The cellular service provider's default phone settings could allow attackers to access a victim's voice mail.
Staff Writer, CNET News.com
A convenient voice mail feature has likely opened up many T-Mobile subscribers' voice mail boxes to anyone armed with a simple hack, the embattled cellular service provider acknowledged Thursday.
The attack, publicized by wireless security company Flexilis, could be used to download a person's voice messages or take control of the victim's voice mail functions, provided the attacker knew the subscriber's phone number.
"The attacker would be able to listen to the victim's voice mail, record the voice mail to a file on a remote server, and also make calls out from the system posing at the victim," said John Hering, director of business development for Flexilis. "This can all be done from a public pay phone, which is extremely difficult to trace."
While Flexilis did not give details of the flaws, at least one Internet site has pointed out that T-Mobile's voice mail system can be accessed by anyone who uses a service to spoof caller ID. T-Mobile acknowledged the problem, but said that the solution is simple: Users should set their voice mail to require passwords.
"By default, customers are not required to put a password on their voice mail," said spokesman Bryan Zidar. "If you enable the password protection, it solves the problem."
Zidar said the issue has no relation to the high-profile privacy hits suffered by Paris Hilton and other celebrities or to a previous incident, in which an online intruder had access to the mobile phone system. T-Mobile is still investigating that case and has not released details of how the information was stolen.
"The silver lining of this Paris Hilton thing is it is an opportunity for customers to take further steps to protect their data," Zidar said.
Flexilis also advised T-Mobile subscribers to change their voice mail settings to require a password from the mobile device.