Back in 2004, when I was the technology editor on the New Zealand Herald, I received an intriguing call from a contact with information that sounded like the stuff of journalists’ dreams.
My contact, a teenager hacker who had previously introduced me to the murky world of bulk Internet spamming, told me he had found a way to hack into the voicemail boxes of 027 Telecom mobile phones. Any mobile, he said, that didn’t have a four digit PIN number enabled on it, was fair game.
I was initially sceptical – the telcos after all wouldn’t be stupid enough to leave a backdoor open allowing access into voicemail boxes of thousands of people. Surely not?
Within half an hour, the hacker, who went under the name “Phreaker” had patched me in on a phone call so I could listen in as he hacked into a Telecom voicemail box. There were a series of beeps as he entered various codes, then a male voice asking the caller to leave a message, then “beep!”. It actually worked.
Phreaker had already accessed the voicemail boxes of prominent politicians, the Mayor of Auckland Dick Hubbard, senior police officials and with delicious irony, the head of PR at Telecom. He had also tried to hack my own 027 voicemail box but luckily just a few months beforehand, I had enabled the four digit PIN number, blocking access via the back door Phreaker had exploited.
I got off the phone from Phreaker, my mind working over the possibilities. Back then, a lot of people didn’t protect their voicemail boxes with PIN numbers seeing it as time-consuming and cumbersome. And why would they anyway? We were told that voicemail was safe, locked down, unless someone managed to get hold of your mobile handset. So people would put a PIN number or password locking their phone itself, but not worry about protecting the digital voicemail box connected to the phone account.
So a lot of big names – celebrities, politicians, who were customers of Telecom, were possible targets of Phreaker. Indeed, the teenager had been delighting himself by trawling through directories, finding numbers on government websites and dialling them, as part of his fishing expedition to exploit unprotected voicemail boxes.
The possibilities seemed endless I thought, as I sat back in my chair in the bustling newsroom, journalists working on deadline around me. In partnership with Phreaker, I could systematically listen in on the voicemail messages left on the phones of cabinet ministers, Shortland Street stars, All Blacks, maybe even Prime Minister Helen Clark. Indeed, Phreaker wanted to know if I could get her mobile number. I fudged, sensing danger, “probably, I’ll look into it”.
All I would need to do would be to listen and wait for the good stuff. I mean, an estimated 75 per cent of 027 mobile customers were vulnerable – thousands of well-known people would be hackable as long as I knew their mobile numbers. Luckily, the Herald‘s contact database was full of those. Results would depend on how revealing the messages left on people’s voicemail boxes were. So you might not get some juicy, scandalous nuggets straight away. But over time, who knew?
Political tactics could be revealed, angry rants from jealous lovers, lewd messages from mistresses, the business strategies of prominent chief executives outlined. I could be coming up with scoops for the Herald every week. Here was my chance to hog the front page, climb out of my tech reporting pigeon hole and beat the general news hacks at their own game!
Then I crashed back to Earth. Doing so would be highly illegal, unethical and probably get me fired. In other words, all the shame, embarrassment, threatened legal action and worse currently being heaped on the News of the World journos involved in the phone hacking scandal would have rained down on me.
An email came through from Phreaker: “So are you running with it for tomorrow’s paper?”
That’s the problem with teenager hackers – they can’t sit still for 20 seconds and they just want to skite about their hacking prowess. Phreaker wasn’t interested in waiting months to painstakingly gather dirt on the country’s elite. All he wanted was the glory of having broken Telecom’s voicemail box security – for which he would gain serious cred in the hacking community. Everything else was just a laugh.
The kid had potentially hit the jackpot. He could be selling info to the women’s magazines, trading commercial secrets, even manipulating the political system. Instead he wanted his name in the Herald – his real name too. That’s because Phreaker didn’t care about the consequences of his actions. He didn’t care what happened to himself as a result. I’d been to his house and seen his middle-class family – mum trying in vain to wrangle a sullen teenager who spent his life in front of a computer, hacking.
And that’s why I didn’t publish the scoop Phreaker had dropped in my lap. I knew what he was doing would get him in serious trouble with the law – which it subsequently did. Phreaker went to another technology journalist, who promptly ran the story. Soon after, the police were knocking on his door. Phreaker got his moment in the media – he even had a 20/20 piece done on him. He was happy. He’s now an Internet security consultant roaming the globe.
The phone hacking revelations were embarrassing for Telecom, which scrambled to plug the security hole. But the story quickly fizzled out. It would have been a different story if Phreaker had patiently kept listening in and collecting dirt – and found a journalist willing to break the rules in the pursuit of a juicy story. Then we could well have had a true phone hacking scandal of News of the World proportions…