Patching is too important to be neglected

Always keen for a good story, particularly one involving the Royal Family, the press recently jumped on claims that certain royals had been subject to a spate of eavesdropping of their mobile phone conversations.

It's nothing new; we had the Princess of Wales's romantic conversations plastered across the tabloids. But that was in the days of analogue mobile phones, when a trip to the electronics shop would provide the necessary gadgets. In this age of digital systems, mobile phone tapping is more newsworthy.

On reading the story, I reacted with scepticism. While off-the-shelf systems for tapping digital mobiles exist (nice briefcase-sized devices that pretend to be mobile phone network "cells", for example), they are outside the typical muckraker's budget. The encryption algorithm is also crackable with readily available hardware and software, but not without significant technical effort. There must be more to it, I thought.

My scepticism was rewarded when it was revealed that it wasn't the calls that had been tapped, but voicemail messages. This is a far simpler operation, as voicemail systems are typically protected only by a short PIN, if at all. If a nosy reporter carefully accesses only "read" messages, the legitimate user is none the wiser.

Not to be outdone by the computer security community's insistence on polluting the vocabulary, the tabloids even have their own delightful phrase for this: "screwing" the mailbox. At least they didn't pick something beginning with "ph".

It isn't the first case of "second line" telephone services being attacked like this. The attractive but technologically naive Paris Hilton had pictures stolen from her mobile phone (actually, from the host website). She made the mistake of using her dog's name as the "secret question" for her account; a poor choice when said dog is also a celebrity (note to Ms Hilton: I waive my normal security consultancy fees for attractive female socialites).

In security terms, it is an example of the need for universality of protection. Sensitive information should receive an equal level of protection at all stages, whether in transmission through the air or at rest in a voicemail system.

In the same way that software vendors are learning the lesson about dumb default configurations, phone companies ought to assign random PINs to consumers rather than rely on them to choose one. Celebrity users of voicemail also need to learn not to leave messages they don't want to read in the next day's newspaper.