UK Voicemails Still Wide Open to Hacking Years After Leveson Inquiry
Lord Leveson published his report in November 2012 in the wake of the News of the World phone hacking scandal, yet mobile phone networks in the UK still leave their customers vulnerable.Reuters

Update (9pm, 24 April):

EE has issued an updated statement on this matter to say it has fixed any security breach. The full statement said:

"Thanks to Simon and The Register, for bringing this to our attention. Our engineers have worked hard since then to identify the root fault and work on a fix. We can now confirm that we have urgently updated our systems and patched the issues, raised in the article."

Original story (published at 4pm, 24 April):

The Leveson Inquiry into the culture, practices and ethics of the British press laid bare the ease with which some journalists were able to access the private and sensitive voicemails, yet over a year-and-a-half after the publication of its report, two major UK mobile phone networks are still leaving millions of their customers at risk.

New research carried out by Simon Rockman of Fuss Free Phones - and published in The Register - shows it is still incredibly easy to access the voicemails of millions of EE and Three customers without once being asked for a PIN or to answer a security question.

Using a relatively simple method, Rockman was able to spoof the mobile phone number of EE and Three customers and get direct access to their voicemails without having to input a PIN - even if the customer being attacked had one set up on their account.


EE said it was investigating the matter adding: "First and foremost it's illegal to access a voicemail account without the owner's permission. If any customer has concerns about voicemail security we would advise them to follow a few simple steps on their device and set up PIN entry."

Three's response was was to simply say the advice it has "always given customers about security is to mandate their PIN. This is particularly so for people who worry that if a phone is stolen, it might be used to access their voicemail."

While the security implications of this security flaw are obvious, there is also the potential for cybercriminals to carry out fraud.

For example, if someone left a voicemail from a premium rate phone number on your phone, then got access to your voicemail, picked up the message and returned the call, they could impose huge charges on their victims.

How it works

While Rockman has redacted the intricate details of just how he went about breaching the security of EE's and Three's voicemail security, the basic details are worryingly simple.

Mobile phone networks typically offer two ways of accessing your account. Through a short code which you use on the mobile phone associated with your phone number. This gives the user direct access to their voicemail without need to enter a PIN as the call is being made from the user's own phone.

The other way to access voicemail is using a long number which is typically used from a landline and this does normally require you to input your phone number and your PIN number.

However, using a system created by Sebastian Arcus for making voice calls over the internet (VoIP in other words), Rockman used the long number to call but spoofed the "calling line identification (CLI)" which is what the operators use to identify whether or not it is the user's phone making the call.

While Rockman's method failed on both O2 and Vodafone's systems, he was able to get direct access to people's voicemails on EE and Three. Rockman also found that at times he was able to access Orange phone numbers, though the system didn't always work.

Missed opportunity

Rockman concludes that not only is it a huge security oversight by EE and Three, he believes they are missing out on a commercial opportunity too:

"The mobile phone networks are more than missing a trick. While they complain about how the over-the-top players, such as WhatsApp and Skype, are stealing their lunch money, they do have one thing no one else can offer: complete control over the signalling and voice path. They could offer security at a level that would command a significant premium and yet they leave the door keys under the flower pot."