back to article Reg probe bombshell: How we HACKED mobile voicemail without a PIN

Voicemail inboxes on two UK mobile networks are wide open to being hacked. An investigation by The Register has found that even after Lord Leveson's press ethics inquiry, which delved into the practice of phone hacking, some telcos are not implementing even the most basic level of security. Your humble correspondent has just …


This topic is closed for new posts.
  1. Adus

    I'm actually surprised, I wasn't aware that if you are calling from your own phone you don't need to authenticate.

    I live in Canada, and if I call my voicemail, even from my own phone, I have to enter my pin. Calling from elsewhere requires my number and pin. I don't see it as an inconvenience, it's the same concept as having a pin on your phone or a password on your laptop.

    Someone with physical possession of your phone shouldn't be able to check your voicemails with no auth.

    1. Matt 21

      Well I've never come across a system which made you enter a PIN when calling from your own phone, neither for mobile nor fixed. I've lived abroad in Europe and it was the same in the countries I lived in there.

      Simply stopping the spoofing would be a good step for me as I like the convenience of not having to enter yet another PIN.

      1. Anonymous Coward
        Anonymous Coward

        "Simply stopping the spoofing"

        Actually stopping the spoofing isn't really a solution. It can be, and is, a useful facility of telecoms that the CLI can be presented as something other than the line you are on. Also, in some cases, if you area calling from a voip system you may not actually have a line that can present something intelligible to the destination so being able to present another number is useful. This is part of telecoms equipment throughout the digital world and it isn't really viable to suddenly stop this facility.

        The problem actually arises by people/companies who should know better validating on something so inherently unvalidatable(? that a word?). They should use the ANI, not the CLI to validate, or request a PIN. A pin should be forced to be set as soon as someone gets a new account with a mobile provider.

        1. Matt 21

          Yeah, OK to be clear, I meant stopping voice mail systems from not seeing past snooping. I'm not against CLI being used for a variety of other purposes.

          1. Anonymous Coward
            Anonymous Coward

            I'm entirely against CLI being spoofed, whether that facility is "useful" or not, since that's what makes it impossible to identify and block nuisance calls.

            1. Yet Another Anonymous coward Silver badge

              re: CLI being spoofed

              >I'm entirely against CLI being spoofed

              If you aren't going to allow it to be "spoofed" - then you will need a government agency to issue official CLIs and enforce their use. A phone version of the DVLC

              And it's going to have to have international agreements so foreign calls are also correctly id-ed.

              And it's going to have to deal with Skype, VOIP, conference calls web-sms gateways etc.

              It's a little like having a law saying your reply-to email can't be "spoofed"

            2. Simon Rockman

              Why spoof

              As I explained in the article I have a perfectly valid reason for spoofing. When the call is going through a switchboard the person receiving the call wants to see the number from the subscriber who originated it not the switchboard in the middle.

              OTOH and I have come across an opposite scenario. You are not supposed to use a SKY decoder outside the UK. Sky will occasionally ask the box to ring it up so that they can check the CLI. A friend had his box in Europe and intercepted the line so that outgoing calls went to his home in the UK where he had an ISDN PABX. From there it routed the call out to Sky with his Home CLI

              1. Guus Leeuw

                Re: Why spoof

                Hi Simon,

                Sky box spoof ? I had a Sky box in the UK for nearly 7 years, and all but 1 year, it was disconnected from the phone line, because BT couldn't figure out how two incoming business lines could be packaged with a third (domestic line) so that the sky box had it's own number... Sky didn't care.. You just can't do certain things like online account checks etc, and box office movie ordering, which happen via the modem... (You can still get Box Office: Just ring Sky yourself :))

                Supposedly(!!) it would be easy to figure out where the Sky box is... Surely the comms protocol between Sky Satelite and Sky Box / Dish do something like a hand shake (How else do they deliver box office movies, after you personally called Sky, or do set top box upgrades without phone line?), and from that handshake sky should be to deduce where the machine is, should it not? (Satelites are sort of line-of-sight communication devices, aren't they?)

                Having a PABX seems to be a bit of overkill... Just remove the Sky box from the phone line, and Bob's your uncle...



