T-Mobile Hacker Shows The Downside To The Real-Time Sync
By Mike Masnick, Thu Jan 13 01:00:00 EET 2005

A hacker is getting some attention for using his ability to break into T-Mobile's servers to access celebrity photos and Secret Service documents. While it raises lots of issues, one interesting one is a major downside to real-time syncing.

When Danger Inc. introduced their Hiptop device with T-Mobile (branded as the Sidekick) in the US, it had one feature that was quite interesting but didn't get very much attention (most people were focused on the device, not the service). Everything that a subscriber did on the device would sync in real time with a T-Mobile server. Every bit of data on the device was immediately available on the web as well, assuming there was a working GPRS connection. This worked both ways: a subscriber could log into the web interface and manage content on the device as well.

This has some very useful advantages over manual sync methods. The most obvious, of course, is that the subscriber never has to actually do anything; it all happens automatically. The content on the device is automatically backed up, should the handset break or need to be reset. The web interface also means you can access your data from any Internet-connected computer, even if you don't have the device with you at the moment. For some, it was also easier to enter or modify data this way. Finally, any photos taken with the Sidekick camera were automatically available on the web, without having to send them anywhere. All in all, the benefits were such that it's somewhat surprising that similar real-time web syncing solutions aren't more popular.

However, with the news breaking today that a hacker had a complete list of T-Mobile subscriber info for at least a year, it also demonstrates the downsides to such a system. The hacker in question used the info he had to sign into the accounts of various Sidekick-toting celebrities, where he could get access to the photos they took, as well as their address books and emails. He also logged into the account of a Secret Service agent who was investigating a number of cybercrimes, which leads to the obvious question of why a Secret Service agent would trust his Sidekick to access obviously classified information.

Either way, this should make other Sidekick users somewhat nervous about their privacy. T-Mobile is also getting some heat for not revealing this security compromise to its California-based customers, as required under California law. On a larger scale, however, it should also make other companies looking to offer a similar real-time sync feature think a bit more seriously about security. While this is true of any web-based service, when it involves real-time syncing with a device, most people think only about the security of the device itself and not about the security holes on the web server that holds a copy of everything on it. In fact, it appears that many Sidekick users don't even realize that the real-time syncing occurs, and thus will do nothing to protect their own privacy. It's one thing to have a security hole, but this is a situation where it's a security hole many users didn't even realize was possible, and T-Mobile has done nothing to enlighten those impacted.