Recently there was an explosive news story about Rupert Murdoch’s worldwide press interests and something generally called "phone hacking." According to that story, Murdoch's employees hacked into the phones of various people in the news to try to gather information about them that would not otherwise have been available to members of the press. The most egregious hacks happened at the British tabloid newspaper News of the World (NOTW), and in the aftermath of the story Murdoch decided to shut the newspaper down. Repercussions were felt all over the world, because Murdoch's press interests spread from the UK to the US (for example, the Fox TV network and the Wall Street Journal) and even to Australia (he owns several newspapers there).
In our book The Dark Side of Software Engineering, one of the subjects that we cover in depth is Hacking, which we define in the book as "getting illegitimate access to computer systems and data." It is a bit of a stretch to include phone hacking as a topic of discussion in this Dark Side blog, because in our book we speak only of computer hacking, but because of the recent and heavy attention given to phone hacking, we would like to make a few comments here about it.
Phone Hacking Incident
The British police discovered evidence, as we said above, that NOTW had accessed telephones by hacking into their voicemail. In July 2011, these events cumulated in Murdoch closing NOTW.
From a technical point of view, "hacking into the mailbox” is too strong an expression for what happened.
Let's first recall what is necessary for you to do to control the mailbox of your own cell phone. You have to dial a number that is composed of a prefix and your cell phone number. Notice that you can dial this number from any phone in the world -- not just from your cell phone. Then you have to key in a four digit PIN code. That's all. Having done that, you can listen to messages, delete messages, and do everything necessary to control your mailbox. Isn't it really user-friendly?
What are the obstacles for the attacker?
The above-mentioned prefix is the same for all phones of a certain company (at least in a certain geographical region). Once the phone number of the targeted victim is known, it should be easy for an attacker to figure out which number he or she has to dial to arrive at the mailbox.
Then the attacker has to know the PIN code. This may or may not be an obstacle -- depending on whether the victim has changed the PIN or not. Plenty of people have stayed with the default PIN 0000 all their lives. Meanwhile, phone companies have changed their security policies, so new users are obliged to pick a PIN before they can use the mailbox. This practice makes the mailbox technology slightly more secure. However, many users still pick a PIN that is easy to guess -- such as 1234 or a regular pattern on the keypad such as 2580. So, in many cases hacking into a mailbox is trivially easy once the attacker knows the phone number of the victim.
Finding out the phone number of celebrities might be quite difficult -- for example, if the attacker wants the private phone number of Barrack Obama or Queen Elizabeth. But beside these few very protected phone numbers, any experienced journalist working for a big newspaper could likely find a way to get access to a phone number he or she wants to know.
Summarizing these facts: this "hacking" into mailboxes did not require much technical knowledge beyond the "skills" necessary for using a telephone.
In addition to voicemail hacking, NOTW journalists applied another interception technology: pinging. The term "pinging" is used in telecommunication jargon for identifying the position of a cell phone. The technology behind it is rather easy: the signal of a cell phone is received by multiple antennas -- the antennas in the geographical region where the cell phone is. These antennas receive the signal in different amplitudes, depending on the distance between the antenna and the cell phone. Based on the strength of the signals, the position of the cell phone can be computed with surprising precision -- frequently within a few steps.
This data is available in the computers of the phone provider on a routine basis, and nothing is wrong or illegal with it. The key is that only law enforcement authorities are allowed to use this information.
In the context of the phone hacking scandal, this data became important because NOTW journalists found a way to access this data by illegitimate means. In this way, they could find out where a given person is right now. More precisely, they could find out where the person's cell phone is -- but this is usually enough.
Extent of the incident
In the beginning of the scandal, we knew about a few isolated cases. A few weeks later the news reported on hundreds of cases. NOTW had a real infrastructure in place -- including private investigators who provided the journalists with technological tricks and the phone numbers of future victims. Did NOTW use phone hacking on a routine basis?
Sean Hoare, a whistle-blowing insider, told The New York Times this hacking was far more extensive than the paper acknowledged when police first investigated hacking claims. Sadly, Sean was found dead a few days later.
In the aftermath of the events, a lot has been written about irresponsible journalists and careless users. The interested reader might find in-depth articles by searching Google news for keywords such as "Murdoch phone hacking."
In this blog, however, we want to raise two other questions from this incident.
Do we care?
All of us who followed the news about this incident know that our current way of using mailboxes is extremely insecure. But did we change the PIN of our mailboxes? By the way: would you even know how to change the PIN of your mailbox? Has this problem of your (probably insecure) mailbox been something that made you feel uncomfortable, something that should be resolved urgently? Most likely the answer is: no, not really.
This reaction is very typical for the entire field of computer security: we know that our systems are not secure, we know we ought not to reuse passwords across applications, we know that we ought to update to the latest versions of all installed software at least once a week. We know all these things -- but we don't care.
Somehow the situation reminds one of the American Old West: life there was insecure and everyone knew it. However, access to the land and the resources there justified assuming the risks, and protecting against all possible discomfort and hazards of the Old West would have disrupted life there too much.
Was this the first and only case of voicemail hacking?
We can’t know (yet). Let’s look for a moment at things from a pessimistic point of view. As mentioned already, from a technological point of view it is anything but difficult to "hack" into a mailbox. Everyone who has ever accessed his own mailbox from a fixed line abroad already knows the necessary steps. So it is quite obvious that there might have been persons who tried to access the mailbox of someone else in the same way they access their own mailbox, just by replacing their own phone number with the phone number of the targeted victim.
We all know that there are curious and unfair persons out there. And it's easy to imagine that some journalists or disloyal business people might have failed to resist the temptation of sneaking into others' mailboxes.
The phone hacking incident is like finding two undesirable creatures on the steps down into the cellar. This fact of finding two creatures does not mean that you have two creatures in the house; it means that you may have 2000 creatures.
News of the World applied phone hacking in the context of the criminal case of a kidnapped girl. This case received a lot of coverage in British media and was heavily researched by police. In addition, NOTW not only listened to messages in the mailbox but left traces by deleting some of the messages. These facts might add to the reasons why the incident came out at all.
There might be many more cases of phone hacking -- another "2000 creatures" from the analogy above -- which we haven't seen and might never see.
A Larger Issue?
Rupert Murdoch is controversial not just because of the phone hacking episodes. His newspapers and TV outlets are often regarded as heavily biased purveyors of political viewpoints rather than news outlets. The Fox TV channels, for example, are rabidly conservative in their US outlook, and "news" reported there may not match news coverage of the same events by less biased media outlets. The same is true of the Murdoch-owned Australian newspaper, which switched from legitimate news coverage to conservative political side-taking almost immediately after Murdoch took it over several years ago.
It is interesting to speculate which is the worst offence: phone hacking or biased news reporting. The phone hacking episodes, of course, became a primary focus of world attention, caused the firing or resignation of several key Murdoch employees, and were even the cause of parliamentary inquiries in the UK. But there has been no investigation of the biased political reporting -- even though there have been hints of it in Australia -- since (a) the political side Murdoch seems to favor defends his actions vigorously, and (b) members of the press generally take the position that making Murdoch change his approach to journalism would be a violation of Freedom of the Press (his actions are, of course, a violation of journalistic ethics, which say that politically biased stories should not be on the news pages, only on the editorial pages).
Could manipulating the opinions of the people be a more serious breach of social responsibility and perhaps the law than phone hacking? The former eventually affects the direction a nation may take, whereas the latter, though devastating to those hacked, only affects the people involved. But it is so far evident that neither the political system nor the legal system, in any of the countries involved, will address the biased news issue.