        2. Alan Brown Silver badge

          "They should use the ANI, not the CLI to validate,"


          CLI is spoofable BY DESIGN. It's just a way of presenting a arbitrary message to the enduser which bears no actual relationship to the calling number other than that's the most common use.

          ANI is used to generate accounting data so the telcos have a vested interest in making sure it's accurate and unspoofable.

          Guess which one the emergency services get?

          CLI has always been spoofable from a ISDN connection, VOIP just makes it even easier.

          USA-style CLI is even easier to spoof. A burst of appropriate tones during the call will tweak most of their CLI boxes and if done as the call connects, most recipents will be none-the-wiser as it happens in the time taken for the handset to actually reach their ear.

      2. MacroRodent

        I guess depends on the carrier in Europe as well

        My provider (Elisa, in Finland) has always required the PIN, which I consider the only sane method, because just because it is my phone does not mean it is me using it.

      3. fajensen

        Bloody Telenor.SE always want the PIN - It is a pain in the ass because I have run out of storage area for PIN numbers so I cannot use their voice mail.

    2. Anonymous Coward
      Anonymous Coward

      Same in the U.S.

      I have never used a network in the U.S. that doesn't require a PIN for all voicemail access. Honestly I'm shocked that it is possible to do so in the UK or other countries in Europe. You can never guarantee that the person using a phone is the owner of the phone.

      1. fajensen

        Re: Same in the U.S.

        Honestly I'm shocked that it is possible to do so in the UK or other countries in Europe.

        Because we do not care. The majority here never use voice mail for anything; It just never caught on. Almost everyone use a mobile as their main phone so they can always see the missed calls and they use SMS instead of voice.

        For me it's a stupid misfeature and I would like to switch it off: People let the phone ring till it get to the voicemail (this happens easily because the "ring counter" starts well before the "bell" in the other end rings), then they hang up - often leaving 3-4 seconds of scratchy sounds - and then the person they dialled gets hounded by SMS's from the voicemail service for quite a while and one cannot ignore it entirely because about 1% of the callers still leave a voice message and then expect you to act on it instead of just sending an SMS, like normal people do.

        1. Danny 14

          Re: Same in the U.S.

          agreed. I have *never* used my voicemail on my phone. The main reason? They charge me to do so. If I get charged to pick up voicemail then I sure as hell aint going to use it. The message recorded is "I wont check voicemail don't leave one".

  2. Chris Miller

    Isn't this just like filtering external packets arriving at your network with a source IP address in the private ranges? It's good to know that at least Vodafone have a clue.

    1. Terry Barnes

      No, it's not at all like that.

      The same device or address (tel no in this case) can legitimately exist inside and outside your own network at different times and number portability means that any address could belong to you or could belong to another network.

      There are techniques that can be employed - but simple, static address filtering isn't one.

  3. Roger Stenning

    EE: "First and foremost it’s illegal to access a voicemail account without the owner’s permission." As if that's going to stop a hacker. Come on, how can a network be so sodding naive and/or lazy?

    As to Three. ouch. Not at all good.

    1. Pypes

      Maybe they took the RFC seriously?

    2. Guus Leeuw

      Both Three and EE fail, in my opinion for the same, or at least a very similar reason: They are hiding behind PR spin that quite simply indicates that they did not even fully understand the impact of the accusation... Or they did, but try to have a stupid answer that will satisfy most of their customer base...

      This is what happens when you do things on the cheap, like Three... Not sure about EE and doing things on the cheap, but clearly their investments aren't there where they should be...

      Just my two cents,


  4. Alister

    Sorry, what did you say Orlowski's mobile number was, again?

    Sent from my iPhone

    1. James O'Shea


      or maybe not

  5. DagMurphy

    how much time did you give them to put their house in order?

    how much time did you give them to put their house in order before posting?

    1. Phil W

      Re: how much time did you give them to put their house in order?

      Not really neccessary to give them any time. For one thing they've had since the early days of the Leveson enquiry, or even before that if you look at the advice from various bodies against relying on CLI.

      For another it's bloody obvious that doing this is stupid, it's akin to your bank giving dealing with you either in person or over the phone after simply asking for your name to prove that you are the account holder, which of course they don't hence why I don't have all your money.

