[ISN] Hilton hack underscores mobile security lapses

InfoSec News isn at c4i.org
Fri Feb 25 04:47:14 EST 2005


By Junko Yoshida 
EE Times 
Feb 24, 2005  
PARIS - The gory if inconsequential details of how hotel heiress and
professional celebrity Paris Hilton's cellphone address book was
hacked this week nevertheless generated a buzz among engineers in the
mobile phone industry.

The address book in question was stored on Hilton's Sidekick II smart
phone, and backed up on a T-Mobile server.

Kevin Kissell, an architect at MIPS Technologies Inc., said he
wondered "whether the hackers accessed numbers stored in the phone — a
default for most mobiles — or on the SIM card." He also wondered
"whether the outcome might have been different if Ms. Hilton had
stored her numbers on the SIM."

T-Mobile wouldn't discuss its investigation. A company spokesman,
however, suggested that "someone had access to one of Ms. Hilton's
devices and/or knew her account password."

Most reports postulated an attack on T-Mobile's server rather than the
client. Speculation was based on the fact that T-Mobile's database was
hacked last year by 22-year-old Nicolas Jacobsen, who pleaded guilty
earlier this month.

Nonetheless, speculation was rampant regarding how hackers might have
snagged her account password.

Possible scenarios ranged from correctly guessing the name of Hilton's
dog to the theft of records and passwords stored in her Sidekick II.
The phone's Bluetooth interface was also cited.

Hackers could have accessed T-Mobile's database using SQL (structured
query language) injections, said David Naccache, vice president,
research and innovation at Gemplus, based here. Naccache said that by
adding SQL to a query, it's possible to manipulate a database in ways
not anticipated by administrators.
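The mechanism Naccache describes, shown as an added example that is not part of the article: a lookup that splices user input into the SQL text beside the parameterized version that keeps input as data. The account table, its rows and the inputs are constructed for the demo (sqlite3 in memory), not anything from T-Mobile's systems.

```python
import sqlite3

# Constructed sample rows for the demo only (plaintext column purely to
# keep the example short; it is not how credentials should be stored).
ACCOUNTS = [("paris", "secret1"), ("kevin", "secret2"), ("o'brien", "secret3")]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", ACCOUNTS)
    return conn

def lookup_unsafe(conn, username, password):
    # Vulnerable: the input becomes part of the SQL text, so any quotes
    # or operators it contains are parsed by the database as SQL.
    sql = ("SELECT username FROM accounts WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, username, password):
    # Hardened: placeholders bind the input as data; the database never
    # interprets it as SQL, whatever characters it contains.
    sql = "SELECT username FROM accounts WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]

def compare(username, password):
    """Return (unsafe_result, safe_result) for the same input; the unsafe
    result is the string 'error' when the spliced query fails to parse."""
    conn = make_db()
    try:
        unsafe = lookup_unsafe(conn, username, password)
    except sqlite3.OperationalError:
        unsafe = "error"
    return unsafe, lookup_safe(conn, username, password)

if __name__ == "__main__":
    # Ordinary input: both versions agree.
    print(compare("kevin", "secret2"))
    # A legitimate name containing an apostrophe breaks the spliced query,
    # which is the first sign that user data is reaching the SQL parser.
    print(compare("o'brien", "secret3"))
    # Input that turns the WHERE clause into a tautology: the unsafe query
    # returns every account, the parameterized one returns none.
    print(compare("x' OR '1'='1", "x' OR '1'='1"))
```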

Or, Hilton could have handed her phone to an acquaintance who
extracted the information, said Naccache. "You need a key to the door
in order to get into a house," he said. "But you can also get into the
house through a window." Naccache, a forensic expert, said a hack was
possible anywhere between the handset and the network.

Even if the server was hacked rather than the client, Kissell's
questions remain valid for chip vendors, SIM card manufacturers and
mobile handset companies. All are racing to add security features to
next-generation phone and network designs.

Added Mike Yonker, director of Technology Strategy at Texas
Instruments Inc., "This incident really stresses the need for stronger
security. Consumers have reason to question even the security of the
servers where their data is stored at the mobile operator."
