie - symbolised the circus/farce.
    Useful that all this is distracting from cuts

  • rate this

    Comment number 42.

    I dont suppose for one minute that there are millions of people dying of thirst and starvation in Africa while we debate the comings and goings of the less than honest, the power crazed, and the plain unsavoury folk who guide our so called "democracy". Perhaps we should take to the streets, I wonder how our police would deal with us - I expect a la Gadaffi. Unless we bunged them of course!

  • rate this

    Comment number 41.

    The grapevine has it that use of smoke signals / jungle drums has seen an unprecendented patronage of late.

  • rate this

    Comment number 40.

  • rate this

    Comment number 39.

    I don't know whether the phone hacking scandal counts as phone hacking as they are were using default codes to access the voicemails.

    I do agree with the closure of the NOTW after what has been done but also believe that this should result in criminal proceedings that pin the people down that are responsible so that an example can be made.

    There are human rights laws that have been broken....

  • rate this

    Comment number 38.

    Also stop online banking on your smart phones. Burst the bubble you have been manipulated into and now mindlessly enclosed within.

  • rate this

    Comment number 37.

    I'm still surprised mobile phone operators have not yet been criticised for their awful implementation of voice mail security. It was the simplicity of gaining access that caused the hacking (agree with previous poster, it wasn't really hacking) to be so wide spread. I can remember discovering in 2000 how easy it was to access other people’s voicemail. It was in the manuals, but who reads them!

  • rate this

    Comment number 36.

    We seem to have missed two important points here. Firstly: the security of GSM has been compromised on more than one occasion, which is likely to be a concern for all handsets and operators, particularly if the attacker is using the same cell. Secondly, if a call from a mobile phone is routed via landline, we have another weak link in the chain.

  • rate this

    Comment number 35.

    I run an information security consultancy and take the following approach: I don't manage my banking or credit cards online - this is inconvenient - but nothing is ever 100% safe and I could not afford the reputational damage. I shop online - but am prepared to put up with the problems of card details being compromised. At the end of the day it won't cost me money. I don't use any clouds!

  • rate this

    Comment number 34.

    I count myself extremely lucky; these days I do not need, and therefore do not own, a mobile phone. I've tried my hardest to identify a disadvantage but in fact I'm about £300 year better off, I don't get constantly disturbed with other people's issues, I have an answerphone that covers any obligation to return a missed call - at a mutually convenient time - of course.

  • rate this

    Comment number 33.


    If you have done this on a mainstream public network in the UK you should ask them how. If they are accepting untrusted CLI as legitimate something is very wrong. This could have fraud implications that go well beyond voicemail. If you call a landline with your spoofed CLI what gets displayed as the caller Id?

  • rate this

    Comment number 32.

    Two tin cans and some string, those were the days.
    No-one could listen in, unless they just happened to be passing by.

  • rate this

    Comment number 31.

    Just tried CLI spoofing to hack into my own voice mail and it worked. It wouldn't be fair to single out one network for criticism here but it wasn't O2 or Vodafone which are mentioned in the article as claiming to have put an end to this method.

    So, it seems at least one network still hasn't plugged the hole even with recent publicity. Wonder how extensive this problem still is.

  • rate this

    Comment number 30.

    The company I worked for 20 years ago mandated that voicemail passwords be changed every six months (real pain!) and that no confidential messages should be left. Dennis Mcshane (Min for Europe in 2004) said he'd been hacked in 2004 during the Gibraltar negotiations with Spain. Why are confidential diplomatic messages being left on VM anyway as Spanish secret service could intercept anyway?

  • rate this

    Comment number 29.

    What price Sky's 3-in 1 offer?

  • rate this

    Comment number 28.

    One might suppose that so many communications companies, especially BT, have their call centres in overseas countries who are not bound by the UK Data Protection Act?

    The same could be said of some banks whose customers are vulnerable to this anomaly - online or over the 'phone?

  • rate this

    Comment number 27.

    Posters on this site are not secure either. Say anything you don't like about the government, police, NHS, politics, business - these are all key words out in the ether of the internet and will attract attention.

    Critical about online banking - we know how insecure it is, will also attract attention. Letter to your MP or sign a petition online for good causes such as woodlands - same problem.

  • rate this

    Comment number 26.

    @SevenOfMark Not quite. The data collected by Mobile Operators and ISP's has to be anonymised so that individual subscribers cannot be identified. (aside possibly from data made available to law enforcement agencies). Cookies and what Google does with your browsing history is more of a privacy threat although to be fair they're only really using it to sell you targetted advertising.

  • rate this

    Comment number 25.

    Interesting what comments garner a minus with this 'improved' new system.

    'does now appear'

    Gravestones throughout history probably had that inscription

  • rate this

    Comment number 24.

    Rory et al have you ever noticed the RAF, converted Brittan Norman Islander, circling over London, rumour has it that it is listening in to mobile phone conversations. No idea how, there was a Daily Mail feature on it a few years ago...


Page 1 of 3



BBC © 2014 The BBC is not responsible for the content of external sites. Read more.

This page is best viewed in an up-to-date web browser with style sheets (CSS) enabled. While you will be able to view the content of this page in your current browser, you will not be able to get the full visual experience. Please consider upgrading your browser software or enabling style sheets (CSS) if you are able to do so.