      The only time it is conceivably OK not to require the PIN is when you are calling from your own mobile, and they verify it by using back end network info about the call other than CLI as O2 and Vodafone do. This would likely only work when you were calling your voicemail on your mobile and connected to your carrier's network and not while roaming ( I don't imagine El Reg tested this? ), but that seems like a fair trade off if you want the convenience of not having to press 4-6 extra keys

      Personally I have no use for voicemail on my mobile. 95%+ of the calls I receive are from other mobiles, so if I don't answer and they don't want to try again later or see if I call back, they can send me an SMS text message.

      1. The Mole

        Re: how much time did you give them to put their house in order?

        Bank's really aren't much better. I recently had to call various of my banks for travelling but had forgotten half my password information but that wasn't a question as long as I answered a set of security questions, all of which could easily be answered by anybody who had got possession of my wallet (containing cards+drivers license), a couple of the slightly 'better' ones would also have required them to have stolen my Wife's purse at the same time. Given that often both wallets will be together (possibly in the same handbag) this really the sort of security to be comparing to.

    2. silent_count

      Re: how much time did you give them to put their house in order?

      I'm all for giving people time to fix their stuff before making a vulnerability public but that's not what's happening here.

      These carriers know the security of their voice mail system is pathetic but they don't care. There's zero chance that any halfway competent carrier doesn't understand that CLI can be spoofed.

    3. flippet

      Re: how much time did you give them to put their house in order?

      I think you're confusing Investigative Journalism with Ethical Hacking.

    4. diodesign (Written by Reg staff) Silver badge

      Re: how much time did you give them to put their house in order?

      I understand we contacted the affected mobile networks last week. EE says it has now fixed the hole - a follow-up will be published shortly.


      1. Tom 13

        Re: how much time did you give them to put their house in order?

        That sounds like about 7 days more than they deserved.

        But I applaud your respect for the punters.

  6. Martin Maisey


    'We approached Three about this, and a spokesman said: "The advice we've always given customers about security is to mandate their PIN. This is particularly so for people who worry that if a phone is stolen, it might be used to access their voicemail. This advice is given under the voicemail security pages of the Three website."'

    Unfortunately, that's describing a completely different threat model from being hacked by any random person who knows your mobile number. Also, their voicemail security page says "You'll always be asked to enter your phone number and PIN if you access your voicemail from another mobile or landline phone." - which is manifestly wrong. Not impressed, good thing I'm not using them for voice at the moment.

    1. scmgre

      Re: Hmm

      You can turn pin skip off through the Ctui/IVR so even if you call from your own handset you are asked for a pin. Not many people take up this option as it is not default.

  7. Bronek Kozicki


    One thing I have learned when working on diagnostic software for mobile networks, was they do not like being treated like ordinary utility company. Complex billing structures, subsidised phones etc. play rather well with plenty of "add ons" they will be happy sell you, so what's how they view themself. Yet, there is precious nothing on offer that goes beyond utility company for your communication needs.

    And even this not being done very well.

    1. A J Stiles

      Re: haha

      Yep! If you take out a SIM-only contract with "unlimited" text messages, stick your SIM into something loike an OpenVox G400E and start sending text messages, you will soon find out just how unlimited "unlimited" really means .....

  8. A J Stiles

    Come on, it's not hard

    On the BT landline network, you are definitely only allowed to use caller IDs that belong to you. I happen to know this because we once had two ISDN30s; and due to an administrative cock-up, they were ordered in two different names. So the presentation number ranges we had paid for were effectively locked to one or other of the line groups.

    So our Asterisk was asking for what should have been a permitted ident; but if the call happened to get routed over the wrong line, then the ident got silently dropped, with the call coming through as anonymous.

    This was, as you can imagine, a 'mare to troubleshoot. It only even became obvious when we started running afoul of anonymous call barring services even despite supposedly setting an ident on every outgoing call .....

