Monday 28 April 2014

Should voicemail be trusted?

As a member of HP's Advanced Technology Group I take security very seriously. It is a primary thought in everything that engineer does at HP.

I will start this discussion with a disclaimer: Don't hack voicemail!  Not only is it a really nasty thing to do, it is illegal!

In the UK we have had a phone hacking scandal in our media for a long time. The short story is reporters for tabloid newspapers were accessing the voicemail of celebrities to find out gossip to sell papers.  Phone providers made this easy by having an easy to guess default PIN number or no PIN number at all to access voicemail remotely.

Whilst things have improved slightly in the wake of this, The Register recently proved you can still access the voicemail of others without a PIN number very simply.  By the time you read this I suspect both providers affected by this will have closed the loop hole but there is bound to be other loop holes just waiting to be exploited.  This still raises several questions in my mind about the security of voicemail.

Judging by the data from a recent Data Genetics article you could reasonably guess a PIN in three tries with around 18% chance of getting it correct.  I've not tried to lock myself out of a voicemail system before but I would hope it locks out after three attempts (if not then we should really worry).  If you have some information such as memorable years/dates about the person owning the number you could probably even increase your success rate.  So in theory a hacker wouldn't have to try too many phone numbers until he/she got in.

If your PIN number is not stored in an encrypted form it is likely that it would be vulnerable to some form of social engineering attack at the provider's end.  I also suspect that many would use their credit card PIN number as their voicemail PIN number to make it easy to remember which adds an level of insecurity with the system.

I think it is very unlikely that the voicemail is stored as in an encrypted form, much more likely that it is a bunch of MP3s on a disk array with a database table pointing to your messages (or just blob data in the DB).  This brings the security of it down inline with email (worse because a PIN number is easier to guess than passwords).  Even if the voicemail data is encrypted the provider holds the locks and the keys, rendering you powerless.

The general saying is that email should be considered public and you shouldn't send messages you wouldn't want the world reading without at least some form of encryption (such as PGP). I would say that exactly the same is true of voicemail, don't use it for messages that you don't want the world to hear.  Voicemail doesn't have anything like PGP encryption built-in.

Several of my friends and I have our voicemail greeting messages set to say that we don't listen to our voicemail ever and that messages should be left in a different form.  In this decade, where security is really under the magnifying glass, I think someone needs to start taking a serious look at a better way of doing voicemail.