Thursday, June 10, 2010

Should AT&T-iPad 3G security breach worry you?



If you were an early adopter of the 3G-embedded version of the iPad — as in, you bought it on Day One — there's a chance that your e-mail address and your iPad's ICC-ID number were exposed by a group of hackers who exploited a weakness on AT&T's website. How bad is the breach, and should you be worried? Read on.

First, a little background. Gawker broke the news late Wednesday that a group of hackers going by the name of Goatse Security managed to grab the information of more than 114,000 iPad 3G owners — including, as it turns out, such high-profile early adopters as New York City Mayor Michael Bloomberg and maybe even White House Chief of Staff Rahm Emanuel — by exploiting a wonky script on the AT&T website. Basically, by hitting the script with an ICC-ID number (the unique identifier of an iPad 3G's SIM card), the hackers were able to harvest the e-mail address associated with the account, according to Gawker. By methodically firing off one ICC-ID after another, the Goatse Security hackers managed to dredge up the e-mail addresses of one early iPad 3G adopter after another, including the CEOs of the New York Times, Time magazine and Dow Jones, as well as staffers at NASA and the Department of Defense.

Not good, right? Lucky for us, the hackers at Goatse Security seem more interested in revealing security holes than in exploiting them. The group shopped around its findings to a variety of news organizations Sunday, according to Forbes, and Gawker bit. (Gawker, by the way, is owned by Gawker Media, the same company that owns Gizmodo and paid for Gizmodo's iPhone leak. Gawker says it didn't pay for the iPad security breach story.)

In a statement to Gawker, AT&T said it learned of the security hole Monday (from a "business customer," not Goatse Security) and had plugged it by Tuesday (a day before Gawker published its post). "We take customer privacy very seriously, and while we have fixed this problem, we apologize to our customers who were impacted," AT&T said, adding that it would be contacting any and all customers whose e-mail and ICC-ID numbers were exposed. Apple has yet to issue a statement.

So, how did the e-mail addresses and ICC-ID numbers of iPad 3G owners end up on a publicly accessible website? As Matt Buchanan at Gizmodo explains, the problem was a "tiny convenience feature" on the iPad 3G that fills in (or filled in, as of Tuesday) your e-mail address automatically when you're checking your AT&T account from the iPad's Settings menu. Now that AT&T has plugged the security hole, you'll have to tap in your e-mail address every time you want to check the status of your 3G account.

So if your iPad 3G info was exposed, how worried should you be? According to Gawker, the only data that were scooped up by the hackers were e-mail addresses and the ICC-ID numbers associated with them — no phone numbers, street addresses, credit card numbers or any other personal information. The New York Times also checked with some security experts, who note that there's only so much someone could do with your e-mail address — hit you with a phishing attack (you know, a fake message from, say, PayPal, asking for your username and password), or flood your inbox with junk mail.

That said, "in the right hands," your iPad 3G's ICC-ID number could be used to track your iPad's location, one expert told the Times, although another downplayed the threat, noting that an attacker would need "access to very secure databases that are not generally connected to the public Internet."

Still, even if the damage to actual iPad 3G users is relatively limited (we hope), the breach is acutely embarrassing for Apple and especially AT&T, which managed to leave personal information about its customers vulnerable on a public website. The snafu also raises the question: What other AT&T security holes are still out there, waiting to be exposed — or exploited?