    1. Anonymous Coward
      Anonymous Coward

      Re: Come on, it's not hard

      I haven't worked in telecomms for a good few years but I remember that, in the UK at least, it was actually illegal for a subscriber to change their CLI. A Telco could do it as long as the new number was within their assigned numbers range. Whichever VoIP to POTS provider they used should have just rejected the changed cli

      1. Number6

        Re: Come on, it's not hard

        Even back to the days of DASS2 it was possible to present any number in your valid DDI range to the exchange on call set-up. If you had a 2-digit DDI in the range 00-49 then you could claim to be from any of those numbers, but if you tried to give it a number in the range 50-99 it would ignore you and default to the presentation number you'd chosen for your range. Of course, it helped that back then BT already knew what you were allowed to use and range-checked it. Interestingly, if you received a call from such a DDI number on a digital line you'd find the incoming CLI had an X in it immediately before the DDI digits, which was BT's way of informing the called party that they couldn't vouch for the digits after the X. This didn't happen with analogue CLI, although I wasn't in a position to check whether it was being sent but the CLI box (official BT one) was quietly eating the X.

      2. A J Stiles

        Re: Come on, it's not hard

        When you have an ISDN30 (thirty B-channels and a D-channel), you get 30 numbers with it; but those numbers are not locked to individual B-channels. Anyone else who dials any one of those numbers will send a call up some available B-channel, and you can identify a call going down any one of those 30 B-channels as any one of those 30 numbers.

        You change your CLI by means of D-channel messages (in Asterisk, the dialplan command is Set(CALLERID(num)=.....)), but BT will only let you identify as a number that actually belongs to you.

        I have never actually worked with ISDN2 lines, but would imagine it is at least broadly similar.

        An analogue line doesn't give you any access to the D-channel (and there is no in-band signalling anymore; it was the advent of ISDN that finally put an end to the Blue Box), so you can't change the CLI.

        1. Peter2 Silver badge

          Re: Come on, it's not hard

          With any ISDN lines channels and DDI's are seperate. I have a block of 200 DDI's delivered to my switch. To the best of my knowledge per circuit you can have 5 blocks of DDI's of any size.

          As of 2007 you could also present any number as the CLI- as part of an office move I have set:-

          1) My mobile number

          2) geographic numbers on a different exchange (ie; the new office DDI's while at the old office)

          3) non geographic numbers

          All of which presented correctly.

    2. Anonymous Coward
      Anonymous Coward

      Re: Come on, it's not hard

      BT don't allow it and I doubt any of the other major operators do.

      Be aware though that there's a difference between Presentation Number - a legitimate product, and spoofed CLI which is always illegitimate. Presentation number is used to display a switchboard or main office number on outbound calls where the 'real' CLI would be unreachable or inappropriate, but the actual CLI contained in the signalling and call record is correct and identifies the line. In a call centre, for example, direct dialing inbound to an agent is forbidden and so using the real CLI would just give a number that can't be reached. Showing the switchboard number solves the problem. Spoofing actually involves putting knowingly false data in the signalling message.

      The problem is that you only need one operator who will allow it. Since the end of Ofcom licensing anyone can set up a telco and there's little 'threat' of having your licence removed for bad behaviour, though the telcos will refuse to interconnect if you persistently misbehave.

      Spoofed CLIs often originate internationally however. They might pass through three or four or five networks before they reach the UK. Until recently BT and others treated CLIs that came from call aggregator routes as 'untrusted' and showed 'INTERNATIONAL' or 'UNAVAILABLE' in the CLI field. They'd only trust the CLI if they trusted the operator sending them the calls - a dedicated France Telecom route for example that only has 'own network' calls on it. The problem with that approach is that very few incoming international calls to the UK actually touch BT or Virgin's networks. Foreign telcos buy international routes on a spot market, calls are aggregated and eventually end up in somewhere like Paul Street in London, a private international exchange, and calls are handed to the national network. No-one, not even the aggregator, has any idea where those calls came from. They only know which network gave them the call, which almost certainly won't be the network the call originated on.

      That situation is changing and I believe there's been lots of pressure for the UK telcos to now show the CLIs where they are present - but it does mean that spoofed CLIs will have an open door. My best guess is that UK switches are now inspecting the CLI and rejecting calls from what appear to be international routes but giving a UK CLI. I don't think the mobile operators can do that though - it breaks roaming - so this may be at the heart of the problem. Any attempt at policing will cause call rejection of calls made by UK mobiles abroad on a non-home network. Making your PIN mandatory might be the only way of ensuring security.

