Prince McLeanThe breach, profiled in a report by Gawker, described the event as "another embarrassment" for Apple and outlined a variety of high profile individuals whose email addresses were obtained by automated script attacks on AT&T's web server based on their iPad 3G SIM addresses (ICC ID).
The publication claimed that the identifying information meant that thousands of iPad 3G users "could be vulnerable to spam marketing and malicious hacking," while also pointing out that many users have actually already published their iPad ICC ID numbers in Flickr photos. Presumably, many of them also have public email addresses and therefore already receive spam like the rest of us.
The attack on AT&T's web servers resulted in at least 114,000 iPad 3G users' emails being leaked to the hackers, who were coy about wether or not they were planning to enable others to access the data. The security leak, which returned a user's email address when their ICC-ID was entered via a specially formatted HTTP request, has since been patched.
The group automated requests of the email address information for a wide swath of ICC-ID serial numbers using a script. No other information was discovered.
"No direct security consequences"
The report suggested that having known ICC IDs would leave iPad 3G users vulnerable to remote attacks, citing the attackers involved in the security breach as claiming that "recent holes discovered in the GSM cell phone standard mean that it might be possible to spoof a device on the network or even intercept traffic using the ICC ID."
However, Gawker also talked to telephony security experts who disputed that the ICC ID email breach was a serious issue. It cited Emmanuel Gadaix, a "mobile security consultant and Nokia veteran" who said that while there have been "vulnerabilities in GSM crypto discovered over the years, none of them involve the ICC ID […] as far as I know, there are no vulnerability or exploit methods involving the ICC ID."
The report also noted that Karsten Nohl, a "white hat GSM hacker and University of Virginia computer science PhD," informed them "that while text-message and voice security in mobile phones is weak," the "data connections are typically well encrypted […] the disclosure of the ICC-ID has no direct security consequences."
At the same time, Nohl described AT&T's lapse in publishing the email information as grossly incompetent, saying, "it's horrendous how customer data, specifically e-mail addresses, are negligently leaked by a large telco provider."
Update: AT&T issued the following statement Wednesday regarding the breach:
"This issue was escalated to the highest levels of the company and was corrected by Tuesday. We are continuing to investigate and will inform all customers whose e-mail addresses... may have been obtained."
Charles Martin
Marko Zivkovic
Wesley Hilliard
Andrew Orr
Malcolm Owen
David Schloss
81 Comments
Saw this on Drudge first. Well done, AT&T....you suck. Get off the stage, ho!
I read the Gawker article and nowhere in there does it indicate that Apple did anything wrong. This all seems to be AT&T's security breach. Why did Gawker implicate Apple in the title? First, the generate clicks and second, they are still pissed that Apple is pissed at them for calling the cops on them for the whole iPhone 4 brouhaha.
Whatever journalistic integrity that Gawker had left (and that was very little), you'd think they'd get a headline right. Sadly, they don't have the integrity to even get that right.
So I wonder how long it will be before I can collect my two Dollars of settlement money for this.
AT&T is not making any friends!
I read the Gawker article and nowhere in there does it indicate that Apple did anything wrong.
Because they know they are going to lose the farm so they might as well try and do as much damage to Apple as possible.
I would enjoy getting back to how much AT&T sucks. Thank you.