Black hat hackers have exploited a security flaw on AT&T's web servers which enabled them to obtain email addresses from the SIM card addresses of iPad 3G users. (Updated with statement from AT&T)
The breach, profiled in a report by Gawker, described the event as "another embarrassment" for Apple and outlined a variety of high profile individuals whose email addresses were obtained by automated script attacks on AT&T's web server based on their iPad 3G SIM addresses (ICC ID).
The publication claimed that the identifying information meant that thousands of iPad 3G users "could be vulnerable to spam marketing and malicious hacking," while also pointing out that many users have actually already published their iPad ICC ID numbers in Flickr photos. Presumably, many of them also have public email addresses and therefore already receive spam like the rest of us.
The attack on AT&T's web servers resulted in at least 114,000 iPad 3G users' emails being leaked to the hackers, who were coy about wether or not they were planning to enable others to access the data. The security leak, which returned a user's email address when their ICC-ID was entered via a specially formatted HTTP request, has since been patched.
The group automated requests of the email address information for a wide swath of ICC-ID serial numbers using a script. No other information was discovered.
"No direct security consequences"
The report suggested that having known ICC IDs would leave iPad 3G users vulnerable to remote attacks, citing the attackers involved in the security breach as claiming that "recent holes discovered in the GSM cell phone standard mean that it might be possible to spoof a device on the network or even intercept traffic using the ICC ID."
However, Gawker also talked to telephony security experts who disputed that the ICC ID email breach was a serious issue. It cited Emmanuel Gadaix, a "mobile security consultant and Nokia veteran" who said that while there have been "vulnerabilities in GSM crypto discovered over the years, none of them involve the ICC ID [â¦] as far as I know, there are no vulnerability or exploit methods involving the ICC ID."
The report also noted that Karsten Nohl, a "white hat GSM hacker and University of Virginia computer science PhD," informed them "that while text-message and voice security in mobile phones is weak," the "data connections are typically well encrypted [â¦] the disclosure of the ICC-ID has no direct security consequences."
At the same time, Nohl described AT&T's lapse in publishing the email information as grossly incompetent, saying, "it's horrendous how customer data, specifically e-mail addresses, are negligently leaked by a large telco provider."
Update: AT&T issued the following statement Wednesday regarding the breach:
"This issue was escalated to the highest levels of the company and was corrected by Tuesday. We are continuing to investigate and will inform all customers whose e-mail addresses... may have been obtained."