Bill Bumgarner


Paris Hilton's T-Mobile SideKick compromised.

Apparently, Paris Hilton's T-Mobile SideKick has been compromised and the contents have been posted to the Internet. As a result, many famous folk's phone numbers have also been posted. If this were the personal info of any random John Doe, it wouldn't have made the news. But it wasn't just anyone and the list of numbers includes all kinds of people the rabid celebrity worshippers and tabloid press obsess over. I bet there are a lot of personal assistants stressing out as they try and grab a new device and transfer all the data.

This raises a more serious concern. That T-Mobile's network is vulnerable has been known for some time. Personal photos of various celebrities had been ripped off along with some other personal information.

In this case, it sounds like the contents of Paris's phone was ripped down and posted. The story specifically mentions personal notes and other non-phone number information that one might keep on a SideKick.

The simplest explanation is that T-Mobile offers an automatic service via which the contents of the phone is backed-up to their systems. But I couldn't find anything like that mentioned as a service.

If not that, then what happened?

If the phone was compromised and the data was downloaded directly from it, that would imply that a powered down cell phone is the only way to keep data secure (making it rather useless). I can't imagine T-Mobile storing data without customer permission, but sillier things have been known to happen.

Google news for T-Mobile. Paris Hilton google news.

Of course, this is still very early in the Drudge "exclusive report" cycle. So, there is always a chance that this isn't a real story or it is just a case of Paris misplacing her SideKick such that the wrong person found it and posted the contents.

Update #1: Banner ads and the like are already starting to show up for Paris Hilton Phone Pic Packs. Apparently, there were about 35 pictures on the phone and you can now pay for the privilege of downloading and viewing said pics. Let's see -- less than 24 hours between the alleged hack and the "productization" of the results. The window of revenue generation is likely so short that the individuals and companies involved in the distribution will simply disappear before the law can even start to properly investigate this. I would bet that the porn-conomy is all abuzz with renewed interest in the original Sex Tape about now.

Update #2: Through very useful comments (Thanks!), I have learned two things. First, the SideKick uses Danger as the information service that drives the SideKick's data storage and handling service. Apparently, the SideKick constantly syncs the Address Book, Notes, and other data to the central server. Secondly, T-Mobile controls the authentication process and authentication with T-Mobile is also counted as authentication with Danger's service.

As documented at Security Focus, T-Mobile's service had been compromised almost a year ago.

I wonder if the recent high profile compromise exploited the same security hole or a new hole has been found. Or, to rephrase the question: Is T-Mobile completely incompetent at managing their security or are they simply feeling the pains that many companies experience as they grow over time?

Comment on this post [ so far] ... more like this: [Privacy, Technology] ... topic exchange: [Privacy, Technology]