Mobile Competency Report Focuses on Hack of Cell Phone Voice Mail
March 3, 2005 -- Bob Egan, President and CEO of Mobile Competency, issued a report last week on a faulty cell phone security exploit that puts users' voice mail systems at risk. Egan was able to hack into his own cell phone voicemail system to change passwords and user options. He won't reveal how this exploit was done to avoid giving the information to those who would use it maliciously. He does say that it involved a faulty authentication mechanism and a skip-password feature currently available on several phone systems.
Mobile Competency is a market analyst and professional services firm whose focus is assessing key business and technology initiatives to determine their contribution to business performance. The company does both independent research and research sponsored by clients. This particular report, Egan said, was the result of independent research
sparked by two recent high profile incidents involving hacks on mobile phones. Paris Hilton and a secret service officer had information stolen from their mobile phones, and both exploits involved the same device. Egan wanted to see whether the security risk was related to the specific device used by the victims or whether it involved a greater flaw that
existed across the mobile network. He found that it was a flaw that existed up in the network involving several mobile operators.
"Millions of people were exposed to this blatant security risk," said Egan. He called the operators and got a variety of responses, ranging from some knowledge of the problem to total ignorance. "T-Mobile and
Sprint in particular, who have millions of subscribers at risk here, appear to be too hampered by a combination of political concerns and technical issues to forcefully alert people at risk or to implement
new security technologies. The face-saving issue (once we had publicly announced this flaw) seemed more of a concern to them than actually protecting their subscribers."
What did the flaw involve? Egan did reveal that the culprit was a combination of bad authentication practices and the skip-password
feature, which allows users, when calling from their own phones, to skip the password authentication process. The authentication method that is used to tell the system that you're calling from your own phone is one's
caller ID. As there are tools available online to spoof the caller ID of any mobile phone, it is now possible to have someone get into your voice mail and delete messages if you've got the skip-password feature enabled. This is true whether they're calling from the physical phone or from a spoofer.
How can users protect themselves from this exploit? Egan says there are
three necessary steps:
- Operators need to change the security method they use to validate the user.
- Users should not use the skip-password feature.
- Users should create their own unique password when they get their phones and not use the system default (which is publicly available on the Internet on many of these operators' sites.)
Macromedia ColdFusion and Flash now have more capabilities for programming mobile applications, so I asked Egan whether either
technology represented a significant security risk. Egan said, "I have not investigated the underlying mobile security implementations by
Macromedia, but generally when using an active executable in some form, you need to spend some time making sure the implementation is secure." These are words that most companies would do well to live by.
You can read more about the cell phone voice mail exploit, and other mobile security (and business) issues by accessing Mobile Competency's reports (available by paid subscription only) at
http://www.mobilecompetency.com/research.html.
Mobile Competency Research
Mobile
Competency Releases Latest Wireless Security Report 'Faulty Cell Phone
Security Leaves Millions Exposed' (MSNBC Wire Services, February 28,
2005)