      The current telephone signalling and addressing system was designed in an era when the telcos knew each other and trust between them was implicit. That's been blown apart but the system (CCITT SS7) can't easily be changed without upgrading every single telephone exchange in the world. All the time a single operator, anywhere in the world, allows CLI faking on an interconnect, this problem won't go away.

    3. Alan Brown Silver badge

      Re: Come on, it's not hard

      "On the BT landline network, you are definitely only allowed to use caller IDs that belong to you"

      That's a recent change. When I tested the premise that CLI was freely spoofable over ISDN in 2004 it would accept any old cruft.

      1. Mike Pellatt

        Re: CLI freely spoofable on ISDN

        Whereas that wasn't the case for me. Did you test more than one ISDN circuit ?? If not, it might have been misconfigured at the exchange (By BT ?? Shurely not !!)

  9. JetSetJim

    It's not just 3 or EE you need to badger

    Who made the HLR and Voicemail systems - I suspect they're made by someone completely different, and specced to "competitive" prices. I agree that it's shoddy by today's standards to not have these security features, but I wonder how old the current kit is and if there is budget to replace it (as, if it's quite old, chances are the firm that made it has been bought by someone else and EOL'd, so no more s/w upgrades).

    Ask 'em who provided the kit, and then go knocking on their doors. Ask them for their feature list & roadmap to find out if the operator is being tight and not paying for optional features, or needs to fork out for a new platform cos the old one won't ever get a s/w upgrade.

    I've disabled by voicemail, so no worries about hacking there :)

  10. Anonymous Coward
    Anonymous Coward

    This might not entirely be the fault of the voicemail providers.

    The originating line switch which accepted the access connection (from your VOIP line - but could as easily have been a Basic Rate ISDN or a Primary Rate PBX interface) should be marking the originating line identify as *untrusted* (user provided not screened) That is, unless it has gone through screening in which case it can become trusted.

    If the originating service provider isn't doing things properly then when the call is being passed to the voicemail provider (terminating exchange) they could be acting on the incorrectly marked fields.

    Another number to use is the Network Number. In the UK, at least, this should always be provided by the originating service provider and be trusted (public can't change it). Ideally this is the number that should be used for voicemail access/validation, where possible (but there are other complications with this).

    Either way, EE and 3 should not allow non-PIN authentication if originating CLI can't be trusted to be network screened/provided. Shame on the *Test Teams* within Three and EE for not picking up on this. O2 and Vodafone proved it can be done right, so why can't YOU?

    1. GarethB

      A voip provider unless its a very small one is highly unlikely to be using ISDN connections. Most likely they are using a SS7 interconnect so the voip provider is able to provide whatever network number and callerid they wish when placing the outbound call.

      There are services such as skype which allow a mobile number to be used as the callerid but these are always first validated. There is an ofcom guideline NICC ND1016 which states that a callerid which is set by the carrier should be correct so that a call made back to that number should reach the original caller. So whatever telco the register used for this testing was technically in breach of this regulation. They probably got permission to provide the particular number in their testing but the fact remains whichever telco is allowing other to hack voicemail using this method could get into trouble.

      1. Mike Pellatt

        "There is an ofcom guideline NICC ND1016 which states that a callerid which is set by the carrier should be correct so that a call made back to that number should reach the original caller."

        Which is of course honoured far more in the breach than the observance.

        You ever tried calling back a silent direct marketing call ?? Or one of those with a UK number that are clearly coming from a sweatshop call centre in Mumbai/Durban/etc ?

        1. Anonymous Coward
          Anonymous Coward

          "There is an ofcom guideline NICC ND1016 which states that a callerid which is set by the carrier should be correct "

          Ofcom only have jurisdiction in the UK. Most of the spoofing is happening outside of the UK.

  11. Pypes
    Thumb Up

    Nothing like a busty Welsh songstress to brighten up a technical article about the inner working of the UK phone network, for illustrative purposes of course.

  12. Dan 55 Silver badge

    "First and foremost it’s illegal to access a voicemail account without the owner’s permission."

    Doesn't mean that the teleco is not negligent in leaving the front door wide open.

