Free Republic
General/Chat

Apple's Worst Security Breach: 114,000 iPad Owners Exposed
Gawker | 06/09/10

Posted on 06/09/2010 4:02:59 PM PDT by KevinDavis

Apple has suffered another embarrassment. A security breach has exposed iPad owners including dozens of CEOs, military officials, and top politicians. They—and every other buyer of the cellular-enabled tablet—could be vulnerable to spam marketing and malicious hacking.

The breach, which comes just weeks after an Apple employee lost an iPhone prototype in a bar, exposed the most exclusive email list on the planet, a collection of early-adopter iPad 3G subscribers that includes thousands of A-listers in finance, politics and media, from New York Times Co. CEO Janet Robinson to Diane Sawyer of ABC News to film mogul Harvey Weinstein to Mayor Michael Bloomberg. It even appears that White House Chief of Staff Rahm Emanuel's information was compromised.

(Excerpt) Read more at gawker.com ...


TOPICS: Business/Economy; Miscellaneous
KEYWORDS: apple; att; ipad; mac
To: for-q-clinton
You were saying ...

Don’t tell the Macbots about this...they will somehow find a way to blame Microsoft.

Well..., I think when someone finishes reading the article that they'll find a way to blame AT&T ... :-)

41 posted on 06/09/2010 8:58:40 PM PDT by Star Traveler (Remember to keep the Messiah of Israel in the One-World Government that we look forward to coming)
[ Post Reply | Private Reply | To 4 | View Replies]

To: dayglored
So I find it quite dismaying, how many FReepers are so blinded by their hatred of all things Apple, that they conflate Apple's business responsibility for the website breach, with the technical robustness of their products (that robustness is what lends OS-X its reputation for difficulty of hacking).

Computers are inanimate objects. They do not cultivate animosity. Something else is doing that.

42 posted on 06/09/2010 9:02:17 PM PDT by tacticalogic ("Oh bother!" said Pooh, as he chambered his last round.)
[ Post Reply | Private Reply | To 28 | View Replies]

To: KevinDavis; for-q-clinton; All
You were saying ...

I know what you mean.. So much for Apple being hack proof...

LOL ... who said Apple ran AT&T's cell phone network? ... :-) It would be like me blaming Apple for a security breach, since I use an Apple computer on Free Republic -- and Free Republic got "hacked into" and my information with Free Republic got exposed ...

So, what do I do? Well, of course, I blame Apple for Free Republic getting hacked ... LOL ...



AT&T closed the security hole in recent days, but the victims have been unaware, until now. For a device that has been shipping for barely two months, and in its cellular configuration for barely one, the compromise is a rattling development. The slip up appears to be AT&T's fault at the moment, and it will complicate the company's already fraught relationship with Apple.

43 posted on 06/09/2010 9:03:44 PM PDT by Star Traveler (Remember to keep the Messiah of Israel in the One-World Government that we look forward to coming)
[ Post Reply | Private Reply | To 7 | View Replies]

To: KoRn; KevinDavis; ShadowAce; Swordmaker
You were saying ...

As one would expect, not many details given.

By reading the article, it sounds like the breach could have just as easily been on the ATT side of things. By proclaiming it to be an ‘Apple Exploit’, it makes for better reading.

Well, enough details were given for me to know it was an AT&T problem. I mean, if it was an "Apple problem" -- then why is "AT&T fixing it"? ... LOL ...



AT&T closed the security hole in recent days, but the victims have been unaware, until now. For a device that has been shipping for barely two months, and in its cellular configuration for barely one, the compromise is a rattling development. The slip up appears to be AT&T's fault at the moment, and it will complicate the company's already fraught relationship with Apple.

44 posted on 06/09/2010 9:07:13 PM PDT by Star Traveler (Remember to keep the Messiah of Israel in the One-World Government that we look forward to coming)
[ Post Reply | Private Reply | To 17 | View Replies]

To: CodeToad; doc11355
You were saying ...

Just that, seems. Those of us in the security world know better.

Yeah, you're right ... they "know" that Windows is a security nightmare ... LOL ...

45 posted on 06/09/2010 9:10:08 PM PDT by Star Traveler (Remember to keep the Messiah of Israel in the One-World Government that we look forward to coming)
[ Post Reply | Private Reply | To 25 | View Replies]

To: for-q-clinton
Don’t tell the Macbots about this...they will somehow find a way to blame Microsoft.

The blame is not Apple's or Microsoft's... it's AT&T's. They made an error.

46 posted on 06/09/2010 9:14:57 PM PDT by Swordmaker (Remember, the proper pronunciation of IE isAAAAIIIIIEEEEEEE!Apple could simply require that any iPho)
[ Post Reply | Private Reply | To 4 | View Replies]

To: for-q-clinton
And for those saying Apple didn't cause it...ATT did. From the article:

" Although the security vulnerability was confined to AT&T servers, Apple bears responsibility for ensuring the privacy of its users, who must provide the company with their email addresses to activate their iPads. This is particularly the case given that U.S. iPad 3G customers have no choice in mobile carriers — AT&T has an exclusive lock, at least for now. Given the lock-in and the tight coupling of the iPad with AT&T's cellular data network, Apple has a pronounced responsibility to patrol the network vendors it chooses to align and share customer data with.

