The Phone Hacking Scandal is Probably the Tip of an Iceberg

Robert Peston muses on the latest developments in the Murdoch phone hacking scandal.

The interesting thing about this scandal is that it very much looks like a case of the stupid being caught and the more deviously clever getting away, as is so often the case.

From what I've read, it appears that (most of?) the phone 'hacks' consisted of journalists getting into celebrities' mobile voice mail because the owners had never changed the default PIN on the voice mail service.

Mobile phone providers generally offer a remote-access feature: ring a mobile number, get put through to voice mail (for example because the owner doesn't answer), and you can not only leave a message but also listen to the stored messages if you know the PIN. A default PIN is typically the same for every customer on that network, or trivially guessable, so leaving it in place is rather like leaving your front door unlocked. Yes, the mobile phone companies should do more to make customers change it, for instance by refusing remote access until it has been changed, or by locking the mailbox after a few wrong guesses. Yes, it's unethical and quite possibly criminal to take advantage of someone who doesn't know what they're doing. Yes, it's foolish not to read the manual and secure your voice mail.
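To make the point concrete, here is a toy model of the voice mail PIN gate, with the weak setup (factory PIN, unlimited guesses from an outside line) beside a hardened one (factory PIN refused remotely until changed from the handset, lockout after three failures). This is an added illustration, not code from the original post or from any carrier; the default PIN value, the lockout threshold and the guess list are constructed assumptions.

```python
"""Toy model of a voice mail PIN check: weak configuration beside a hardened one.

Added example with constructed data. ASSUMED_DEFAULT_PIN, the lockout
threshold of 3 and the 'must change from the handset' rule are assumptions,
not any real network's actual configuration.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

ASSUMED_DEFAULT_PIN = "1234"  # assumption: a network-wide factory default


@dataclass
class Mailbox:
    pin: str
    pin_is_default: bool
    max_failures: Optional[int]    # None means unlimited guesses (weak)
    block_default_remotely: bool   # hardened: factory PIN only works from the handset
    failures: int = 0
    locked: bool = False

    def remote_login(self, attempt: str) -> bool:
        """One PIN attempt from an outside line, the route the press used."""
        if self.locked:
            return False
        still_default = self.block_default_remotely and self.pin_is_default
        if attempt == self.pin and not still_default:
            self.failures = 0
            return True
        # Wrong PIN, or the factory PIN being used remotely: count it as a failure.
        self.failures += 1
        if self.max_failures is not None and self.failures >= self.max_failures:
            self.locked = True
        return False

    def change_pin(self, new_pin: str) -> None:
        """Done from the handset; clears the default flag and any lockout."""
        self.pin = new_pin
        self.pin_is_default = False
        self.failures = 0
        self.locked = False


def weak_mailbox() -> Mailbox:
    """Factory PIN, no lockout, no restriction on remote use of the default."""
    return Mailbox(ASSUMED_DEFAULT_PIN, True, None, False)


def hardened_mailbox() -> Mailbox:
    """Factory PIN, lockout after 3 failures, default refused from outside lines."""
    return Mailbox(ASSUMED_DEFAULT_PIN, True, 3, True)


def attacker_pins() -> Iterable[str]:
    """Constructed guess list: a few common defaults, then the whole 4-digit space."""
    common = ["1234", "0000", "1111", "3333", "4444"]
    seen = set(common)
    yield from common
    for i in range(10000):
        p = f"{i:04d}"
        if p not in seen:
            yield p


def guess(box: Mailbox, candidates: Iterable[str]) -> Optional[int]:
    """Try PINs in order; return the attempt count on success, None if locked out or exhausted."""
    for n, pin in enumerate(candidates, start=1):
        if box.remote_login(pin):
            return n
        if box.locked:
            return None
    return None


if __name__ == "__main__":
    print("weak, default PIN:", guess(weak_mailbox(), attacker_pins()))
    print("hardened, default PIN:", guess(hardened_mailbox(), attacker_pins()))
    h = hardened_mailbox()
    h.change_pin("8251")
    print("hardened, chosen PIN:", guess(h, attacker_pins()))
    w = weak_mailbox()
    w.change_pin("8251")
    print("weak, chosen PIN, no lockout:", guess(w, attacker_pins()))
```

The weak mailbox falls on the first guess; the hardened one locks after three, whether or not the PIN is still the factory one. Note the last case: even a changed PIN is only a matter of time against a service that never throttles, which is why the lockout matters as much as the PIN change.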

My reason for highlighting the stupidity of the celebs for not changing their PINs is not to ridicule them (who hasn't made a mistake of this sort at some point?) but to point out that the simplicity of this so-called hack means it is easy to do, and also easy to track down and catch. The unstated corollary is that there are probably much more sophisticated hacks currently undetected and unreported.

On a 'social engineering' level, it would be somewhat surprising if there wasn't some bribery or blackmail going on within the lower-paid sections of major communications companies, such as Virgin or BT. As hubs for telephone and internet traffic, they'd be obvious and valuable targets, and the staff who have access to the recordings, logs and traffic probably aren't paid enough for all of them to resist bribery, nor vetted thoroughly enough to resist blackmail. If that sounds far-fetched, then perhaps you didn't read the recent news stories about phone banking call centre staff selling information about their clients in their lunch breaks. I'll add a link if I can find it again.*

On a technical level, computer software has become so complex that securing it has become almost impossible. Every month, Microsoft releases software updates that close security holes. They do that because someone has brought a security problem to their attention, sometimes directly, sometimes by publishing the exploit on a website or forum, sometimes because a virus that exploits the hole has become so widespread that it can't fail to be noticed. So between the hole becoming known and the fix being released and installed, there is potentially an entire month where it is open on every Windows PC in the world. In many cases the problem may have been known for a long time among a select group of hackers and only recently surfaced in the public domain, at which point it gets fixed. By then the damage is done, and the compromised machines will probably stay compromised until they are reinstalled.

An unethical journalist would no doubt be prepared to pay decent money to a hacker who wrote a program that quietly exploited a weakness nobody else knew about (a 'zero-day', without the viral-spreading properties that tend to get such things noticed). From there, all it would take is an email sent to the target, or even a link posted to a social media website that the target is known to frequent, like Facebook or Reddit (both have been used to spread viruses in the past).

Even technically astute targets wouldn't be safe. Firewalls are useless if the infection arrives over a route you have to allow anyway, such as web browsing or email. Antivirus software is generally useless if the virus is completely new. Caution and paranoia are only somewhat useful if the exploit takes advantage of a relatively trusted file format that people open without a second thought, such as PDF.

I suspect these phone hacking cases are the obvious tip of a deeply submerged iceberg.

*Edit 18.05.2013:

I can't seem to find that news story anywhere - it seems to have dropped off the face of the internet. However, on 14 May 2012 Channel 4 aired a quite disturbing edition of its Dispatches programme, Watching the Detectives, which revealed just how easy it is for the press to get hold of personal data from any number of sources, including the DWP, the NHS, phone companies and more.