
back to article It woz the Reg wot won it: UK mobe network EE fixes voicemail hack flaw

Since we alerted EE to the security flaw in its voicemail system that allowed us to access the messages of anti-terrorism bods, the mobile telco has been working to close the hole. As we explained in our original article, the vulnerability was only exploitable through certain routes, and we disclosed the problem to EE ahead of …

COMMENTS

This topic is closed for new posts.
Thumb Up

Huzzah! A victory for common sense!

It's nice to see that El Reg has the pulling power to get a large company to fix stuff, rather than be dismissed as "some niche website"

It's good to see that we are now a step closer to having such impersonation attacks closed off.

(Actually posted by Simon, spoofing this random user's account)

16
0

Re: Huzzah! A victory for common sense!

Agree it's good the register article got someone to do something sensible... but... the thought of the reg with power -- shudders.

Remember Reg, great power great yada yada yada

0
0
Silver badge

Well done Simon

Kudos for getting something done in the security chaos arena.

Every little bit helps.

3
0
Silver badge
WTF?

Three's voicemail settings are odd

Following their instructions to toggle the "fast login" setting just now, the voicemail system then said that fast login was now switched off; implying it had been switched on in the first place (which it hadn't!). Toggling it again does seem to have changed it now, though, so thanks to El Reg! Confusing, though, Three.

0
0

This post has been deleted by its author

Anonymous Coward

Can you talk to O2 as well?

Maybe they fixed it, but whilst O2 tells you that you can set a 4..8 digit PIN on your PAYG voicemail, it will actually only accept a 4 digit one..

0
1
Bronze badge

Re: Can you talk to O2 as well?

Odd, every time I use my O2 voicemail it tells me to set a pin (Which I have already done a million times) so I know it states enter a 4 digit pin.

0
0
Bronze badge

The $64K question...

Who is - or should be - responsible for identifying potential flaws, checking if they exist, and ensuring they get fixed if they do?

Too often it seems discovery of serious flaws and vulnerabilities is down to individuals who risk breaking the law when it comes to checking their theories, and it's only fear of an outraged torch and pitchfork wielding mob which gets things fixed.

That's always available as the path of last resort but there must be something better we could have so we aren't dependent upon that. Not sure what that would be though.

5
0
Silver badge

Re: The $64K question...

That's assuming that a company actually wants to check for flaws and do something about it...

Because fixing it would cost money... and that's why many companies are so reluctant to do anything unless forced by public outcry...

4
0
Silver badge

Re: The $64K question...

Surely companies the size of EE and 3 have internal audits. If loose security allows voicemails to be hacked I wouldn't wonder that lawsuits could follow.

3
0
Silver badge

Re: The $64K question...

Internal audits are controlled by internal managers who don't want to rock the boat and who want to 'get along'. An external audit by a company with experience in the field would be the best kind of audit.

0
0
Anonymous Coward

Re: The $64K question...

You assume that the mobile companies are resourced adequately to spend time on security audits and reviews. In reality, many of their technical teams have been cut back to the bare minimum and are too busy rushing around fire-fighting.

I assume that the Voicemail teams have known about this problem for ages, but haven't been able to justify a fix to the bean-counters. Now that El Reg have highlighted the problem, then magically the money will have been made available to fix it...

0
0
Silver badge

Re: The $64K question...

"Who is - or should be - responsible for identifying potential flaws, checking if they exist, and ensuring they get fixed if they do?"

Well, companies have to turn a profit on limited resources, so do what is required to avoid scandal or breaking the law. Anything else is a bonus.

It's not the government's job to oversee private business, shoulder some of their running costs and help them make more cash, either.

There are allegedly watchdogs and ombudsmen, but they are underfunded and have no teeth or real powers of enforcement: Pretty much worthless bureaucracies.

To a degree, it's in the customer's best interests to be aware and abreast of issues and to vote with their feet if security is poor.

Ideally a free, active and informed Press is the best defence: They inform us of risk, which then spreads word and hits the industry's pockets via consumer uproar if things get too shoddy, or potentially triggers government or police action if laws are broken or need amending. They perform quality investigative reporting to find such stories and report them in a useful and informative way to educate all parties (state, businesses and customers).

Investigative reporting is a priceless thing in our society and a fantastic use of media. It's such a shame that it doesn't sell advertising and copies so well as click-bait sensationalist stories, trolling opinion pieces and soapy-hand-job self-affirming articles to tell us that our opinion on immigration/whatever is absolutely correct because the writer agrees with us and made some figures up to tell us so.

I mourn the scarcity of good journalism.

(The Guardian used to be well ahead of the field when it came to important investigative articles. Sadly, it now seems happy to reap in readers by being the Extreme Liberal Opinion Click-Bait Daily. I'd comment about the Mail's decline, but it was always a bunch of extremist, hateful xenophobic bullshit, so no loss there)

3
0
Silver badge

I've seen this story on a number of websites. Nice to see them giving el reg its due.

1
0
Rob
Bronze badge

@El Reg

You said you notified them before publishing the article, what time frames are we talking? I was just wondering whether it was a good month in advance of the current date which would correlate with the outage on their network which you also reported on?

0
0
Silver badge

How are anti-terror police supposed to listen to my voice mail now?

I'm going to have to start getting people to leave me messages on Viber.

0
0
Thumb Up

Top job El Reg :)

Now only if Three UK would listen and fix, then all the messages from my users asking for password resets on a Saturday night will finally be safe!

0
0
Silver badge

Voicemail Sucks

Can voicemail be turned off completely? It seems to be a tool by which elderly relatives can leave rambling messages that effectively mean 'phone me back'. The same information is imparted by the phone notifying you of a missed call.

0
0

Re: Voicemail Sucks

"Can voicemail be turned off completely?"

I don't know about other networks, but it can be disabled on Vodafone and O2

Vodafone: 1210 to disable, 1211 to enable.

O2: 1760 to disable, 1750 to enable.

0
0

Three don't even understand they have a problem!

I forwarded the original article to 3 support and to start with they couldn't (weren't allowed to!) open ElReg. Then I sent them .pdf prints of the articles and they couldn't open them so in the end I had to paste the words into an email!!

They wanted to know if I personally had seen the problem, and I had to admit I hadn't - but that I trusted that ElReg really had - but they wanted to know if the problem still existed...

So... any chance of a retest? I'm assuming that if they haven't changed anything, it'll still exist...

hey ho...

0
0
RML
Megaphone

Where can I get the mugs from?

I am after a new mug, since some mug cracked mine.

0
0