    "If any customer has concerns about voicemail security we would advise them to follow a few simple steps on their device and set up PIN entry."

    That is promptly ignored by their yoghurt pot-and-string systems. The right advice would be disabling voicemail altogether until they sort it out, but that means they lose out on the incoming call revenue.

  13. ACZ

    Consumer convenience v security

    Just set up voicemail on a new mobile on EE, and it does give you the option of requiring a PIN every time you call the voicemail number, even from your own phone. It seems from the page on the 3 website linked to by the article that they have the same option.

    That said, the marketing droids could have actually given a direct answer to the question/issues raised, rather than the usual tripe that they seem to churn out.

    I guess that ultimately this might come down to the mobile phone companies providing the mass-market convenient option of not having to enter a PIN when calling from a number that appears to be your own, whilst providing the "always on" PIN requirement for those who want some security.

    CLI spoofing has been an easy option for many years, so the fact that it provides a way to get into people's voicemail doesn't surprise me. Oh well...

  14. Anonymous Coward
    Anonymous Coward

    Three: "The advice we've always given customers"

    Er, no they haven't. Just because it is buried away on a website if you wanted to specifically search for it does not mean it is advice they always give customers. That would require them stating that the device will always require a PIN unless they choose to turn it off when connecting from their own handset and then giving appropriate warnings if they do.

  15. nsld

    EE and Security, dont make me laugh

    I left Orange as it was a few years ago and one of the reasons was the call centre droid telling me my full password which was visible to him and stored in plain text along with all my bank details etc etc.

    Orange/EE have been aware of the CLI spoofing flaw for years and have done nothing about it, this is not a new revelation but they won't do anything about it as that would involve investment.

    Useless bunch

  16. Preston Crow

    Google Voice Lite

    At least in the US, you don't have to use the voice mail provided by your carrier. I've set mine to use Google Voice Lite (essentially just the voice mail part of Google Voice). This gives me free speech-to-text, which Verizon decided to charge extra for. It also means that it's protected by my Google password (which my phone app has saved, so I'm out of luck if I lose my phone). Good luck hacking it without guessing my password.

    Unfortunately, Google Voice is only available in the USA right now, so you need to find some similar service elsewhere. (I hope they'll expand it, but they seem to be instead cutting it back and integrating it with Hangouts, much to the dismay of those who use an adapter to get free home phone service through them.)

  17. Andy Hards

    My voicemail

    If anyone wants to hear Flo down the road grumbling that she wants me to get her a pint of milk then they are welcome to that. The only other voicemail I get is from my missus asking where the fuh I am. The Sunday Sun are welcome to it too

  18. Timo

    VM PIN vs CLI

    The idea of using the incoming IMEI and/or billing number ID will be hard to do. Yes those numbers are presented to the mobile operator network, but into a much different part of the network (billing system vs. call processing), and at a much different stage of the call setup. CLI may be handled in real-time, while billing records are not exactly handled in real-time.

    The network has to allow you to dial in from remotely for the cases when you are roaming and your call to yourself would come in from outside the operator. This seems to be a convention the GSM-based carriers have arranged, as others have stated there are many networks where PIN is mandatory for every access.

    About the only solution that I could see happening quickly is that if you are authenticated on the network (like home network, or home operator) that you could get straight into your voicemail. The other cases where the call comes from outside the network, would require a PIN for voicemail access. (Conceptuallly very similar to port tagging on the inbound trunks.) This will create lots of fun and confusion for all of the people (me included) who set a VM PIN years ago, but then find they can't get into their voicemail from the road the first time after this is enabled.

    1. georgied

      Re: VM PIN vs CLI

      The quick fix is to always require a PIN.

      In the longer term, EAP-SIM is the way to go. Authentication is tied to the sim card, so will allow device swapping and should be significantly harder to spoof.

      It's already being extensively developed as a means to auto authenticate to wifi hot spots, to try and offload data from the mobile networks.

  19. DropBear

    Well, my voicemail is certainly unhackable - I don't have one. I immediately turned it off (as basically does everyone else I know) simply because leaving it on is widely considered extremely bad form around here since it costs a caller money once the voicemail picks up, even though the call was practically a bust. We don't really see any point in leaving a message if the called party is not reachable; by the time he/she gets it, the point will likely be moot. If not, the missed call indication is generally enough and therefore a call-back is expected anyway.

