AT&T Web site exposes data of 114,000 iPad users
A group of hackers exploited a hole in an AT&T Web site to get e-mail addresses of about 114,000 iPad users, including what appear to be top officials in government, finance, media, technology, and military.
The leak could have affected all iPad 3G subscribers in the U.S., according to Gawker, which broke the story on Wednesday. Among the iPad users who appeared to have been affected were White House Chief of Staff Rahm Emanuel, journalist Diane Sawyer, New York Mayor Michael Bloomberg, movie producer Harvey Weinstein, and New York Times CEO Janet Robinson.
A group that calls itself Goatse Security tricked the AT&T site into disclosing the e-mail addresses by sending HTTP (Hypertext Transfer Protocol) requests that included SIM card serial numbers for iPads, the report said. Because the serial numbers, called ICC-IDs (integrated circuit card identifiers), are generated sequentially, the researchers were able to guess thousands of them and then ran a program that went down the list and extracted the data.
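A defender's view of the enumeration described above, as an added example that is not from the original article or from AT&T: it scans access-log lines for a client that requests many distinct or consecutive ICC-IDs. The log format, the `/lookup` path, the thresholds and all sample values are constructed, and the code assumes the last digit of each ICC-ID is a check digit.

```python
import re
from collections import defaultdict

# Constructed access-log lines: "<client> GET <path>". The /lookup path and the
# iccid parameter are hypothetical, not the real AT&T endpoint.
SAMPLE_LOG = """\
203.0.113.7 GET /lookup?iccid=8900000000000001013
203.0.113.7 GET /lookup?iccid=8900000000000001021
203.0.113.7 GET /lookup?iccid=8900000000000001039
203.0.113.7 GET /lookup?iccid=8900000000000001047
203.0.113.7 GET /lookup?iccid=8900000000000001054
198.51.100.20 GET /lookup?iccid=8900000000000477310
198.51.100.20 GET /lookup?iccid=8900000000000477310
192.0.2.44 GET /lookup?iccid=8900000000000920558
192.0.2.44 GET /index.html
"""

LINE_RE = re.compile(r"^(\S+) GET \S*[?&]iccid=(\d+)")

def parse(log_text):
    """Map each client to the distinct serial bodies it asked about."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            # Assumption: the final digit is a check digit, so sequentially
            # issued serials are consecutive only once it is dropped.
            seen[m.group(1)].add(int(m.group(2)) // 10)
    return seen

def longest_run(ids):
    """Length of the longest chain of consecutive integers in the set."""
    best = 0
    for n in ids:
        if n - 1 not in ids:          # n is the start of a chain
            length = 1
            while n + length in ids:
                length += 1
            best = max(best, length)
    return best

def flag_enumeration(log_text, distinct_limit=4, run_limit=3):
    """Return {client: (distinct_ids, longest_run)} for suspicious clients."""
    flagged = {}
    for client, ids in parse(log_text).items():
        run = longest_run(ids)
        if len(ids) >= distinct_limit or run >= run_limit:
            flagged[client] = (len(ids), run)
    return flagged
```

A subscriber's own device asks about one identifier, repeatedly; a client walking a guessed list shows up as many distinct values, often in consecutive runs.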
AT&T spokesman Mark Siegel confirmed the breach, saying the company turned off the feature that provided e-mail addresses on Tuesday, one day after learning of the problem from someone not affiliated with the hacker group.
“AT&T was informed by a business customer on Monday of the potential exposure of their iPad ICC IDS. The only information that can be derived from the ICC IDS is the e-mail address attached to that device,” he said in a statement.
“We are continuing to investigate and will inform all customers whose e-mail addresses and ICC IDS may have been obtained,” he added. “At this point, there is no evidence that any other customer information was shared.”
Jeffers said the attack could have allowed someone to take control of the iPad and that potentially every 3G iPad subscriber was affected. Although AT&T maintains that only e-mail addresses were compromised, Jeffers said “it will allow someone who does the proper research to possibly target iPad 3G users and take over their iPads, and they could sniff traffic, they could act as the user of the iPad.”
Jeffers also said the group had contacted AT&T and waited until the company fixed the hole before going public with it.
“Now everyone in the world knows these people have iPads, and here’s their serial number and here’s their e-mail address,” said Bill Pennington, chief strategy officer at White Hat Security. “This puts them in a more vulnerable state.”
There is also the possibility that a SIM serial number could be used to get other customer information through this or other vulnerabilities on the AT&T site, he said. And there’s a chance that not only iPad users were put at risk. “I believe this number could identify any 3G device on the AT&T network,” not just iPads, Pennington said.
“Obviously, AT&T is using the ICC-ID as some sort of authentication mechanism,” said Kevin Mahaffey, chief technology officer at mobile security firm Lookout.
We will keep you posted on any updates to this issue as they arise.