A group of hackers exploited a hole in an AT&T Web site to get e-mail addresses of about 114,000 iPad users, including what appear to be top officials in government, finance, media, technology, and the military.
The leak could have affected all iPad 3G subscribers in the U.S., according to Gawker, which broke the story on Wednesday. Among the iPad users who appeared to have been affected were White House Chief of Staff Rahm Emanuel, Diane Sawyer, New York Mayor Michael Bloomberg, movie producer Harvey Weinstein, and New York Times CEO Janet Robinson.
A group that calls itself Goatse Security tricked the AT&T site into disclosing the e-mail addresses by sending HTTP (Hypertext Transfer Protocol) requests that included SIM card serial numbers for iPads, the report said. Because the serial numbers, called ICC-IDs (integrated circuit card identifiers), are generated sequentially, the researchers were able to guess thousands of them and then ran a program that walked down the list and extracted the data for each one.
AT&T spokesman Mark Siegel confirmed the breach to CNET, saying the company turned off the feature that provided e-mail addresses on Tuesday, one day after learning of the problem from someone not affiliated with the hacker group.
"AT&T was informed by a business customer on Monday of the potential exposure of their iPad ICC IDS. The only information that can be derived from the ICC IDS is the e-mail address attached to that device," he said in a statement.
"We are continuing to investigate and will inform all customers whose e-mail addresses and ICC IDS may have been obtained," he said. "At this point, there is no evidence that any other customer information was shared." Representatives from Goatse Security did not respond to an e-mail or phone call seeking comment, but Goatse analyst Jim Jeffers gave an interview to CNET blogger Larry Magid. The group, whose name references an Internet shock Web site, looks for security holes in software, including browsers.
Representatives from Apple did not respond to a request for comment. The problem is solely related to security on AT&T's Web site and not Apple's tablet, security experts stressed.
Meanwhile, the type of weakness discovered in the AT&T site is fairly common, they said.
"It is an authentication error to not require user authentication before returning private data," said Chris Wysopal, chief technology officer at Veracode. "This is the type of vulnerability that would be found with a very basic Web application assessment. Apple should require its service providers to show proof of an assessment of its Web apps if sensitive Apple customer data is stored there."
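The two points made above, the enumeration of sequential ICC-IDs and the missing authentication check, can be shown side by side in a small worked example. The code below is an added illustration, not AT&T's code or anything from the article: it assumes a hypothetical endpoint `/device/email?iccid=...`, a made-up account table and session table, and constructed access-log lines. The first part contrasts a lookup keyed only on the ICC-ID with a hardened version that requires a session and an ownership check, answering "not found" and "not yours" identically so the endpoint cannot confirm which identifiers exist. The second part is the server-side check a defender would run over access logs to flag a client walking a consecutive identifier range.

```python
"""Defender-side illustration of an unauthenticated identifier lookup and of
detecting sequential enumeration against it.

All values below are constructed for the example: the endpoint path, the
ICC-IDs, the e-mail addresses, the session tokens and the log lines are
assumptions, not real data.
"""
from collections import defaultdict
import re

# Constructed account table: ICC-ID -> (account id, e-mail address).
ACCOUNTS = {
    "89014100000000000001": ("acct-1", "alice@example.com"),
    "89014100000000000002": ("acct-2", "bob@example.com"),
    "89014100000000000003": ("acct-3", "carol@example.com"),
}
# Constructed session table: session token -> account id.
SESSIONS = {"tok-alice": "acct-1", "tok-bob": "acct-2"}


def lookup_email_vulnerable(iccid):
    """The pattern the article describes: the ICC-ID alone unlocks the record."""
    entry = ACCOUNTS.get(iccid)
    return entry[1] if entry else None


def lookup_email_hardened(session_token, iccid):
    """Require an authenticated session, then check the device belongs to it.

    Unauthenticated, unknown-ICC-ID and not-owned cases all return None, so
    the response does not reveal whether a given ICC-ID exists.
    """
    account = SESSIONS.get(session_token)
    if account is None:
        return None
    entry = ACCOUNTS.get(iccid)
    if entry is None or entry[0] != account:
        return None
    return entry[1]


# Constructed access-log lines (Common Log Format style) for the hypothetical endpoint.
LOG_LINES = [
    '203.0.113.5 - - [09/Jun/2010:10:00:01 +0000] "GET /device/email?iccid=89014100000000000001 HTTP/1.1" 200 41',
    '203.0.113.5 - - [09/Jun/2010:10:00:02 +0000] "GET /device/email?iccid=89014100000000000002 HTTP/1.1" 200 39',
    '203.0.113.5 - - [09/Jun/2010:10:00:03 +0000] "GET /device/email?iccid=89014100000000000003 HTTP/1.1" 200 43',
    '203.0.113.5 - - [09/Jun/2010:10:00:04 +0000] "GET /device/email?iccid=89014100000000000004 HTTP/1.1" 404 0',
    '203.0.113.5 - - [09/Jun/2010:10:00:05 +0000] "GET /device/email?iccid=89014100000000000005 HTTP/1.1" 404 0',
    '198.51.100.7 - - [09/Jun/2010:10:00:06 +0000] "GET /device/email?iccid=89014100000000000002 HTTP/1.1" 200 39',
]
# Captures the client address, the requested ICC-ID and the status code.
LOG_RE = re.compile(r'^(\S+) .*?"GET /device/email\?iccid=(\d+) HTTP/1\.[01]" (\d{3})')


def longest_sequential_run(ids):
    """Length of the longest run of consecutive values (step exactly +1), in request order."""
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def flag_enumerators(lines, min_run=3):
    """Return {client_ip: run_length} for clients whose requested ICC-IDs form
    a consecutive run of at least min_run, which is what walking a
    sequentially assigned identifier space looks like from the server side."""
    per_client = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            per_client[m.group(1)].append(int(m.group(2)))
    return {ip: longest_sequential_run(ids)
            for ip, ids in per_client.items()
            if longest_sequential_run(ids) >= min_run}


if __name__ == "__main__":
    print(lookup_email_vulnerable("89014100000000000002"))            # bob@example.com, no session needed
    print(lookup_email_hardened("tok-alice", "89014100000000000002"))  # None: Alice does not own that device
    print(lookup_email_hardened("tok-bob", "89014100000000000002"))    # bob@example.com
    print(flag_enumerators(LOG_LINES))                                  # {'203.0.113.5': 5}
```

Note that the 404 responses for the two unassigned ICC-IDs still count toward the run: an enumerator does not need every guess to hit, and a detector that only looks at successful responses would undercount the sweep. In a real deployment the same check would be paired with rate limiting on the endpoint, but the ownership check in `lookup_email_hardened` is the fix that removes the weakness itself.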
Neither e-mail addresses nor SIM serial numbers are considered to be sensitive information, experts said.
"Doesn't seem like a huge deal to me," said Charlie Miller of Independent Security Evaluators. "It's not like peoples' Social Security or credit card numbers were compromised."
But try telling that to Rahm Emanuel or any of the officials in the Defense Department, federal court system, or Goldman Sachs whose e-mail addresses could be targeted for phishing and other attacks.
"Now everyone in the world knows these people have iPads, and here's their serial number and here's their e-mail address," said Bill Pennington, chief strategy officer at White Hat Security. "This puts them in a more vulnerable state."
There is also the possibility that a SIM serial number could be used to get other customer information through this or other vulnerabilities on the AT&T site, he said. And there's a chance that it's not just iPad users who were at risk. "I believe this number could identify any 3G device on the AT&T network," not just iPads, Pennington said.
"Obviously, AT&T is using the ICC-ID as some sort of authentication mechanism," said Kevin Mahaffey, chief technology officer at mobile security firm Lookout. "The question is in the back-end are there other systems that are using the number as an identifier for other things? There is a trend to use identifiers associated with devices as a way to trigger billing or interact with the account. There is some trust associated with these numbers."
According to Gawker, Goatse Security shared the exploit it wrote for the AT&T site with others. But Pennington said it seemed like the hackers were more interested in shaming AT&T over lax security than making money off the situation.
"I don't think the data would have a lot of value in the underground," Pennington said. "I think their primary motivation is shame and guilt."