Paris Hilton's Sidekick gets hacked. What is T-Mobile going to do about it?
So we're still waiting for someone from T-Mobile to get back to us with an official comment on what happened, but the big thing to take away from the Paris Hilton Sidekick hacking scandal (besides all the amateur porn and celebrity cellphone numbers) is that if she didn't "inadvertently" give someone the password to her Sidekick, then T-Mobile didn't adequately protect the personal data of one of their subscribers (yeah, we're getting a little heavy on you all). We already knew that T-Mobile's security had been compromised (the hacker behind all that pleaded guilty last week), but in this specific case the crux of the problem is that they keep all of your contacts and data on a server and not on your Sidekick. Why? Because they want to own the data so they can hold on to you as a customer (if you can't take your emails and contacts with you, it'll be tougher to switch, right?). It's a bad practice for a lot of reasons, but at the end of the day it just makes it that much easier for a hacker, or a mischievous T-Mobile employee, to snoop around. Sure, you could theoretically use Bluetooth or whatever to directly hack into someone's phone and grab their address book, but it's way, way harder than just yanking it off of a server somewhere. We feel bad that Avril Lavigne's personal assistant had to get her boss a new phone number on a Sunday, but that's a small price to pay if T-Mobile (and every other company that handles their customers' private data) finally gets it hammered home that they need to do a much better job of securing our privacy.

Reader Comments (Page 1 of 1)
Casual Observer @ Dec 19th 2005 12:10AM
My problem with the sidekick from day one.
Why in the WORLD would I entrust my personal data to telecom schmoes? You have to be nuts.
DUH!
Dominic @ Dec 19th 2005 12:10AM
I think that it was just a breach by a bad T-Mobile employee. I mean, let's say he/she was going to be laid off. That person might want to get a little revenge on his/her company. And what a perfect way to do it than by posting Paris Hilton's address book on the Internet?
Steve B @ Dec 19th 2005 12:10AM
Easy now with the indignation. We have no idea here that it's even T-Mo's fault. For starters, that Sidekick info is kept on Danger's servers, not T-Mo's. And it is kept on those servers probably so that if you have to get a new Sidekick, all your data appears on it.
Oh, and there's plenty of easy ways to sync that data off now. Even Macs can do it now, right?
So thinking it is a plot to trap you seems rather harsh to me.
Anyway, my guess here is that someone simply guessed Paris' password. She wouldn't be the first it happened to. I say this because all the Sidekick celebs' data is kept on a separate server from everyone else, and if you were going to hack into it, why didn't they take Jesse James' data? Or Tony Hawk's? No, it appears to me (and this is a guess) that someone simply compromised Paris' account, probably by guessing her password.
Rich @ Dec 19th 2005 12:10AM
To be fair to T-Mobile, from what I've read elsewhere, it sounds like someone just guessed Paris's password -- she probably used her dog's name or something.
Frankly, the information on the servers can be as secure as you like, but if you give users access to it, and let them set their own passwords, then this is going to be the weakest link. You could make the security regime much more difficult to log on (RSA SecurID, random number/letter passwords, etc.). The problem with this is, people just write their passwords down -- usually on a PostIt note on the side of their PC. This in the end is generally far less secure.
From what I understand, the security of T-Mobile USA's servers is now very much higher thanks to the previous large scale hacker; so it seems less likely that someone actually hacked the Sidekick system. If they did, expect other 'celeb' Sidekick users' details to appear on the web soon...
As for the issue with keeping information only on the servers -- this is probably much more secure than on the actual phone. I recently lost my own phone, with all my contacts in it, diary dates, notes, etc. If all this had been secure on a server, as soon as I barred my old phone, the thief wouldn't have access. Swings and roundabouts...
timndaly @ Dec 19th 2005 12:10AM
The Paris Hilton hack is not the first time that T-Mobile has had this issue regarding the Sidekick device. Late last year, a hacker accessed the servers that T-Mobile uses for the sidekick, and accessed info for about 400 customers...including an FBI agent's Sidekick which just happened to have emails and info that he had investigating the hacker's access to the network.
T-Mobile and Danger, the maker of the Sidekick, need to come up with a more secure way to use the device...maybe having a larger memory in the device itself (i.e. a memory card) so info is not stored on a central server.
What a slap in the face for T-Mobile.
Jeff @ Dec 19th 2005 12:10AM
I'm willing to bet her password is...
*****
Erik @ Dec 19th 2005 12:10AM
I'd like to know what T-Mobile plans to do about this, not only for celebs, but for common folks like me who have a sidekick. Does their Security Breach void the 1 year agreement allowing me to cancel my service without penalty? This offers a huge problem with company Execs that hold trade secrets within their sidekicks; it once was secure and thought to be trusted. I doubt the hacker got Paris's password, I'm sure he/she used the same method that the previous hacker did and I imagine that if there were enough demand, more celebs will be showing up.
chuck @ Dec 19th 2005 12:10AM
yep, your claim that says t-mobile has stuff saved on "their" server (which is actually danger's and not theirs.. get your facts right) so it's hard to switch to another carrier is total crap. you can easily sync all your data onto your computer. the idea of saving stuff on the server is actually so that you can easily access all information on your sidekick from the desktop interface, and also, if you ever lose/break your sidekick or if it's stolen, when you get a new one, it can sync with the server and you can get all your data back. it's actually quite a good idea.
