Ringing a Warning Bell

When John Higdon found out that someone could fake their way into his cellular voicemail, he tried to tip off his service provider. But it wasn't easy to get his urgent message through to Pac Bell. By Chris Oakes.

John Higdon thought he was doing his cellular services provider a favor when he let the company know about a security problem that left the voicemail boxes of Pacific Bell Mobile Service customers vulnerable to intruders. But he said he was intimidated and harassed when he tried to deliver the news.

Pacific Bell treated him like a criminal suspect first, Higdon claimed, and a customer second.

"Today I'm being treated like a person," said Higdon, a San Jose, California, telecommunications consultant. "But it was a great big distance between point A and point B."

Pacific Bell Mobile Services, with 5.8 million customers, is the wireless subsidiary of SBC Communications (SBC).

Pac Bell spokeswoman Dori Bailey confirmed Monday that Higdon helped the company identify a security problem, which has since been fixed. But she would neither confirm nor deny Higdon's claims of intimidation, and she said she couldn't provide details on the company's communications with Higdon.

On 15 July, Higdon discovered that anyone with administrative access to a PBX corporate phone system could access and listen to the voicemail of any Pacific Bell Mobile Services customer. Since the system uses caller ID to verify a caller and grant voicemail access, simply modifying a caller ID number would grant unauthorized access to the system's voicemail.

PBX administrators can assign any number as a phone's caller ID: a user's home phone number, another familiar number, or the cellular number of any Pacific Bell Mobile Services customer. By assigning a number to a particular PBX extension, calls placed from that extension were granted access to the voicemail of the customer assigned to that Pac Bell cellular phone number.

The First Calls

After discovering the problem, Higdon spent eight hours explaining the problem to Pac Bell customer support representatives and trying to persuade them to alert the company's technical staff.

Higdon said he was so frustrated that he finally left an ominous message, threatening to make the security flaw public unless the company promptly addressed the problem. That night, Higdon received a call from a Pac Bell fraud investigator. For weeks after that, Higdon said the company alternately treated him with skepticism and criminal suspicion.

Finally, Higdon agreed to prove his claims in a demonstration, which he conducted with the help of a friend who was a PBX administrator. He showed that he was able to gain access to the voicemail box the company had created for the demonstration.

"That's when they changed their tone from crackpot to criminal," said Higdon. "They wanted to know how many mailboxes I'd entered."

Shortly after that, Higdon fired a warning shot, posting an Internet message about the security hole, without providing details.

Getting Legal

On 21 July, Higdon said he got a call from an attorney representing Pacific Bell, Chris Ottenweller.

"He asked me how many boxes I'd entered that way, was I familiar with the Telecommunications Act of 1996, did I know that I may be violating federal law, that 'if you damage us, we have actions we can take,'" said Higdon. "And when we got to the end of all that, he wanted me to commit to not saying anything about the problem in public."

Higdon said he agreed to keep quiet if Pacific Bell agreed to let him speak with its technical staff so the problem could be resolved. Higdon said Ottenweller told him someone would contact him within the week. Higdon demanded a call within 24 hours.

He got his call, but the security problems persisted.

After another two weeks, Higdon said he had had enough. He decided to post detailed information on the problem in Internet discussion groups frequented by telecommunications professionals and engineers.

According to Pacific Bell, technical personnel investigated the problem and devised a fix much sooner. Bailey said the company's technical staff reported a fix on 21 July, within a week of Higdon's first contact with the company.

A Matter of Tone?

Bailey said Higdon's initial contact with Pac Bell may have caused the company's confrontational response. If he threatened to publish details of the security hole, she said, "You can see how that would be taken as a threat."

What Higdon said at any point may have "escalated to a different place," Bailey added. But whatever the initial tone of their interaction, both parties "ended up in a good place." More importantly, the problem was fixed.

The Fix

The company's temporary fix for the problem was to limit voicemail access to customers dialing in directly through the Pacific Bell Mobile Services wireless network. As a result, if customers are dialing in from outside phone networks -- including out-of-state cellular networks -- their voicemail is inaccessible.

Bailey said Pac Bell will replace the temporary fix with another that will restore access to voicemail from any phone or network. After the solution is in place, access to voicemail will require a password to be entered by the customer.
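The three access policies the article describes (caller-ID-only trust, the temporary on-network-only restriction, and the planned password requirement) can be modelled side by side. The following Python is an added illustration, not code from the article or from Pacific Bell; the subscriber number, PIN, network labels and call records are constructed placeholders, and the internal design of Pac Bell's platform is not known from the article. It shows why a presented caller ID is not an authenticator (the originating switch chooses it), why the temporary fix locks out legitimate subscribers calling from other networks, and how a PIN restores access from anywhere. It also includes a small audit helper of the kind a defender would use to flag off-network calls that claim a subscriber's number.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import hashlib
import hmac
import os

# Origin labels as seen by the voicemail platform (assumed; the platform, not the
# caller, knows which network a call arrived over).
ON_NET = "pbms-wireless"   # arrived over the carrier's own wireless network
OFF_NET = "external"       # arrived from any other network (a PBX trunk, another carrier, ...)


@dataclass(frozen=True)
class Call:
    caller_id: str            # number presented by the originating switch; a PBX admin can set any value
    origin: str               # ON_NET or OFF_NET, determined by the receiving platform
    pin: Optional[str] = None # secret entered by the caller, if the policy asks for one


def _hash_pin(pin: str, salt: bytes) -> bytes:
    # Salted, stretched hash so a leaked PIN store does not reveal PINs directly.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def enroll_pin(pin: str) -> Tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, _hash_pin(pin, salt)


# Constructed sample subscriber: the number and PIN are placeholders, not real data.
SUBSCRIBER = "4085550100"
PIN_STORE: Dict[str, Tuple[bytes, bytes]] = {SUBSCRIBER: enroll_pin("2468")}


def access_caller_id_only(call: Call, mailbox: str) -> bool:
    """Original policy: the presented caller ID is taken as proof of identity."""
    return call.caller_id == mailbox


def access_on_net_only(call: Call, mailbox: str) -> bool:
    """Temporary fix: caller ID is trusted only when the call came over the carrier's own network."""
    return call.caller_id == mailbox and call.origin == ON_NET


def access_with_pin(call: Call, mailbox: str) -> bool:
    """Planned fix: identity is proven with a secret PIN; caller ID only selects the mailbox."""
    if call.pin is None or mailbox not in PIN_STORE:
        return False
    salt, expected = PIN_STORE[mailbox]
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(_hash_pin(call.pin, salt), expected)


def suspicious_access_attempts(log: List[Call]) -> List[Call]:
    """Audit helper: calls claiming a subscriber's number that did not arrive over the subscriber's network."""
    return [c for c in log if c.caller_id in PIN_STORE and c.origin != ON_NET]


def compare_policies(call: Call, mailbox: str) -> Dict[str, bool]:
    """Decision of each policy for one call, for side-by-side comparison."""
    return {
        "caller_id_only": access_caller_id_only(call, mailbox),
        "on_net_only": access_on_net_only(call, mailbox),
        "with_pin": access_with_pin(call, mailbox),
    }


if __name__ == "__main__":
    # Constructed scenarios: an off-network call presenting the subscriber's number (a PBX
    # extension whose caller ID was set to that number), the subscriber roaming on another
    # network with the correct PIN, and the subscriber on the home network without a PIN.
    scenarios = {
        "off-network call presenting subscriber's number": Call(SUBSCRIBER, OFF_NET),
        "subscriber roaming off-network with correct PIN": Call(SUBSCRIBER, OFF_NET, "2468"),
        "subscriber on home network, no PIN": Call(SUBSCRIBER, ON_NET),
    }
    for label, call in scenarios.items():
        print(f"{label}: {compare_policies(call, SUBSCRIBER)}")
    print("flagged:", suspicious_access_attempts(list(scenarios.values())))
```

The first scenario is the flaw from the article: only the caller-ID-only policy admits it. The second shows the cost of the temporary fix (a legitimate subscriber off the home network is refused) and how the PIN policy restores access. The audit helper flags both off-network calls, which is the signal a fraud team would want to review while the caller-ID-only policy was still in place.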