Apple's worst security breach, or a great big hyperbole?

Filed Under: Apple, Privacy, Vulnerability

According to aptly-named shock-gossip site gawker.com, Apple has just suffered its worst security breach. Alongside a headlined article entitled "Hottie Banker's Boob Implant Video: 'I Want to Be Tits on a Stick'", you can read how this "worst security breach" involves "114,000 iPad Owners Exposed".

The article goes on to suggest that "White House Chief of Staff Rahm Emanuel's information was compromised", and offers the opinion that "we believe 114,000 user accounts have been compromised, although it's possible that confidential information about every iPad 3G owner in the U.S. has been exposed."

Wiser minds – in this case, fellow Sophos technoblogger Chet Wisniewski, in a briefing he just gave me – have a much more circumspect view.

Apparently, the breach was the result of a web application vulnerability on an AT&T site. This allowed a malcontent to guess at an AT&T SIM card identifier (the so-called ICC-ID) and – if the ICC-ID was issued to an iPad – to use it to retrieve the email address of the iTunes account associated with the device.

This is not good. Flawed web applications which allow data leakage are wrong, and need to be fixed. (Apparently AT&T did just this. This bug can no longer be exploited.) Email addresses do constitute personally identifiable information, and deserve to be treated with the same deference as information you don't routinely use on the open internet, such as your home address.

But your email address is revealed on the internet every time you use it to send email. It appears in the MAIL FROM: part of the SMTP envelope in which your message is transmitted, and in the header section of the DATA part of the SMTP conversation. The email client you are using may be revealed in the headers too, which often strongly suggests what hardware you sent it from. You can suppress or spoof your email address, of course. But expect to be blocked by spam filters if you do, and don't expect any replies.

So this story is a great big hyperbole, and misleading to boot.

Firstly, though Apple are inextricably involved in the issue, since they chose to partner with AT&T for iPad SIMs, the security breach is not inside Apple itself, or in the iPad.

Secondly, the claim that confidential information about every US iPad owner may have been exposed is sensationalistic, since it is unlikely, yet time-wastingly hard to disprove.

Thirdly, email addresses are revealed publicly whenever they are used, so whilst this breach is serious for having occurred, there does not seem to be any national security risk arising as a result, whether White House staffers were involved or not.

Fourthly, the self-styled "hackers" who recovered the data claim to have done so by deliberately and repeatedly triggering the AT&T website bug in order to retrieve data they knew they ought not to be seeing. Repeatedly, it seems, to the tune of 114,000 times. If so, that makes them cybercriminals, not hackers.

The problem with overblown shock-gossip security news like this is exactly the problem posed by The Boy Who Cried Wolf. It gives the security industry a bad name, and makes readers sceptical when issues of genuine concern arise.

This is not TEOTWAWKI [*].

Yours sincerely,

VORIWOGOM [†].

*: TEOTWAWKI. The end of the world as we know it. [tay-oh-twow'-key].

†: VORIWOGOM. Voice of reason in world gone mad. [vorry-wogg'-um].

, , , , , , , , , ,

You might like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog