Cell phone privacy and hacking

In the past two days, there have been two major developments relating to cell phone privacy. First, in the UK, verdicts were returned for Andy Coulson and Rebekah Brooks in the infamous News International phone hacking scandal. Verdicts on the charge of conspiring to commit misconduct in a public office are also pending against Coulson and former editor Clive Goodman.

The second major development was a unanimous ruling by the U.S. Supreme Court that police need warrants to search the cell phones of people they arrest.

These developments reveal two distinct ways in which our privacy is threatened: by hackers and by the government. In the phone hacking scandal, the voicemails of victims such as Prince William and missing schoolgirl Milly Dowler were illegally accessed by hackers. On the other hand, the US Supreme Court’s ruling addressed two cases in which suspects were convicted based on data found on their cell phones.

In the case of government intrusion, there are limits on what we can do to protect our privacy. In particular, governments must balance the privacy of their citizens against the need to combat crime. As the opinion of the US Supreme Court acknowledged, their decision “will have an impact on the ability of law enforcement to combat crime.”

The government has unique powers that allow it to obtain data far beyond what mere hackers can obtain. For example, it can subpoena your phone company to provide records of your calls, text messages, and other data. In some cases, the FBI has even been known to use a technique known as a “roving bug” to eavesdrop on conversations that occur near a cell phone.

The best way to limit government invasions of privacy is to stay abreast of new laws and ask your members of Congress to ensure that the appropriate balance between privacy and law enforcement is maintained.

The law is also an invaluable tool for protecting your privacy against criminals. For example, the Truth in Caller ID Act of 2009 prohibits caller ID spoofing “for the purposes of defrauding or otherwise causing harm.” This law would presumably make it a crime for an identity thief to pose as your bank to ask you for sensitive information such as your Social Security Number, credit card numbers, or date of birth.

Besides speaking to your legislators, there are also specific measures you can take to protect yourself from phone hackers. For example, you can reduce the risk that sensitive voicemails can be accessed by taking the following measures:

1. Do not give out your cell phone number to just anyone, particularly if you are a celebrity, government official, or any other person of interest. In some cases where you must give out a number, you can use a disposable prepaid phone or a temporary phone number to avoid giving out your real phone number. For example, an app called “Burner” is available on both Google Play and Apple’s App Store. Burner apparently forwards any calls received on the throwaway number to your real phone without revealing your number to the caller. (Caveat: I have not tried Burner)

However, you should be careful about assuming that all call forwarding hides your real number from the caller. In some cases, the ultimate receiving number may be revealed to the caller. Before relying on a call forwarding service to hide your real number, always do your research and consult a professional if necessary.

Another option is to use a number that is completely unconnected to your actual phone number. For example, the free service K7.net provides free voicemail service. Although you cannot directly speak to callers, callers can leave a voicemail message by calling the number you provide. You can then listen to the message by downloading a file of the recording, and call the other party back if you desire, perhaps using caller ID blocking.

2. Do you really need remotely accessible voicemail? If you do not need the convenience of remote access, one option is to receive messages on an answering machine at your home (or other secured location). If you choose an answering machine that gives you the option of disabling remote access, an intruder would need to physically break into the premises in order to listen to any of your messages. Hopefully, this is more difficult than remotely hacking into your voicemail.

In many cases, phone manufacturers have made it impossible to disable remote access, so the best you can do is change the password to something other than the factory default to make it more difficult for hackers to guess. Remember that factory default passwords are publicly available and can easily be found via a simple Google search.

3. Delete voicemail messages as soon as possible after you listen to them unless you absolutely need to save the message for some reason. Although this doesn’t directly protect your voicemail from being hacked, it is better to leave the hacker with less information than more if a hack should happen.

Similarly, remember that cell phones are very easy to lose. Do not store any sensitive information on the phone that you do not have to, unless the phone is adequately protected by measures such as full-disk encryption.

Edit: Encryption on phones is unlikely to protect against wiretapping by the government. It may help if your phone is merely stolen or lost.

4. Where remote voicemail access is absolutely necessary, set a strong password (or PIN). Do not use personal information that can easily be researched or use any of the most commonly used passwords such as 1234, 0000, 2580, 1111, 5555, 5683, 0852, 2222, 1212, and 1998.

A strong password means the following:

If your voicemail provider allows more digits, then use as many as you are allowed to. With 4 digits, a hacker only has to guess at most 10,000 possible combinations (0000 to 9999) to access your voicemail. With 7 digits, they would need to guess 10,000,000 different combinations, a significantly harder feat.

As previously mentioned, do not use any of the commonly used passwords.

Avoid using passwords that use only one number (e.g. 5555555) and passwords with easily recognizable patterns (e.g. 1234567, 7654321).

Do not use any personal information such as your phone number, birth date, home address, or social security number as your voicemail password.
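The PIN rules above can be checked mechanically before you set a new voicemail PIN. The following Python sketch is an added example, not part of the original post; the function names, the result codes, and the default `max_len=7` (the provider's maximum PIN length) are assumptions chosen for illustration, and the sample personal data is constructed.

```python
import re

# Commonly used PINs, exactly as listed in the post above.
COMMON_PINS = {"1234", "0000", "2580", "1111", "5555",
               "5683", "0852", "2222", "1212", "1998"}

def worst_case_guesses(length):
    """Number of possible all-digit PINs of this length (10^length)."""
    return 10 ** length

def check_pin(pin, personal=(), max_len=7):
    """Return a list of rule violations for a voicemail PIN.

    personal: strings such as phone number or birth date (any format).
    max_len:  longest PIN the provider allows (assumed value).
    """
    if not re.fullmatch(r"[0-9]+", pin):
        return ["not_digits"]
    problems = []
    if len(pin) < max_len:
        problems.append("too_short")          # use as many digits as allowed
    if pin in COMMON_PINS:
        problems.append("common")
    if len(set(pin)) == 1:
        problems.append("repeated_digit")     # e.g. 5555555
    # Step between neighbouring digits, modulo 10: all +1 or all -1
    # means an ascending or descending run such as 1234567 or 7654321.
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    if steps in ({1}, {9}):
        problems.append("sequence")
    for item in personal:
        digits = re.sub(r"\D", "", item)      # keep only the digits
        if len(digits) >= 4 and (pin in digits or digits in pin):
            problems.append("personal_info")
            break
    return problems

if __name__ == "__main__":
    # Constructed sample data, not real personal information.
    me = ["+1 (212) 555-0142", "1985-03-17"]
    for candidate in ["1234", "5555555", "7654321", "5550142", "8306192"]:
        print(candidate, check_pin(candidate, personal=me) or "ok")
    print("4 digits:", worst_case_guesses(4), "7 digits:", worst_case_guesses(7))
```

An empty result only means the PIN breaks none of these specific rules; it does not measure how the provider limits repeated guesses.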

5. If your phone is a smartphone, protect it as you would a PC (this is a topic for another post). This includes traditional advice such as being alert for phishing attacks, not clicking random (potentially malware-filled) links e-mailed to you, etc.

6. Turn off Bluetooth to prevent Bluesnarfing attacks.

7. Never try to access your voicemail outside the proper channels. Your phone company provides instructions on how to access your voicemail, such as calling a certain number. For example, for AT&T, you can access your voicemail by dialing 1 from your own phone.

Suppose one day, you receive a strange text message from an unknown sender telling you to call a specific number. If you call this number and you get what sounds like a voicemail prompt asking you to enter your password, hang up immediately. The number you called was probably set up specifically for the purpose of tricking you into giving away your password.
