July 08, 2011, 2:43 PM —
Hopefully this woman's cell phone company isn't letting tabloid PIs bully their way into her voice mail.
Source: REUTERS/Olivia Harris
No one endorses hacking someone else's voice mail or cell phone accounts. For an audience of geeks curious to know how it's done, though, the waterfall of coverage of the News of the World scandals skipped the most important part: how did it hack all those cell phones and how could I do that if I wanted to can I ensure none of my users are hacked that way.
[Also see: Should 'News of the World' phone hackers do jail time? and Coming soon: A new way to hack into your smartphone]
For the most part, News of the World investigators allegedly paid to access the phones didn't clone the target phones and reproduce identical spoofs, as is often portrayed in spy thrillers and almost-accurate tradecraft voice-overs on Burn Notice.
They just got the victims' PIN numbers so they could listen to v-mails stored on server-based voice mail systems owned by cell phone carriers.
NOTW and its boring hacks
News of the World did it in particularly dull ways, though.
It meant they could call government agencies, cell phone carriers and other potential sources and con them into thinking they were the celebrity being targeted so they would either be given the password or could create a new one.
The more technical approach was to have two investigators on a multiline connection call the victim's phone and, while the first investigator kept the line engaged, the other called the voice-mail line, and connected that call to the already-open line to the victim's phone so when the voice-mail system asked for the phone's unique ID, the victim's phone would give it.
That's way too boring a solution to accept though. It just makes the whole hacking scandal worse because it was accomplished in such stupid ways.
On this side of the pond our geeks are more ambitious.
Here are some ways the've been going about it – or at least talking about online without having admitted anything incriminating.
How to crack a cell phone
There are a lot of ways to get the PIN, or get through without needing it, but none require a CS degree and years hacking firewalls at NSA to build up the expertise.
It's not even hard to find the information. Searching Google for "how to hack a mobile phone" turns up a lot of solutions so simple some people appear to be trying to make the whole thing harder just to keep it interesting.
You do have to know the victim's private cell phone number and the carrier providing the service, if only to know the generic voice-mail access number to dial.
Spoof your victim's ID
The big barrier is convincing the voice-mail servers you are calling from the victim's phone. Cell-phone networks identify every phone using a 17- or 15-digit International Mobile Equipment Identity number on GSM phones or the Electronic Serial Number (ESN) on CDMA phones.
The numbers are flashed onto the phone at the time of firmware burn-in and can't be easily changed.
In the U.S. at least, the FCC requires ways to change it not be easily accessible.
You can change it by taking the chip holding the IMEI out of the phone and replacing it with another, but you'd just be changing the IMEI, not adding a different one.
Tools like this one promise to give you a different IMEI appropriate to your model of phone, but not to imprint it on the phone or discover one owned by your target.
Finding the IMEI or ESN
On most phones the ID numbers are printed inside, often under the battery. If you can get access to the phone and open it, you can get your victim's ID. Most phones will also show the ID if you hit a specific key code -- *#06#, for example.
It's also possible to intercept the data stream between a cell phone and its access point and decode it, but if you have the equipment on hand you don't need my help to figure this out.
Cell phones use radio the same way WiFi does, but on different frequencies . WiFi is 2.4GHz; cell phones operate on 850 MHz, 900 MHz, 1800 MHz and/or 1900 MHz.
You could tune a receiver to pull in the signal, but carriers encrypt cell phone traffic using their own algorithms, so cracking the encryption to unencrypt the traffic and find the IMEI sent by the phone when it first connects to tower is possible. If you're with the NSA.
Far easier is to work for a cell phone carrier or bribe someone who does or pay a service provider for your own access to the global Equipment Identity Register (EIR) database carriers use to identify all those mobile devices.
Access is normally used to track stolen phones, but that process can be reversed to find the phones you'd like to steal, or at least break in to.
The hard way
The old-fashioned telecom-engineer approach – according to a BBC story written in 2002, not long before the first wave of phone-hack scandals began at NOTW – is to spoof the victim's cell phone number and authentication data, dial in to the voice mail system, and fake your way to the v-mails.
Ways to do that vary from the nicely hands-on techy to the embarrassingly commercial.
The key is to be able to convince the voice-mail server that you are calling from the cell phone of your victim – an identification they make using the.
In 2002 the BBC described techniques requiring special cable connections and hardware for "chipping" the phone – directly changing the ID number within your phone, which would require knowing the victim's identifier as well.
Highly specialized hardware designed to analyze and, often, clone cell phones, can pick up the ID numbers and image everything on the phone at the same time.
That may be a trick, but once you have it, you could be home free.
In 2005, when Paris Hilton made news after her phone was hacked, U.S. carriers allowed customers to bypass the PIN requirement and access voice mails directly, relying on the IMEI or ESN, with no PIN necessary.
The easier way
It's not even necessary to change your phone anymore. Using any of a dozen Caller ID Spoofing services – which are designed, they say, to protect the privacy of callers, not abet invasions of privacy – you can make calls that appear to come from someone else.
Those services only change the Caller ID number that shows up on the phone, however, not the IMEI or ESN the voice-mail servers use to verify the identity of the hardware itself.
Though they resolutely refuse to talk about it in public, because IMEI spoofing is illegal in the U.S. and most other countries, experts on smartphone jailbreak forums treat changing IMEIs as only a moderately interesting configuration process.
There are a number of Java scripts and apps for both Windows and MacOS designed to change out the IMEI, often as only one of a wider range of features to root the phones, create a backup image and change out portions of the operating system.
Some emulators are able to send fake IMEI numbers to the carrier's network, even without changing the IMEI on the phone itself. They spoof by replacing a number you choose with the real one, and return the phone to normal when they're shut down.
The easiest way
There's an app for it.
In fact, there are a lot. Most are designed to test applications that have to identify multiple IMEIs, or to recover an IMEI when an attempt to root or re-flash the phone bricks it instead. Many can be used to emulate phones with other IMEIs as well.
You should realize this is illegal.
The stupidly easy way
If your victim's phone supports Bluetooth and he/she has Bluetooth turned on, you can connect to the phone directly. Once you make the link, there are any number of (also illegal) tools to pick up the phone's ID, copy the contacts or voicemails already on the phone and sometimes change the victim's password as well.
If you have a good idea what the password is, or know the victim's username and are willing to use the Change Password function on the cell phone carrier's voice-mail access page on the Web site, you can skip all the rest and just do that.
It's a lot easier to lie to one web app than it is to figure out what lie you have to tell and then tell it in the right format to your phone, a whole cell phone network and then to the voice mail server.
See? Easy. If you're into that kind of thing.
