One of the hottest security news stories today is that a weakness on AT&T’s website allowed outsiders to grab the email addresses of early adopters of the Apple iPad – at least those who had chosen to subscribe via AT&T.
The news was broken as an “exclusive” by Gawker in a story entitled “Apple’s Worst Security Breach: 114,000 iPad Owners Exposed”.
As my fellow blogger Paul Ducklin points out, it’s Gawker’s lead story right now – alongside continuing coverage of Debrahlee Lorenzana, the so-called “Hottie Banker” who alleges that she was sacked from her job at Citibank because she was too sexily distracting for her male co-workers.
If you can divert yourself away from Debrahlee Lorenzana’s charms for a second to read the Gawker story you’ll find that it has some very scary things indeed to tell you:
"dozens of CEOs, military officials, and top politicians. They - and every other buyer of the cellular-enabled tablet - could be vulnerable to spam marketing and malicious hacking"
"the most exclusive email list on the planet"
"the breach will also likely unnerve customers thinking of buying iPads that connect to AT&T's cellular network"
"One affected individual was William Eldredge, 'who commands the largest operational B-1 [strategic bomber] group in the U.S. Air Force'"
and so it goes on..
Reading on in the report it appears that a group called Goatse (don’t Google it, trust me..) bombarded the AT&T website service with thousands of requests using made-up ICC-ID codes (that’s an internal code used to associate a SIM card with a particular subscriber).
The hacking group deluged the website with so many made-up requests that some were bound to reflect genuine ICC-ID codes, and effectively “stick”. When this happened the website believed them to be a genuine iPad user and revealed the associated email address.
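One way a site operator could spot the pattern described above in its own request logs, as an added example that is not part of the original article. The log layout, thresholds, IP addresses and sample lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log layout (constructed for this example): time, client IP, queried ICC-ID, hit/miss
LINE = re.compile(r"^(\S+) (\S+) iccid=(\d+) result=(hit|miss)$")

def find_enumerators(lines, window=timedelta(minutes=5), max_distinct=20, min_miss_ratio=0.5):
    """Return {client_ip: (distinct_ids, miss_ratio)} for clients that, within a sliding
    window, look up more than max_distinct different ICC-IDs and mostly get misses."""
    recent = defaultdict(deque)   # ip -> deque of (timestamp, iccid, missed)
    flagged = {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue              # ignore lines that do not fit the assumed layout
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
        ip, iccid, missed = m.group(2), m.group(3), m.group(4) == "miss"
        q = recent[ip]
        q.append((ts, iccid, missed))
        while q and ts - q[0][0] > window:
            q.popleft()           # drop lookups that have aged out of the window
        distinct = len({i for _, i, _ in q})
        miss_ratio = sum(1 for _, _, x in q if x) / len(q)
        if distinct > max_distinct and miss_ratio >= min_miss_ratio:
            # keep the worst (largest) window seen for this client
            flagged[ip] = max(flagged.get(ip, (0, 0.0)), (distinct, round(miss_ratio, 2)))
    return flagged

def sample_log():
    """Constructed sample: one client cycling through many ICC-IDs, one ordinary device."""
    start = datetime(2010, 6, 9, 12, 0, 0)
    lines = []
    for n in range(40):   # 198.51.100.23 asks about 40 different IDs in 40 seconds
        t = (start + timedelta(seconds=n)).strftime("%Y-%m-%dT%H:%M:%S")
        result = "hit" if n % 10 == 0 else "miss"
        lines.append(f"{t} 198.51.100.23 iccid={8900000000000000000 + n} result={result}")
    for n in range(3):    # 203.0.113.7 repeatedly asks about its own single ID
        t = (start + timedelta(minutes=n)).strftime("%Y-%m-%dT%H:%M:%S")
        lines.append(f"{t} 203.0.113.7 iccid=8900000000000009999 result=hit")
    return lines

if __name__ == "__main__":
    for ip, (distinct, ratio) in find_enumerators(sample_log()).items():
        print(f"{ip}: {distinct} distinct ICC-IDs, miss ratio {ratio}")
```

A genuine device only ever asks about its own ICC-ID, so the count of distinct identifiers per client is the signal; the miss ratio keeps shared gateways with many real devices from being flagged.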
OK. So I can see how this is embarrassing, and it shouldn’t have happened. But, as Paul Ducklin underlines, it’s just an email address and you reveal your email address every time you send an email.
My guess is that this story is making the headlines mainly because of the iPad angle rather than because of the true level of the threat. Yes, the email addresses shouldn’t have been exposed, and I don’t want to belittle that it was wrong that they were accessible – but as far as we know they have not been revealed to anyone who has the intention of using them for malicious purposes.
Although iPad-related email addresses could be useful for those who wish to specifically target iPad owners with spam or phishing attacks, there’s no serious reason to believe that any actual hacking is likely to take place. After all, it’s not as though any more information about the individuals appears to have been exposed – for instance, there are no passwords, real names, telephone numbers, dates of birth, etc.
Still, it’s embarrassing and bad, and it’s important to fix even if it’s not the end of the world as we know it. Which is why I was pleased to find this statement from AT&T, who claim to have now patched the problem:
"AT&T was informed by a business customer on Monday of the potential exposure of their iPad ICC IDS. The only information that can be derived from the ICC IDS is the e-mail address attached to that device.
This issue was escalated to the highest levels of the company and was corrected by Tuesday; and we have essentially turned off the feature that provided the e-mail addresses.
The person or group who discovered this gap did not contact AT&T.
We are continuing to investigate and will inform all customers whose e-mail addresses and ICC IDS may have been obtained.
We take customer privacy very seriously and while we have fixed this problem, we apologize to our customers who were impacted."
Further reading: Apple’s worst security breach, or a great big hyperbole?.