A lot of hacking is playing with other people, you know, getting them to do strange things.
Voicemail hacking is a problem, one that is now widely popularised in the media, and I’m not going to discuss the political ramifications but it does present an interesting security question. The issue is that voicemail systems haven’t fundamentally changed in 20+ years since their creation with analogue mobile phones, a subscriber number and a 4 digit PIN are all that are required to reach messages.
A struggling model
The current security model relies on three things:
- External access enabled
- Username (phone number)
You do generally have to enable remote access for message retrieval, and lots of people do, you’d need the mobile number and PIN but the default PIN numbers for most of the networks are published and there appears to be limited support for remote lockout on failed attempts.
Can the networks fix this?
Yes they can, but the problem here is that it would need massive user re-education, infrastructure upgrades and possibly handset updates.
A Risk and Mitigation approach is really what has to be undertaken. If you are a government department, senior executive at a Fortune 500 company or a high net-worth person then the reward for someone getting into your voicemail is likely higher than if you are a student*
Technology to the rescue…
The interesting thing is this was not an unexpected problem! The latest version of Exchange, 2010, has some clever security protections designed in:
Protected Voice Mail: Exchange Server 2010 solves the problem of unauthorized distribution of the messages by securing the message content, specifying the users who may access that content, and the operations that they may perform on it. It uses Active Directory Rights Management Services to apply Do Not Forward permissions to voice messages that are designated either by the sender (by marking the message as private) or by administrative policy. This prevents the forwarding of protected voice mails in a playable form to unauthorized persons, whatever the mail client used.
What this is saying is that with a Windows Rights Management Services server and Exchange 2010 you can create rules based on anything you like really that can enforce really stringent security policies. So if you’re an Account Manager you might need access to your VMs from your Windows phone while you’re on the road and your home phone when you’re back; but if you’re the CEO your voicemail might be so sensitive that access from anything but a secured company device is too risky and isn’t allowed.
What does that actually mean?
- No simple PINs
- Encrypted storage and playback
- Control on where the voicemail can be accessed
- Forwarding rules
More info at http://www.microsoft.com/exchange/en-us/unified-messaging.aspx
*No offence to students of course! :p