Last week, we showed just how insecure voice mail systems really are by letting a 21-year-old British hacker break into my inbox. Obviously, somebody didn’t get the memo.
An impulsive startup founder named Avi Zolty hacked Web entrepreneur and Inside founder Jason Calacanis’s voicemail this week. And we know this because Zolty later blogged about his exploit on Medium.
The inane hack, according to Zolty, was a “social experiment,” “something unique” to draw attention to his startup company, which is trying to revolutionize the way we book rental cars.
Who knows, maybe Zolty’s company will “disrupt the $24bn a year US car rental market.” But first, he might want to think about finding a way to keep himself out of prison.
Zolty’s big idea was to replace Calacanis’s voicemail greeting with a message of his own: an advertisement aimed at venture capitalists who he thought might be interested in his startup, Skurt. What could go wrong?
“Hey guys, we temporarily borrowed Jason Calacanis’s voicemail,” Zolty’s message said. “If you wanna check out what we’re working on, we’re at Skurt.co. Jason, we hope there’s no hard feelings. We’re huge fans.”
Accessing Calacanis’s voicemail required little or no technical skill on the part of Zolty, so it’s curious why he believed that anyone would find his stunt impressive. It was accomplished by spoofing Calacanis’ phone number, thereby tricking the voicemail system into assuming it was actually him, and not Zolty, calling to check the messages. There are paid services online, such as SpoofCard, that do the technical magic for you. These services are usually employed by social engineers wanting to masquerade as other people over phone.
Unless you setup your voicemail to require a password each time you call it, there’s really no way to stop someone from checking your messages. There’s really no way to detect it either, if the hacker deletes a message before you’ve heard it. As Zolty eagerly points out in his blog, one can simply “call *67 to have it sent straight to voicemail.”
Rather than blow a gasket, Calacanis responded to having his inbox compromised by expressing concern over social media for Zolty, who may have violated state and perhaps federal laws with the shameless pitch. “Obviously you have not paid attention to the U.K. hacking scandal, but people go to jail for doing these kind of things—your intent does not matter in the eyes of the law,” wrote Calacanis.
— jason (@Jason) October 27, 2014
Indeed, Calacanis’s concerns are more than warranted. Zolty might easily find himself in handcuffs after publicly announcing that he’d exploited the phone company’s voicemail system. The Federal Bureau of Investigation (FBI), for one, has no patience and no sense of humor when it comes to hackers. And while surely the only damage done was to Zolty’s reputation—seriously, how did he think this was a good idea?—the U.S. government is in the business of making examples out of curious young hackers by crushing them under the full weight of the U.S. justice system.
Even a neophyte U.S. prosecutor could presumably find cause to charge Zolty with a federal crime under the Computer Fraud and Abuse Act (CFAA). All it takes is the slightest connection to interstate commerce—if Zolty was, for instance, in a different state than Calacanis when he hacked his voicemail. Likewise, it may be enough that the phone company’s servers were across state lines.
Regardless of whether or not a federal law was broken, there are plenty of state laws that apply; California Penal Code Section 502, for one. Anyone who “knowingly accesses and without permission adds, alters damages, deletes or destroys data … which reside or exist internal or external to a computer, computer system, or computer network” is said to be guilty of committing this public offense.
Hopefully, the authorities have their hands tied this holiday season pursuing serious criminals, like the ones launching cyberattacks against our financial institutions and point of sale (POS) systems—crimes that actually place U.S. businesses and their patrons at risk of fraud.
But if you’re reading this, Avi, you should probably get a good lawyer, just in case.
Photo by Samantha Celera/Flickr (CC by 2.0)