[ISN] An Oscar Surprise: Vulnerable Phones

From: InfoSec News (isn@private)
Date: Wed Mar 02 2005 - 09:23:35 PST


http://www.nytimes.com/2005/03/02/movies/oscars/02leak.html

By JOHN MARKOFF and LAURA M. HOLSON 
March 2, 2005

Paris Hilton is not alone.

According to a Los Angeles security consulting firm that went skulking
outside the Academy Awards ceremony in Hollywood on Sunday, as many as
100 people who walked the red carpet were carrying cellphones
vulnerable to the kind of privacy invasion that recently gained Ms.  
Hilton a new round of unwanted notoriety.
 
Three employees of the company, Flexilis, founded two years ago by
four University of Southern California students, positioned themselves
in the crowd of more than 1,000 people watching celebrities arrive at
the Kodak Theater. John Hering, one of the company's founders, wore a
backpack in which he had placed a laptop computer with scanning
software and a powerful antenna.

The Flexilis researchers said they were able to detect that 50 to 100
of the attendees had smart cellphones whose contents - like those of
Ms. Hilton's T-Mobile phone - could be electronically siphoned from
their service providers' central computers. The contents of Ms.  
Hilton's phone, including other celebrities' phone numbers, ended up
on the Internet.

The researchers said they were uncertain about the precise number of
vulnerable phones because some phones may have been detected more than
once. They did not tap into any of the cellphones that were scanned -
which would have been illegal - and so could not identify exactly
whose phones were vulnerable.

The researchers said that their stunt, which scanned the red carpet
from about 30 feet away, was meant to raise awareness of a threat to
privacy that is becoming more common as advanced cellphones carry a
growing range of personal data, including passwords, Social Security
numbers and credit card information.

"Celebrities, V.I.P.'s, executives and politicians are among the most
vulnerable to this kind of attack, because they are frequently the
first to adopt new consumer technologies," Mr. Hering said.

He also noted that despite extensive security measures at the Oscars,
his company's surveillance activities went unnoticed. "We were only
doing this passively, but it was possible that someone could have been
standing right next to us doing this maliciously," he said.

John Pavlik, director of communications for the Academy of Motion
Picture Arts and Sciences, said: "We're very confident about the
ability of our security to keep our guests and performers and nominees
safe. The problem with the privacy issue is that it is, in fact, a
growing phenomenon with these smart phones and it will get to be more
and more of a problem each year. This year, we tried to address it as
strenuously as we could."

Flexilis has specialized in a short-range wireless data technology
known as Bluetooth, which is intended to replace cables over short
distances. Many cellphones now have Bluetooth wireless capability to
permit synchronizing with computers, or to connect to peripherals like
wireless headsets.

Bluetooth is also becoming a standard technology in luxury cars to
permit them to integrate easily with cellphones. And it is
increasingly found in personal computers as a cable replacement for
keyboards, mice and printers.

The Flexilis team said their concern was not with Bluetooth itself,
which contains adequate security protection, but with the way the
technology has been used by many manufacturers. "We're attempting to
raise the level of security in the wireless world to the same standard
that is now expected in the wired world," Mr. Hering said.

Mike Foley, executive director of the Bluetooth Special Interest
Group, an industry association, said that his organization "takes
security very seriously" and that "so far no security holes have been
discovered in the Bluetooth specification itself."

Actors interviewed over the Oscar weekend expressed varying degrees of
concern about their vulnerability.

Sandra Oh, one of the stars of "Sideways," which was directed by her
husband, Alexander Payne, said she rarely used a cellphone. "Who wants
to be that accessible?" she said in an interview Saturday at the
Independent Spirit Awards. "People have so many lines-of-defense phone
numbers so people can't reach them. Alexander has, like, four or
five."

Robin Williams, at the same event, pulled a phone from his inside coat
pocket and deadpanned: "These phones are amazing. They have
everything. Games. Phone book. A vibrator."

Mr. Williams said it was unlikely that an eavesdropper would have much
interest in monitoring his cellphone. "I don't have a lot of numbers
in my phone book," he said. But he added: "It wouldn't be hard for a
hacker to get inside one of these things. You've got to be careful."


Catherine Billey and Matt Richtel contributed reporting for this
article.






This archive was generated by hypermail 2.1.3 : Wed Mar 02 2005 - 10:22:22 PST