    1. Alan Brown Silver badge

      Some telcos won't let you disable voicemail

      Telcos get paid for terminating calls - and voicemail counts as termination. If you're a minnow there's a strong incentive to keep the termination rates high (and some wnd up being bullied into high termination percentages by the incumbents or face penalties)

      One of the more inequitable parts of interconnect agreements is when the incumbent forces the newcomer to pay wildy high rates whilst refusing to pay for calls into the newcomer. This has happened in a lot of countries.

      1. Terry Barnes

        Re: Some telcos won't let you disable voicemail

        "Telcos get paid for terminating calls - and voicemail counts as termination. If you're a minnow there's a strong incentive to keep the termination rates high (and some wnd up being bullied into high termination percentages by the incumbents or face penalties)"

        But, but, but... They don't get paid for terminating calls generated on their own network by their own subscribers and carried across their own network.

  20. Trollslayer


    Glad I'm on Vodafone.

    1. Anonymous Coward
      Anonymous Coward

      Re: Phew

      Enjoy your overpriced bills

  21. petef

    Here's Bruce Schneier in 2006:

    "It's also easy to break into a cell phone voice mailbox using spoofing, because many systems are set to automatically grant entry to calls from the owner of the account. Stopping that requires setting a PIN code or password for the mailbox."

  22. Joe 3

    Kafkaesque nonsense from Three and EE

    So you presented evidence to them that it's possible to access other people's voicemail without a PIN...

    ...and their reply is "we tell customers to set up a PIN."

    Have they even understood what you've just told them? Or is it a case of heads-in-the-sand?

    1. Terry Barnes

      Re: Kafkaesque nonsense from Three and EE

      No, you're misunderstanding. It's possible to set up the account so that a PIN is required in every case, even from your own phone. That's what they're advising.

  23. Feival

    Switch to Hullomail

    I use Hullomail. Secure and effective. I am a customer and not an employee before anyone asks! The beauty is it pushes the messages to your phone using a data connection and if you pay £6 a year it forwards them to your email. If you do choose to dial in you must provide a PIN.

    1. Anonymous Coward
      Anonymous Coward

      Re: Switch to Hullomail

      +1 for Hullomail or any other visual voicemail provider. So far as I know, the only network it doesn't work with is Virgin Mobile - they do not allow the call forwarding required.

      Visual voicemail is actually usable, unlike regular voice mail.

  24. Chad H.

    How do those conversations with the mobile network go?

    Is it something like this:

    El Reg: Hey PhoneCoPR we found a security hole in your voicemail system that lets us listen to anyones voicemail even if they set a pin

    Phoneco: Oh, its you from that techynerd site. Well, our custoemrs are safe as long as they set a pin

    El Reg: Thats the thing, we can do it without a pin

    Phoneco: so they should set a pin

    El Reg: Did you want to give a staetment that actually makes you look inteligent?

    1. Mage Silver badge

      Re: How do those conversations with the mobile network go?

      I'm sure that's Three.

    2. Terry Barnes

      Re: How do those conversations with the mobile network go?

      You misread it. The networks are telling you to change the account settings to require a PIN when you call in from your own phone. That appears to be off by default.

  25. Mage Silver badge
    Thumb Up

    Not surprised

    Many companies will not even interview older experienced people. Too much is outsourced or implemented by inexperienced fresh graduates or work experience or people qualified in a different field.

    I'd have been especially surprised if Three had it right. They only know how to Sell and Market.

    Where are the regulators? Soft touch?

    If a network isn't doing their engineering responsibly they should lose their licence. The consumer is lucky if the Regulators even slap a wrist lightly.

  26. Anonymous Coward
    Anonymous Coward

    The level of ignorance... the Telcos of their own systems is astounding. I think it has a lot of to with the global game of chasing down salaries and outsourcing of their most competent techs....

  27. JaitcH

    It's comforting to know that IMEI is used ...

    by GCHQ and NSA to verify handsets. That's no doubt the reason why the law in the UK is stiff on changing it whilst elsewhere it's not even a consideration.

    It seems that they don't verify whether or not an IMEI is correct for the type of handset it is purportedly on, though. IMEI number assignments are issued in blocks to manufacturers.

    Changing the IMEI is a breeze, the only hassle is to make sure if you are roaming, make sure that the home Cellco knows the latest IMEI which simply requires a visit to a service centre - occasionally it can be done through a call.

  28. Anonymous Coward
    Anonymous Coward

    VOIP is the problem

    This is the tip of the iceberg. Analogue phone networks are pretty secure, but once you add VOIP you are open to any sort of hacking in the same may as any email can be hacked. I believe the US is in the process of converting its entire wired phone network to an open VOIP system, unlike the UK where at the moment BT's 21CN core is IP, but not externally visible as such . This will cause chaos.

  29. Calamity

    Need help to verify this

    I have been trying this using the method outlined in the article - i cannot hack into my own EE voicemail box or that of my colleague. Just tried it with a couple of Orange mailboxes - same result, i cannot get in..

    Has anyone tested this for themselves - would be interested in hearing if it actually works... What am i doing wrong? Should SpoofCard ap work?

    1. diodesign (Written by Reg staff) Silver badge

      Re: Need help to verify this

      Exploiting Orange has patchy results, and I don't know when you tried with EE, but by yesterday evening the mobe network had patched the bug. See a follow-up due to be published this morning.


  30. This post has been deleted by its author

  31. monkeyfish


    Do the same security holes or lack of exist in the virtual networks? I.e. is giffgaff ok because it's on O2?

  32. DaddyHoggy

    I Tweeted @ThreeUK and linked to this article.

    They linked back to their standard "Setting up a PIN" page.

    I have pointed out that this article shows PIN is bypassed.

    Fecking idiots.


    ThreeUK: @DaddyHoggy We offer the following advice to anyone who is concerned about security:

    Original Message:

  33. Chris Wicks 1

    Actually, that Three link isn't very useful...

    Decided off the back of the article to set my 3 voicemail to always request PIN.

    Turns out they have two things which can be configured separately:

    - "Fast login" uses caller ID (presumably the insecure CLI described in the article) to auto-recognise you;

    - "PIN skip" gives you the option to request the PIN if you've been auto-recognised.

    By default, both of these are on so you go straight through (even when roaming).

    I've now turned off PIN skip, so at least I still get auto-recognised - hopefully a balance of security and convenience.

  34. Anonymous Coward
    Anonymous Coward


    Wait... An El Reg staffer -- a staffer named Simon, of all things:

    - made a bet

    - of a technical nature

    - with a co-worker

    - involving a technical topic

    - in a pub

    And he didn't wager at least a few pints, a few quid, or a shift on the helldesk? Come on!

  35. Mookster

    Don't you mean the "A" number?

    Can't you just call a spade a spade? What you did is A-number spoofing. CLI is a bit different...

    (your old-person call-center redirect example just about shows it)

  36. Alistair Dabbs

    Almost on sidebar of shame (but not quite)

    Well done, you're on the front page of Daily Mail online:

    1. diodesign (Written by Reg staff) Silver badge

      Re: Almost on sidebar of shame (but not quite)

      *updates CV*


  37. h3

    I knew that is how it worked. I just thought that it had been fixed by now.

    The networks should have had the liability due to the measures being so insufficient.

  38. Anonymous Coward
    Anonymous Coward

    It sounds like

    It's all gone to POTS

  39. F0rdPrefect

    So O2 have got it right have they?

    How come every 2 or 3 months I suddenly find that they have removed my PIN from my voicemail?

    Sometimes I get a text telling me I have a message and all the message is, is O2 telling me to set my PIN because I haven't. But I first set it when I had an analogue phone and I am still with the same provider, sort of as I started with BT Cellnet. And every time they tell me I haven't set it, I do.

    So I set a PIN and then a bit later they remove it.


    1. Simon Rockman

      No one has got it really right. The Vodafone system is the most secure, but it's a pain to have to enter your PIN when you are on your mobile and roaming to a network that doesn't have CAMEL.


This topic is closed for new posts.

Other stories you might like