Steve @ Dec 19th 2005 12:10AM
Can anyone vouch for the authenticity of the photos? Are they typical quality for the Sidekick? Are they the same resolution? My experience with camera-phones would at least make me ask the question.
mike s. @ Dec 19th 2005 12:10AM
sorry, but it's bullshit that you can "easily" sync your sidekick with all your data on your computer. you have to use their lame intellisync system to wirelessly sync with your PC, you can't just do it over a cable or anything. what's with all the t-mobile apologists? why can't I have the option to have t-mobile have ZERO access to my personal data?
keith hoover @ Dec 19th 2005 12:10AM
America needs to get a life,
I'm taking a brief break from studying a med school assignment, and stumbled across this site. Quite frankly, who in the hell cares about Paris Hilton's daily drama bullshit (T mobile, etc). This bitch hasn't worked a day in her life and couldn't read a Dr. Seuss book.
Get your own life and stop being consumed with other people's lives. America could be a much better place if we all focused our energies somewhere else other than on this worthless party ho. Do you think she gives a shit about you?
Alfred @ Dec 19th 2005 12:10AM
If you really think that T-Mobile's (Danger's) servers are a lot more secure after the first hacking attempt, take a look at this article:
http://www.infosecinstitute.com/blog/ethical_hacking_computer_forensics.html
joe @ Dec 19th 2005 12:10AM
I have T-mobile, why in the world would you save any numbers to your sim-card?
If you save them to the device then it doesn't show up on your t-mobile account.
Alfred @ Dec 19th 2005 12:10AM
Saving your phone numbers to your sim card does NOT save them on T-Mobile's server, and only saves them on the memory contained locally inside the sim card. There's actually a big advantage to saving your numbers to a sim card, as you can move that card from phone to phone without having to re-enter all your numbers.
What happened with Paris' contacts is different. She was using a Danger Sidekick communicator. That device stores ALL its information on T-Mobile's (technically Danger's) servers. That way if you break your old sidekick (or lose it), you just type in your username and password on the replacement device and everything gets set up and downloaded exactly the way you had it in the old one. You also have the ability to access all this information via a web interface. This is a great convenience, but also has obvious security drawbacks (as Paris' associates have discovered).
Mark H @ Dec 19th 2005 12:10AM
I have about the dumbest bluetooth phone you could possibly find and a bluetooth pda. I love my current setup, pda for web, email, sms and dialing infrequent phone numbers. Phone for talking. My eggs aren't all in one basket, and while bluetooth does have some security risks a hacker would have to stay within 30 feet of me for about 12 hours to really milk my pda (512MB SD card).
Patrick Dodds @ Dec 19th 2005 12:10AM
Hacked? I don't think so. Publicity for the video had died off so what was the poor girl to do? If she was really hacked I'm going to get a haircut like Bill's.
cLOUDFAn @ Dec 19th 2005 12:10AM
I am using T-M
does this mean getting a sidekick now is a bad idea?
Fine James @ Dec 19th 2005 12:10AM
Um, well, does anyone know if I can use my Hilton Honors points to get inside Paris Hilton?
Minuk @ Dec 19th 2005 12:10AM
"why can't I have the option to have t-mobile have ZERO access to my personal data?"
you do. it's called verizon.
Nick @ Dec 19th 2005 12:10AM
Rootsecure.net offer a detailed look into how it could have happened: http://www.rootsecure.net/?p=reports/paris_hilton_phonebook_hacked
This exploit is quite simple, you can gain access to anyone's tmobile account via their website
Refresh @ Dec 19th 2005 12:10AM
Any 1 tried calling Eminem?
jambalaya @ Dec 19th 2005 12:10AM
As a previous T-Mobile employee who dealt with sidekicks on a daily basis, i can assure you, the network is secure. Even an employee cannot access pictures or contacts or emails from the sidekick servers, at least not from work. They do not have access to the passwords, either. Most likely, Paris let her sidekick fall into the wrong hands, or let her password slip.
I have an account with T-mobile, and i have never been happier with any other cell phone service. I can assure you, T-Mobile has your total security as a priority, and I recommend them for all your mobile needs!!!
Suren @ Dec 19th 2005 12:10AM
I don't know why people would go with T-mobile in the first place. They got good phones, but crappy service. T-mobile is for cheap people.. and once they have the service for a year they switch to Verizon.
Why don't people realize that quality is much greater than quantity.
Go ahead and switch from T-mobile people.. the company has been around for about 2 years and its been hacked a few times. Verizon has been around for 20 years.. do yourselves a favor :)
Aldemar @ Dec 19th 2005 12:10AM
Who cares?
lastcall42 @ Dec 19th 2005 12:10AM
T-Mobile has only been around for 2 years?? Do some homework,
T-Mobile is Deutsche Telekom ya fuckin retard. Yeah, that's a real small time
Mom and Pop outfit, huh.
Samantha @ Dec 19th 2005 12:10AM
WHY in the hell would I make a sex video on my cell phone KNOWING they are always leaking through because of satellites !??? That's her fault and she deserves it !