Saturday, July 26, 2008

How Mighty Virus' phone gets hacked

Poor Hannah Montana. The beloved 15-year-old (known in the real world as Miley Cyrus) made headlines this week when her cell phone was hacked—again—revealing pictures she (and someone else) had taken of herself, posing with her belly bared and, in one shot, in a wet t-shirt standing under the spray from a shower.

Now one of the hackers involved with the theft of the photos from the cell phone has spoken up to take responsibility for the incident and, more importantly, to publicly discuss how it is done.

Requesting I refer to him by the handle "K Dollars," the hacker says he and his friends obtained the photos from Cyrus's cell phone months ago. The shots were ultimately released on the website on July 12 and spread widely on the web, and though some observers claim the pictures are faked, no compelling evidence has emerged to indicate the shots are not real.

If you've seen how this works in the movies, you might think hacking a cell phone involves complex sessions of password cracking, heavy-duty computers, and dark underground lairs filled with custom equipment, but that's not the reality at all. In fact, says K, to get the pics off a cell phone, he barely has to touch a computer. The hack is almost completely done via the telephone, as K simply calls the cell phone company and pretends to be a supervisor, then simply requests a customer service rep give him the information he needs to access the account. In the case of a T-Mobile Sidekick like Cyrus's, he says, it's even easier since T-Mobile stores notes, contacts, and, yes, photos on a server instead of just on the phone, for use as a backup in case the phone is lost.

After obtaining the account information, K can call back and claim to be Cyrus (or another account holder) and switch the account to another phone he has handy, giving him instant access to all the original phone's contents. What if the rep asks for personal information to authenticate the call? If K needs additional data, like a Social Security Number, he says he usually calls the electric company, which usually has it on file, and pulls a similar trick to get them to give him the information, then calls back the cell phone company.

K says T-Mobile is hardly alone. This simple social engineering hack works the same way on any ISP, cellular carrier, or web-based email provider. The same basic techniques are responsible for the hacking of Paris Hilton's and Lindsay Lohan's cell phones (though some say Hilton simply used a password that was simply too easy to guess). In fact, K says he's been pulling these hacks since 2000, and little has changed since then. (I last interviewed K (then using a different handle) in 2003 regarding similar hacks of AOL accounts, which also relied on heavy telephone use and simply "mumbling" when the account rep asked for security information.)

Now for the sad part: I asked K what the average user can do to protect himself from these attacks, and aside from getting rid of your cell phone or computer, the answer seems to be "not much." "It's in the provider's hands for the most part," says K. Nor is anything likely to change. "I've been doing this for years," says K. "It just always works. It isn't new to the industry... both law enforcement and the ISPs know about it. They just choose to do nothing about it, at all."

No comments: