Last modified: Friday, August 5, 2011
CACR Fellow: AT&T’s decision to enhance voicemail privacy a win for consumers
FOR IMMEDIATE RELEASE
Aug. 5, 2011
BLOOMINGTON, Ind. -- AT&T, one of the nation's largest cellular telephone service providers, announced today (Aug. 5) that it will begin automatically enabling the voicemail password protection system on phones of every new subscriber or line added to an account.
"This is a win for consumers," said Indiana University Center for Applied Cybersecurity Research graduate fellow Chris Soghoian, who called for enhanced voicemail privacy settings in an op-ed he co-authored for The Hill last month. "Consumers should have hacker-free voicemail by default."
Chris Soghoian
Soghoian has been working with AT&T executives over the last several weeks, encouraging the company to make changes to their policy. "This is an example of a company listening and working with privacy and security researchers, resulting in a positive change for consumers," he said.
The topic of voicemail security has gained international attention in recent weeks, following revelations that private investigators -- working on behalf of several British tabloids -- were able to access voicemail messages of actors, politicians and other high-profile individuals using simple techniques.
Soghoian said it is easy to do in America, too. "Here in the U.S., our voicemail systems have different, yet easy-to-exploit security flaws," he and co-author Peter Swire wrote. "U.S. carriers do require their customers to establish PINs to authenticate access to voicemail services. Several companies, though, do not require users to enter their PINs when they are calling from their own telephone numbers."
Several programs and services allow hackers to dial into the voicemail system from what appears to be the victim's phone, bypassing the PIN check.
"'Spoofing' is trivial to perform, does not require technical skill, and takes just a few seconds using one of several popular websites," Soghoian said.
AT&T's new policy will automatically set the default voicemail setting to "password-protect" on any new subscriber or line added to an existing account, according to a statement from the company.
"This is a step in the right direction, one that will hopefully protect consumers from potential attacks," Soghoian said. "With AT&T and Verizon now requiring PINs for voicemail access, I am hopeful that the rest of the wireless industry will follow suit."
"It is inexcusable for the carriers to continue to leave their voicemail systems open to hackers as unskilled as Paris Hilton, who broke into actress Lindsay Lohan's voicemail in 2006," Soghoian said. "The scandal in the United Kingdom alone will alert 'copy cat' hackers of how easy it is to break into many Americans' voicemail. AT&T helped reduce that chance for its customers today."
Soghoian is available to comment on phone security and privacy. He can be reached at: chris@soghoian.net.
The Center for Applied Cybersecurity Research has been designated a National Center of Academic Excellence in both Information Assurance Education and Research by the National Security Agency and the Department of Homeland Security. CACR is part of the Pervasive Technology Institute at Indiana University.
