Has your phone been hacked too?
2011 saw many explosive revelations about phone hacking allegedly perpetrated by the News Corporation tabloid, News of the World.
What is remarkable is that there has been virtually no discussion about how the technology in mobile phone networks let this happen: don't the networks have any systems in place to prevent such wide-scale abuse? Did choices in the design of the network contribute to the vulnerabilities in those systems?
With virtually everybody now having a mobile phone, and many of them smartphones, what does it mean for each of us? Can we all be so easily 'hacked' by anyone who wants to? Would you know if your employees, employer, parents or children are listening to your voicemail or reading your private email right now?
Friends and family: enriching your phone company
Voicemail systems are actually quite a profitable activity for phone companies. If you don't answer the phone, or you are on a call, the caller hears a busy tone. With a busy tone, there is no justification for them to charge any fee to the friend who tried to call you. Unless you have voicemail enabled.
Some phone companies are so driven to milk every cent out of every friend who calls you that they no longer permit you to opt out of their voicemail service. Have you noticed that if you disable the service, it comes back on again by itself within a few weeks?
In the rush to impose voicemail on everybody and to guarantee that it is working in some basic form, ready to take money from your family and friends when they call, these companies appear to have taken a few too many shortcuts.
The most obvious one, widely speculated about in relation to the British hacking allegations, is that too many British phone companies have used customers' birthdays as default PINs.
Another common example was the use of a robot voice to announce 'you have called 0792XXXXX' if you had not recorded a greeting. Of course, if your office phone was diverted to the mobile phone, this meant the phone company was effectively giving your mobile number to anyone who possessed the office number.
Do you feel these practices take your privacy very seriously?
With smartphones, voicemail is just the tip of the iceberg
The people behind these initiatives have the mentality that they know what is best for us, and that we are willing to have our privacy at risk (with potentially large consequences for us individually) so that they can make a slightly higher profit ratio on each of our phone accounts. They prevent us making our own informed decisions about whether or not we want voicemail. Sadly, that is not where the problem finishes: in reality, it is just the tip of the iceberg.
On November 12, 2011, a security researcher discovered that his smartphone running the Android operating system was pre-installed with what amounts to a 'virtual' bugging device. The malicious software is marketed by a company called Carrier IQ. It has the capability to monitor every keystroke, the location of the phone, charging status and even the content of text and email messages.
A few words from the Carrier IQ web site:
"Capture a vast array of experience data including screen transitions, button presses, service interactions and anomalies"
Just as some phone companies are responsible for brainwashing customers with an enforced screensaver, imposing an insecure voicemail service and blocking phone features (such as free internet SMS) that they don't like, these companies have decided that when we ask to buy a phone, we want bugging technology inside to help them understand us and, of course, we don't want to know they put it there. It is unlikely that they are setting out to steal email passwords from your phone (although the risk is much higher when malware like this is on the phone). All they really want, of course, is to learn more about your lifestyle and habits so that they can find more ways to sell you things. Doesn't that help you feel at ease?
In fact, the risks come from things the company executives didn't anticipate: maybe they haven't anticipated that some private detective, debt collector or rogue journalist will give a bribe to a phone company employee to get access to Carrier IQ on your phone. The News of the World revelations disclosed that it cost just £1,000 to get the Queen's mobile phone number from a less-than-trustworthy member of the Royal Protection Squad. With most phone companies outsourcing their data to low-income centres, your privacy, and your whole lifestyle, might be blown wide open for less than the price of a beer. It is already speculated that private detectives (the type of person who tries to find proof of a marital affair on behalf of your spouse, but potentially also with a goal of blackmail) have insiders working in various call centres, systematically exchanging personal data for kick-backs that far outweigh their normal salaries.
You might think that this Carrier IQ discovery is a strong reason not to use an Android phone - would you now feel safer with an iPhone perhaps? In fact, it is the open, hacker-friendly nature of the Android system that has allowed this violation to be discovered and exposed by owners of these phones. The world of Apple iPhones is much more tightly controlled, and technically adventurous users have few opportunities to inspect what is inside.
I'm sticking with my Android phone - but one of the first things I did when I received the phone was to eliminate all the software installed by the phone company, and install the alternative CyanogenMod firmware.
Shutting them out
- Completely disable voicemail - tell your friends to email you
- Tell your friends to use email or chat (e.g. Jabber) instead of SMS - there are now plenty of Jabber apps for smartphones that are convenient and free
- Almost every phone features a software image that has been 'enhanced' by your phone company. Replace it with a standard image from the phone manufacturer or an independent image such as CyanogenMod
- Start using encryption: OpenPGP is a peer-to-peer system that allows you to secure emails within your circle of friends: you can use Enigmail and similar software to make it work for you today