Hackers Found Hilton's Phone An Easy Target

T-Mobile's Sidekick combines a phone, organizer and camera.
T-Mobile's Sidekick combines a phone, organizer and camera. (By Victoria Arocho -- Associated Press)
By Brian Krebs
Special to The Washington Post
Friday, May 20, 2005

The caper had all the necessary ingredients to spark a media firestorm -- a beautiful socialite-turned-reality-TV-star, embarrassing photographs and messages, and the personal contact information of several young music and Hollywood celebrities.

When hotel heiress Paris Hilton found out in February that her high-tech wireless phone had been taken over by hackers, many assumed that only a technical mastermind could have pulled off such a feat. But as it turns out, a hacker involved in the privacy breach said, the Hilton saga began on a decidedly low-tech note -- with a simple phone call.

According to the young hacker's account, a group of hackers participated in the scam. One member rang a T-Mobile sales store in a Southern California coastal town on Feb. 19 posing as a company supervisor inquiring about reports of slowness on the company's internal networks.

The sales representative answered, "No, we haven't had any problems really, just a couple slowdowns. That's about it."

The hacker pressed on: "Yes, that's what is described here in the report. We're going to have to look into this for a quick second."

The sales rep acquiesced: "All right, what do you need?"

What the hackers needed was a way to connect names to phone numbers, and the sales rep gave them that, offering the password to a T-Mobile Web site used by employees to manage customer accounts.

The hackers were interested primarily in customers who owned a Sidekick, a pricey phone-organizer-camera device that stores copies of its videos, photos and other data online, the young hacker said. Due to a vulnerability in T-Mobile's software, members of the group had figured out how to reset passwords used by Sidekick owners to access their data online.

The young hacker described the exploit during online text conversations with a washingtonpost.com reporter and provided other evidence supporting his account, including screen shots of what he said were internal T-Mobile computer network pages. Washingtonpost.com is not revealing the hacker's identity because he is a juvenile crime suspect and because he communicated with the reporter on the condition that he not be identified either directly or through his online alias.

A T-Mobile spokesman said the company "will work with federal law enforcement agencies to investigate and prosecute anyone that attempts to gain unauthorized access to T-Mobile systems," but declined to comment further.

The group's members -- who range in age from their mid-teens to early twenties -- include a handful of "AOLers," a term used in hacker circles to describe youths who honed their skills over the years by tampering with portions of the network run by Dulles-based America Online Inc. Four members of the far-flung group have met face to face, but the majority of their day-to-day interactions take place online.

The hacker said group members began looking up famous names and their phone numbers. At one point, the youth said, the group harassed Laurence Fishburne, the actor perhaps best known for his role in the "Matrix" movies as Morpheus, captain of the futuristic ship Nebuchadnezzar.

The group then set out to find a high-profile target, one that would ensure their exploits were reported in the press, the young hacker said. They ultimately settled on Hilton, in part because they knew she owned a Sidekick; Hilton had previously starred in a commercial advertising the device.

The hackers pulled up the secure T-Mobile customer records site, looked up Hilton's phone number and reset the password for her account, locking her out of it. Using their own Sidekick phone, they were then able to download all of her stored video, text and data files to their phone, the hacker said.

"As soon as I went into her camera and saw nudes my head went JACKPOT," the hacker recalled.

By early Feb. 20, the pictures, private notes and contact listings from Hilton's phone account -- including phone numbers of celebrities such as Christina Aguilera, Eminem, Anna Kournikova and Vin Diesel -- had appeared on GenMay.com (short for General Mayhem), an eclectic, no-holds-barred online discussion forum.

It wasn't long before the information ricocheted around the Web.

Krebs is a staff writer with washingtonpost.com.

© 2005 The Washington Post Company