This is a guest post by Chris Brace (AKA Mr Ceebs on Twitter) who helped me compile the Leveson Amnesia Appendix to my book, The Fall of the House of Murdoch, and will soon be joining the new Bellingcat site set up by Brown Moses, who has a phenomenal record in documenting both Hackgate and the Syrian civil war.
Chris is writing in response to new evidence at the Hacking Trial. Rebekah Brooks, in her testimony, expressed astonishment that Glenn Mulcaire had managed to hack her phone (on the orders of another News of the World journalist the jury have been told) even though she’d changed her default PIN number to a personalised one.
Clive Goodman, the former NOTW Royal Editor, also told the court that Mulcaire provided both personalised PIN numbers and direct dial numbers for voicemails.
Previous prosecution evidence had shown Mulcaire blagging: using engineering passwords, or getting a reset to default from the customer service lines of mobile phone companies. But how could he get hold of a personalised PIN number? Goodman claimed he had met a contact of Mulcaire’s from the security services and that they provided key data.
These claims have not been thoroughly tested in evidence in Court 12, and much remains speculation. But Chris has devised a thought experiment about how to get hold of personalised PINs.
Glenn Mulcaire has pleaded guilty to further charges of conspiracy to intercept voice-mails. But all the defendants at Court 12 deny all the charges and the trial continues.
A Thought Experiment on PIN Numbers and Security
Now the following all depends on the phone companies following normal computer security practices. The equipment at the back of phone networks is all basically computers, but you never know: the people in charge could actually be idiots, and not have the necessary paranoia to be in charge of people’s personal information.
When you type your PIN number in on a phone or bank, what happens?
Well, firstly the code you’ve typed is passed to a chunk of hardware that encrypts it to produce an encrypted key, and this is the value that is then passed over a further encrypted link to the phone company or bank. At the far end it is either compared to a pre-encrypted copy stored in the phone company’s or bank’s database, or the PIN is calculated on the fly from data held in the user’s account, such as the account number and a couple of other factors.
The PIN number can’t be found by a member of staff at the phone company, because they don’t store it in any human-readable form, just, at best, in the pre-encrypted version. If you ring the company up you can’t just ask them for your PIN number; they can offer to change it for you using an automated process, but they can’t see it themselves, so the member of staff doesn’t know it.
The result of this has been that one of the major phone blags reported in phone hacking has been to get the PIN number reset on mobile phones. You ring up, get them to reset the PIN number to default and then you have access for whatever nefarious purposes you require. However there’s a chance that the actual phone’s owner will realise that something has gone wrong when their PIN number keeps failing and it has been reset to default. (It’s possible that the company’s security people might notice this happening too, and now that phone hacking and blagging has hit the public consciousness this is much more likely.)
As a determined phone hacker what do you do?
Just guessing is not a good strategy. After three failed attempts the SIM is temporarily locked until a Personal Unblocking Code is obtained from the service provider. So for a phone hacker, even picking the two most popular numbers, so you didn’t trigger any blocks, would only give a just over 1 in 10 chance of gaining access. And that is if the user has chosen an incredibly stupid number.
So what other methods are available to gain access to PIN numbers?
Well most of them are exceedingly non-trivial, involving grabbing real-time data being run across the phone network and then extracting plaintext from inside extended chunks of transmitted data. This is not something that is in any way easy. The encryption of these real-time streams is extremely secure, as it’s the same level of encryption that is used for encrypted financial transactions across the internet. And the last thing the banks want to happen is for anyone apart from them to run off with your money, so we can be fairly sure it’s tight. If it failed and advanced groups could waltz in and out of the data stream at will, somebody would have wandered off with enormous amounts of cash by now, and that is something that would have been noticed. If the phone company’s encryption works properly then it’s a problem to be talked about in terms of many years of supercomputer power to effectively crack. So not something to be done on a whim to help a mate who does the odd PI job for a newspaper.
So what other options are there?
Well the majority of possibilities come from things like social engineering: ringing people up and asking them for their PIN numbers, which amazingly works, or grabbing them over their shoulders when they are typing them. Both require a level of time and risk and aren’t doable, as a majority of celebs are going to notice the dodgy bloke in the mac reading their PIN numbers over their shoulder, especially celebrities who keep changing their phones because the tabloid press seem to know everything they are doing.
So it’s not a reasonable proposition for a PI or reporter, especially when you need the number here and now, on tabloid schedules, to produce tomorrow’s edition while the editor is shouting.
Apart from those methods there is one, but it would require a number of things to line up just right and quite a few resources for it to work.
Let’s say you had complete access to the phone company’s passcode database, the files that match up PIN numbers with user accounts. If you have those individual numbers, and understand the encryption formula used to turn the PIN into the key, then on a separate machine you could generate all thousand possible PIN combinations to see what encrypted key came out as a result, and from that work out which one resulted in the key held on file. All it would take is a relatively trivial amount of computing power and time compared to breaking PINs from the outside.
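To make the two halves of this argument concrete, here is an added illustration (my own constructed code, not the author’s and not a description of any real operator’s systems): the online lockout from the earlier paragraph beside the offline table lookup described here. It assumes a 4-digit PIN and contrasts a plain, unkeyed hash, which the table recovers outright, with a keyed HMAC whose key is held outside the account database, where the same table gets nowhere without that key.

```python
import hashlib
import hmac
from typing import Optional

# Constructed example: a 4-digit PIN has exactly 10,000 possible values.
PIN_SPACE = [f"{n:04d}" for n in range(10_000)]

def store_fast_hash(pin: str) -> str:
    """Weak scheme: the account record holds an unkeyed SHA-256 of the PIN."""
    return hashlib.sha256(pin.encode()).hexdigest()

def recover_from_fast_hash(stored: str) -> Optional[str]:
    """The offline lookup from the post: hash every candidate once on a
    separate machine and look the copied record up in the table."""
    table = {store_fast_hash(p): p for p in PIN_SPACE}
    return table.get(stored)

def store_keyed(pin: str, key: bytes) -> str:
    """Hardened scheme: HMAC under a key kept in an HSM or separate key
    store, so a copy of the account database alone cannot build the table."""
    return hmac.new(key, pin.encode(), hashlib.sha256).hexdigest()

def recover_from_keyed(stored: str, key_guess: bytes) -> Optional[str]:
    """The same table built under the keyed scheme; it only matches when
    the table was built with the real key."""
    table = {store_keyed(p, key_guess): p for p in PIN_SPACE}
    return table.get(stored)

class OnlineVerifier:
    """Server-side check: three wrong attempts lock the account until a
    PUK is supplied, which is why online guessing is a poor strategy."""
    def __init__(self, stored: str, key: bytes, max_attempts: int = 3):
        self.stored, self.key, self.max = stored, key, max_attempts
        self.failures, self.locked = 0, False

    def check(self, attempt: str) -> bool:
        if self.locked:
            return False
        if hmac.compare_digest(store_keyed(attempt, self.key), self.stored):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.max:
            self.locked = True
        return False
```

The point for a defender is that the lockout protects only the online path; once the records leave the database, a small PIN space means an unkeyed hash is no protection at all, and the control has to be where the key lives and who can read the records.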
But you do need the access for this to work – and that was always where a scheme like that would fail when it was considered by people thinking about such things: they couldn’t see the company’s network security allowing anyone access to their data files.
But that is something that is no longer beyond the bounds of reasonable imagination since the Snowden revelations started appearing inside the Guardian and associated newspapers.
And if one set of data is available to State security forces without the necessary security, then it is hard to believe that they haven’t stretched that access to obtain more than is necessary. People have a tendency to re-use passwords and PIN codes, so it’s likely that one set has been lifted to facilitate access to other accounts on networks that formally the state guardians don’t have access to. And would it be such a stretch from there for an underpaid and overworked individual to slip a PIN number to a PI in the pub for a few quid or a couple of pints of beer?
Is it something that would ever remotely be provable in court? I think you would be waiting a very long time before anyone in authority even started to admit things like that.