Sunday, August 27, 2006

Did Paris Hilton hack Lindsay Lohan's voice mail?

The feud between celebrities Paris Hilton and Lindsay Lohan has taken a turn for the geeky, with a small fake-Caller ID seller accusing Hilton of hacking into voice-mail accounts on an unnamed mobile phone network. Hilton was one of more than 50 customers whose accounts were suspended because they had been using's Caller ID spoofing service to hack into voice-mail accounts, according to Mark Del Bianco,'s attorney. Many of the accounts that were hacked via the spoofing service belonged to well-known celebrities, including Lohan, he said. has not actually accused Hilton of hacking sp
ecifically into Lohan's voice mail. But celebrity gossip sheets, already abuzz with the rivalry between the two divas, jumped on the story. The New York Post reported last month that someone had stolen the password to Lohan's BlackBerry and sent her friends "disgusting and very mean messages that everyone thought were coming from Lindsay." Lohan's representatives hinted that Hilton may have been behind the hack, the Post said. Hilton could not be reached for comment, but her spokesman Elliot Mintz told E! Online that the alleged hacking "just didn't happen" and suggested that someone else may have opened the account in Hilton's name.

Both the Cingular Wireless LLC and T-Mobile USA Inc. telephone networks use Caller ID to identify voice-mail users without requiring passwords. So users on either network could have been vulnerable to the misuse alleged by, said Lance James, chief scientist at security vendor Secure Science Corp. The scandal illustrates how the telephone industry has been affected by inexpensive telephony software, like the open-source Asterisk telephone system. Recently, phishers have been using this software to set up inexpensive phone networks that give their fake e-mails an added air of authenticity, for example. And with less than 10 employees, was able to use Asterisk and Linux to create a line of business that would have been far too expensive just 10 years ago. The fake-Caller ID vendor sells 60-minute calling cards for $10 that let users call a toll-free number and type in whatever Caller ID number they want their call to display.

While maintains that there are legitimate uses for Caller ID spoofing -- allowing remote employees to appear as though they are dialing from their company's phone system, for example -- the latest incident indicates that this technology has created new opportunities for misuse as well. One year ago, U.S. Rep. Tim Murphy (R-Pa.) claimed that he was the victim of someone who used fake Caller ID to leave inappropriate messages that appeared to come from his own office. Earlier this year, the U.S. Federal Communications Commission launched an investigation into Caller ID spoofing sites, but according to James, these voice mail break-ins could be stopped if all mobile carriers simply required passwords. "The fix is on the communications side," he said. "They just need to lock [their voice-mail systems] down like Verizon does."

No comments: