Beware of rising phone hacking incidents

Following U.K. News of the World scandal, IT security vendors say phone hacking on the rise and illustrate different methods hackers intercept victims' phone conversations.

Phone hacking incidents are on the rise and users need to take measures to prevent their phone conversations from being breached, warn industry watchers who say hackers today deploy various tactics to intercept conversations on landline as well as mobile phones.

Amateur hackers are expected to be more active in hacking phone conversations with the growing availability of mobile encryption cracking tools, according to Ng Jun Wen, ICT Practice research analyst at Frost & Sullivan Asia-Pacific.

He point to Karsten Nohl, chief scientist of Berlin-based Security Research Labs, who noted that some network operators in Europe currently do not encrypt their GPRS network to monitor traffic and filter out viruses or software such as Skype.

"This will put unsuspecting users at risk of being hacked by hobbyist hackers who have access to recently released technical know-hows, decryption and interception software," Ng told ZDNet Asia in an e-mail.

A recent Frost & Sullivan study predicted that there are currently some 2.8 million subscribers on GSM and GPRS networks in the Asia-Pacific region, and this number is projected to grow another 3.4 million subscribers by 2015, he noted.

"The ramifications of phone hacking threats in Asia-Pacific are obvious," Ng said. "The concern that telco companies in Asia-Pacific need to address is [whether] they are doing their best to ensure the privacy of their subscribers."

David Jacoby, senior security researcher at Kaspersky Labs' global research and analysis team for Nordics, however, disagreed that phone hacking incident are on the increase, noting that such activities are not as popular as it used to be since threats today are more targeted toward individuals and single devices, rather than entire phone switches.

Instead, more phone conversations are transmitted over the Internet today, opening them up to more attack vectors, Sweden-based Jacoby said in an e-mail interview.

"The problem with phones is there are small computers with the same functionality as a normal computer," he explained. "This makes it very difficult to secure since, even if the phone networks are secure, the device may be running other vulnerable software which can be exploited by the hacker."

Singapore Telecommunications (SingTel) told ZDNet Asia that it has not encountered any phone hacking cases. "To safeguard the privacy of our customers, we have strict measures in place to prevent hacking and tapping of our fixed and mobile networks," said a spokesperson from the Singapore telco.

Ng also noted that in the recent phone hacking scandal in United Kingdom, whereby employees of News of the World tabloid were convicted over phone hacking charges, it was the voicemail, not telephone conversations, of victims that were breached.

Tapping phone stations, cracking codes
Describing phone hacking, also known as "phone phreaking", as a "very old subculture", Jacoby noted: "There are many different ways an attack can snoop on another phone conversation, and it also depends on the phone the victim is using."

For landline phones, he explained that attack methods include breaking into the phone station and plugging in a device that enables hackers to tap the phones connected to that station or compromise a private branch exchange.

For mobile phones, hackers can infect the device with malware to record phone conversations or crack the cryptography of the GSM or GPRS network through various techniques, he added.

Elaborating, Frost & Sullivan's Ng explained that Nohl had demonstrated a GSM hack in 2009 to show how phone hackers were able to acquire a few Motorola C-123 phones, upload modified firmware on the devices and use them to "sniff" out raw location data which could be used to route voice and text messages.

Nohl then fed the raw data into a laptop running interception software, used a 2TB table of pre-computed keys and managed to break and listen to a live GSM call within 20 seconds, Ng added.

Set voicemail passwords, secure smartphones
"In this advanced stage of technology, we would like to advise customers to practise caution with the wide availability of their communication devices," said Ivan Lim, corporate communications and investor relations at Singapore mobile operator, M1."In circumstances where defaulted passwords are presented, it is best to ensure these are changed for the prevention of unauthorized access."

Voicemail systems by default do not require a password pincode when users are calling from their own phone, Ng said while issuing a warning that there were tools which would enable hackers to spoof caller IDs.

"Through this method, phone hackers are able to gain access to the victim's voicemails," he explained. "A miscall from your own number is a clear indication of a voicemail phone hack attempt [so] it is critical that users set a pin number for their voicemails to avoid any untoward incidents."

However, Patrick Cox, co-founder and CEO of TrustID, said in a previous report that passwords alone were insufficient in protecting voicemails. He stressed the need for call centers to use at least two-factor authentication to ensure the person asking for personal information was in fact authorized to access that information.

To safeguard conversations on smartphones from being breached, Jacoby advised: "Make sure your smartphone is secure and that you have protection against malicious code."