Reporting Jason DeRusha
MINNEAPOLIS (WCCO) — To be clear: I’ve never tried to hack into anyone’s cell phone. Until James Wray sent in a Good Question asking: How secure are our cell phones?
“We have high expectations of privacy with our cell phones, with our social networks accounts. And yet, they could not be more open,” said John Carney, CEO of Carney Forensics, a digital forensics firm specializing in getting data off of smart phones.
You don’t need to be a forensics expert. Some cell phone networks are vulnerable to something called “spoofing.” People can go to legal websites and place calls where the caller picks the Caller ID that’s displayed.
Some people don’t have passwords set to access their voicemail from their own phone, so by setting the caller ID, you can trick a phone into thinking it’s calling from itself, getting you into the voicemail.
Ryan Lindberg gave us permission to try to get into his voice mail.
“I saw my number calling me… completely freaked me out,” he said.
Because Lindberg has AT&T for his cell service, and he doesn’t have a password set for calling from his own phone, we were able to access his voicemail and settings.
“I thought it would take at least a little bit of software or even hardware to accomplish. So, the fact that it’s just a website is nuts,” said Lindberg.
“This is often done as a convenience to the consumer, who doesn’t want to be bothered by hitting more buttons than absolutely necessary. Often, as we increase convenience, security decreases proportionately,” said Chris Schulte, a consultant with LuciData, a Minneapolis computer forensics company.
“The more interesting situation is when someone has access to the phone and they can plant cell phone spyware on the phone,” said Carney.
Carney has seen people putting spyware on other people’s smart phones to track a cheating spouse or engage in corporate espionage. It allows hackers to hear you — even when you’re not making calls.
“Once that material is on the phone, that phone becomes a spy phone, or it becomes essentially a wiretap of whatever happens on that smart phone,” he explained. “It’s still a little troubling that can happen that easily.”
We couldn’t get into accounts with passwords using Caller ID spoofing, but a real hacker wouldn’t necessarily have such a hard time.
“People often use poor passwords, (such as 1234). If a password can easily be guessed, it is only minimally more effective than no password at all,” said Schulte.
However, even if you have a good password, you’re relying on the security procedures set by your cell phone provider.
“For example, the attacker will contact the wireless carrier’s customer service center and attempt to convince the customer service representative that they are the owner of the voicemail box. At that point, it can be quite easy to have the voicemail password reset,” Schulte explained.
The bottom line: a strong password will thwart most efforts by would-be hackers. And our smart phones are not as secure as we think they are.
“They don’t need a Ph.D. in computer science to hack these accounts,” said Carney.