By Leisa Zigman, I-Team Reporter
St. Louis, MO (KSDK) - Missouri Attorney General Chris Koster had his voicemail hacked last week. So did KSDK I-Team reporter Leisa Zigman. It was part of an experiment to expose whether there were serious vulnerabilities with smart phones.
The Rupert Murdoch hacking scandal raised the question: how easy is it to hack into voicemail? NewsChannel 5's I-Team test found it is not only easy, but you can do it for as little as $10.
The I-Team partnered with Michael Gregg of Superior Solutions in Houston. He had my permission to try and hack into my voicemail and he also had the permission of Missouri Attorney General Chris Koster.
From his hotel room in Atlanta, Gregg went to work. It took him less than a minute to hack into both phones. He even recorded our voicemails and sent them to us as proof. He heard voicemails left by my friends and family.
Calls were on my phone in advance of the test. Mr. Koster did not use his personal phone but instead used an extra phone he had in the Attorney General's office. He wiped any sensitive messages in advance. Still, Gregg was able to record messages from two of Koster's assistants.
"I believe Attorneys General from around the country and phone companies are going to voluntarily have to take steps forward to give people a greater sense of security," Koster said.
Gregg points out all kinds of alarming scenarios.
"If someone were in a position where they wanted to stalk somebody, they could figure out who they're talking to, who her friends are, where she lives," he said. "If you're thinking of people like government officials or people that work for the military you could intercept those phone messages. It could be for the corporate executive talking about the next big deal. Is the stock going up or down?"
Koster admittedly was not surprised his voicemail was hacked. But he was stunned that it only took 15 seconds. Gregg explained you don't need to be a computer expert to hack into voicemail. In fact, there are online products that let you spoof a phone into thinking it's your own personal phone.
"They are accessing your account and listening to your messages. Unless you've figured it out by some way, you'll never know they've done this," Gregg said.
Koster said, "Whether you are at the top levels of law enforcement or business or whether you are a homemaker, you take your personal privacy to the maximum level and everybody deserves the maximum level of privacy."
There are federal laws against this type of hacking, but Koster said that shouldn't give you any sense of security.
"With regard to the federal law, I don't know the federal government has the resources to really track this type of thing with prosecutorial resources as they are," Koster said. "At the state level I have to say I have concerns with the ambiguity of certain state statutes. Technology is far in front of the wording of state law."
Koster hopes to strengthen Missouri law in the next legislative session and will host an electronic security and privacy summit in October.
Gregg believes the technology needs to have some type of controls. But many phone companies don't seem to agree.
Both Koster and I had AT&T phones. A spokesperson for AT&T Missouri sent a statement saying:
"AT&T takes the security of our customers and their information very seriously. AT&T customers are required to set up a password to use voicemail. Customers have a choice to use a password when calling voicemail from their own mobile phone, but we do not require this. However, customers can change these settings to require a voicemail password quickly and easily from their own mobile phone. We strongly urge our customers to use a password for their voicemail boxes under any circumstance."
Gregg is known as a "white hat," an ethical hacker hired by corporations to expose and fix security flaws. He said our experiment exposes very serious flaws.
"There are fixes for this. One easy fix would be to require people when they sign up for service that it forces them into using a strong pin. And not the situation where there's no pin or more there are we can select 1234," he said.
Koster agreed with Gregg, saying this experiment shows just how vulnerable we all are.
"The Murdoch situation opens up an entire new chapter in the way all of us think about our own privacy. It made us all feel more vulnerable than we had two weeks ago," he said.
To set a voicemail password for AT&T, visit http://www.att.com/wirelessvoicemail. If you look at the heading Voicemail Security, it provides instructions on how to set or change your password.
To set a voicemail password for T-Mobile:
1. Call your voice mailbox from your mobile phone by pressing and holding the 1 key or by dialing 123.
2. Once you arrive at your voice mailbox, press the * key to ensure you are in the main menu area.
3. To access the password security menu, press the 5 key.
4. To toggle your password on or off, press the 2 key.
(Note that if you do have a password, you have to enter in this PIN before accessing the main menu to make any changes.)
SPRINT provided two online sources for changing your voicemail password:
T-Mobile issued the following statement:
"T-Mobile does not require a PIN to access voicemail if calling from your own phone. That said, if you call your voicemail from a different line, by default you are required to set up a password to access your voicemail. When you set up your voicemail, by default your password is the last 4 digits of your phone number, this PIN can be proactively changed to any four digit code you choose.
"In addition to the security T-Mobile provides throughout our network we also offer our customers the option to employ passwords for further security. T-Mobile encourages customers to protect mobile phones just as they protect their desktop computers and believe that with the appropriate use of passwords and other simple safety precautions, T-Mobile customers should not be concerned about the security of their devices, their personal data or account information.
"Effective password protection includes:
• Create separate passwords for voicemail access, online access, and for your use when calling Customer Care.
• Set complex passwords using both numbers and letters where appropriate.
• Change your passwords regularly - at least every 60 days.
• Memorize your passwords - never write them down.
• Don't share your passwords, even with friends and family.
"Customers who wish to take advantage of password security can follow steps on their handset, or can receive assistance online or by speaking with a T-Mobile representative.
"Customers can turn on or off the password functionality at any time. All customers are required to place a password on their account during voicemail set up and they can choose to enable password protection at that time. If a password is not established then the voicemail box is not available for use. People who are gaining unauthorized access to voicemail are committing a crime. T-Mobile directs customers who believe they've been a victim of a crime to immediately contact their local authorities.
"For further information, please refer to the T-Mobile Privacy Resources: http://www.t-mobile.com/Company/PrivacyResources.aspx?tp=Abt_Tab_AccountSecurity&tsp=Abt_Sub_AccountSecurity_PasswordSecurity"
Sprint issued the following statement:
"Voicemail and concerns about voicemail 'hacking' have been receiving a lot of attention recently. Please know that Sprint places a high priority on protecting the personal information of our customers.
"A passcode offers the best protection when it comes to protecting a voicemail account from unauthorized access. At Sprint, when a customer sets up a voicemail account, they are required to establish a passcode. We strongly encourage them to continue using that passcode. We tell our customers that if they choose to skip the passcode, the voicemail account will be vulnerable to unauthorized access. This decision, however, is up to the customer to make. Sprint proactively offers guidance and information, but the customer must balance the desire for convenience with other concerns."
Verizon requires customers to have a voicemail PIN.
John Walls, Vice-President of Public Affairs for CTIA, issued a statement and tips:
"The wireless industry supports the federal laws that prohibit unauthorized access of a cell phone account or records. The penalties were established as a deterrent to this criminal activity, and the industry believes its customers deserve strict enforcement of the laws.
"Carriers dedicate significant resources to protecting their consumers through their technical and customer service operations. They also share with each other industry best practices and augment their systems to address new and evolving threats.
"CTIA encourages consumers to use the security features provided by their carrier. We also recommend consumers take the following steps to protect their device and their service.
1. Keep your wireless device with you at all times. Use the lock feature, so that if someone takes your phone, s/he cannot use it to access your voicemail.
2. Don't give your device to a person you don't know. If you lose your device, contact your carrier immediately so they can turn off service and prevent others from accessing your voicemails (or other personal information).
3. Create a voicemail password and change it periodically, using passwords that are hard to guess.
4. Limit the number of messages allowed in your voicemail and delete once you've listened to them.
5. If you are prone to losing things like your phone, consider purchasing one that allows you to remotely wipe the data clean from your device.
KSDK partnered with Michael Gregg and Superior Solutions Inc for this experiment. Contact Superior Solutions Inc at 713-482-8323.