[ISN] Sidekick 2 hacks - Re: Hilton hack underscores mobile security lapses

InfoSec News isn at c4i.org
Mon Feb 28 05:37:44 EST 2005

Forwarded from: Anonymous Sidekick Developer <nobody at mixmaster.it>

I just read the last ISN article about the Sidekick hacking.

I cringe when people who don't really don't know anything about the
Sidekick start making statements and don't even look at the abilities
of the device in question.  Sorry about using the remailer, I am a
developer for Danger's Hiptop/Sidekick, as I would like to continue to
be a developer.

Some facts about the Sidekick (called the Hiptop, everywhere except

1. It's not Bluetooth.  There are no production Sidekicks with
Bluetooth.  There's a good chance that there are working prototypes,
but nothing available for consumers yet.  You can rule out
bluesnarfing or any type of Bluetooth hacking/virus/sniffing.  The
Sidekick has to Bluetooth hardware.

2. The sim card storage capasity is so small there is virutally no
data on it that the Sidekick could use.  The only thing the Sidekick
stores on a sim card is around 30 sms text messages (depending on the
sim card).  The Sidekick stores its data on the 16mb (color Sidekick)
32mb (Sidekick II) internal device memory, and also on a backend
server run by Danger Inc, the company that created the

3. It's the backend that got hacked, not the actual phone.  As a
sidekick developer and user, the screenshots I saw online are from the
backend server.  Danger's backend service is the backbone of the
device, all data is backed up on those servers.  This is done for two
reasons, A Sidekick device is not the sole location of data, if truck
runs over your Sidekick you can take the sim card, put it in a new
Sidekick and all your data, contacts, and email will be wirelessly
downloaded to your new device.  Secondly, Sidekick users can to log in
to tmobiles website and use the website like they would their
sidekick, any changes are made to both the backend and their device.

4. Tmobile uses their account page on their website (tmobile.com) to
allow access to the backend system.  Therefore, anyone that could
steal, or guess a Tmobile.com phone number, username, or password
could have full access to all the data on that customer's Sidekick.

5. By default, for Sidekicks the sim card is used mostly for user
identification on the network, all data entered onto the Sidekick is
stored on the device memory and the backend server, not the sim card.  
There is also no user selectable option to change this.  The only
thing stored on the sim card is sms messages.

6.  Tmobile Sidekick users are given an email address for their device
in the format USERNAME at tmail.com.  It appears that Paris's e-mail was
ParisHilton at tmail.com.  I would have hoped that Tmobile would have had
her pick something different when they started using her in their
Sidekick TV commercials.

Now that we have a username, it's just a hop skip and a jump to find
the password.  One of the "forgot your password" questions on Tmobile
is "what is your favorite pet's name?"  Its not hard to imagine
someone trying the name of her dog, Tinkerbell, as an answer.  The
dog's name has previously been the the tabloids and hollywood tv shows
after last year when the dog was lost for a short while.

I honestly believe this whole incident happened because of a few

First, poor selection of a username by Paris herself, or whomever
didn't advice her to choose something a little more obscure, instead
of her name.

Second, using any type of public knowledge as a backup security
question, such as your favorite pet's name, when you are a fairly well
known public figure, is not very smart.

Hopefully, that puts to rest some of the bad information going around
and being picked up and reprinted.

On Fri, 25 Feb 2005 8:29 am, InfoSec News wrote:
> http://www.commsdesign.com/story/showArticle.jhtml?articleID=60403328
> By Junko Yoshida
> EE Times
> Feb 24, 2005
> PARIS - The gory if inconsequential details of how hotel heiress and
> professional celebrity Paris Hilton's cellphone address book was
> hacked this week nevertheless generated a buzz among engineers in
> the mobile phone industry.
> The address book in question was stored on Hilton's Side Kick II
> smart phone, and backed up on a T-Mobile server.
> Kevin Kissell, an architect at MIPS Technologies Inc., said he
> wondered "whether the hackers accessed numbers stored in the phone
> — a default for most mobiles — or on the SIM card." He also
> wondered "whether the outcome might have been different if Ms.
> Hilton had stored her numbers on the SIM."
> T-Mobile wouldn't discuss its investigation. A company spokesman,
> however, suggested that "someone had access to one of Ms. Hilton's
> devices and/or knew her account password."
> Most reports postulated an attack on T-Mobile's server rather than
> the client. Speculation was based on the fact that T-Mobile's
> database was hacked last year by 22-year-old Nicols Jacobsen, who
> pleaded guilty earlier this month.
> Nonetheless, speculation was rampant regarding how hackers might
> have snagged her account password.
> Possible scenarios ranged from correctly guessing the name Hilton's
> dog to the theft of records and passwords stored in her SideKick II.
> The phone's Bluetooth interface was also cited.
> Hackers could have accessed T-Mobile's database using SQL
> (structured query language) injections, said David Naccache, vice
> president, research and innovation at Gemplus, based here. By adding
> SQL to a query, Naccache said it's possible to manipulate a database
> in ways not anticipated by administrators.
> Or, Hilton could have handed her phone to an acquaintance who
> extracted the information, said Naccache. "You need a key to the
> door in order to get into a house," he said. "But you can also get
> into the house through a window." Naccache, a forensic expert, said
> a hack was possible anywhere between the handset and the network.
> Even if the server was hacked rather than the client, Kissell's
> questions remain valid for chip vendors, SIM card manufacturers and
> mobile handset companies. All are racing to add security features to
> next-generation phone and network designs.
> Added Mike Yonker, director of Technology Strategy at Texas
> Instruments Inc., "This incident really stresses the need for
> stronger security. Consumers have reason to question even the
> security of the servers where their data is stored at the mobile
> operator."

More information about the ISN mailing list