Oh, BS, for-q-Clinton, Gawker's opinion is just that... opinion... and a biased one at that, considering Gawker is the owner of the Blog involved in a criminal and civil battle with Apple over its purchase of the found/stolen iPhone prototype.

47 posted on 06/09/2010 9:20:34 PM PDT by Swordmaker (Remember, the proper pronunciation of IE isAAAAIIIIIEEEEEEE!Apple could simply require that any iPho)
[ Post Reply | Private Reply | To 9 | View Replies]

To: rlmorel
Many Mac users have never, ever, in years of use suffered a virus or malware. Those of us who know about these things know they are out there, we know they exist, and we know they could infect a Mac, but...who could blame those ignorant Mac users for thinking they are invulnerable? Most have never purchased virus protection. (I use a Mac among other things, and purchased virus protection at some time, but ended up throwing it away.)

Please provide us with the names of the Mac OS X Viruses, the self-replicating, self-transmitting, self-installing viruses that infect OS X Macs IN THE WILD that are out there... the ones YOU KNOW ARE OUT THERE... please, we really want to know.

And, please, show us the Mac users who claim Macs are "hack proof." I have never seen them... just Windows fanboys claiming Mac users say it. Just before they attempt to shoot it down... a favorite straw man argument they use in anti-Mac diatribes.

Of course, ALL it takes is one viable Mac self-replicating, self-transmitting, self-installing Mac OS X virus in New England to demonstrate the point... but then one has yet to surface in almost 11 years of exposure of now almost 60 million OS X Macs... so when do you think one will appear???

48 posted on 06/09/2010 9:29:29 PM PDT by Swordmaker (Remember, the proper pronunciation of IE isAAAAIIIIIEEEEEEE!Apple could simply require that any iPho)
[ Post Reply | Private Reply | To 14 | View Replies]

To: KevinDavis

AT&T is the party guilty of the screw-up. Naturally, since Apple is the company the press love to poke fun at, the headline is twisted around.


49 posted on 06/09/2010 9:30:00 PM PDT by TheStickman
[ Post Reply | Private Reply | To 1 | View Replies]

To: rlmorel

By the way, rlmorel, I am agreeing with you...


50 posted on 06/09/2010 9:30:30 PM PDT by Swordmaker (Remember, the proper pronunciation of IE isAAAAIIIIIEEEEEEE!Apple could simply require that any iPho)
[ Post Reply | Private Reply | To 13 | View Replies]

To: rlmorel

Feel free to tell all hackers to attack my macs. I have a 2009 Mini and a 2007 macbook. Both stay connected to the net 24/7. When someone breaks into my machine I will happily acknowledge it here on FR with links to pictures to prove they did it.

Good luck with that, btw :)


51 posted on 06/09/2010 9:34:52 PM PDT by TheStickman
[ Post Reply | Private Reply | To 14 | View Replies]

To: Swordmaker
The blame is not Apple's or Microsoft's... it's AT&T's. They made an error.

Before I concluded that, I would want to know who wrote the web service that did the lookup with the iPad ID and returned the email address, and whether the call to the web service from the iPad had any security associated with it. It may be the call was a good one but the web service ignored a parameter which would have told them they were being called from an iPad (sounds like they depended on some wrapper and no encrypted key).

ATT has shut off the web service, which means the iPad call no longer returns the address, but somewhere the call to the web service and the service itself should have been more secure.

I imagine both companies are looking into what caused the call to not be secure (which end or both).

52 posted on 06/09/2010 9:38:48 PM PDT by microgood
[ Post Reply | Private Reply | To 46 | View Replies]

To: rlmorel

“You and I both know that any computer hooked up to a network and not maintained by someone who is highly knowledgeable and proficient at what they do, can be rendered useless by someone who knows what they are doing regardless of the platform.”

Yep, which is why I don’t go running to Apple for servers when Windows-based servers do just fine. Most hacks don’t even go after the servers, they go after the routers and switches in DoS attacks.


53 posted on 06/09/2010 9:41:45 PM PDT by CodeToad
[ Post Reply | Private Reply | To 29 | View Replies]

To: Star Traveler

That’s EXACTLY my point!

My question was WHY does the headline call it Apple’s security breach, when it was CLEARLY ATT’s security breach?


54 posted on 06/09/2010 10:06:04 PM PDT by KoRn (Department of Homeland Security, Certified - "Right Wing Extremist")
[ Post Reply | Private Reply | To 44 | View Replies]

To: tacticalogic
> Computers are inanimate objects. They do not cultivate animosity. Something else is doing that.

Apple draws fire for a few reasons.

1. They make technically superior products in certain regards, especially security, using good design practices, and by leveraging proven robust technologies (e.g. BSD Unix). This triggers envy in the rest of the tech world, who react by trashing Apple.

2. Their products, and their corporate culture, are much "cooler" than Microsoft's, or Sun's, or Linux's, or anyone else's. This triggers insecurities in the rest of the tech world, who react by trashing Apple.

3. They're making great margins and selling products in markets that Microsoft and the rest can't seem to get traction in. This triggers fear in the rest of the tech world, who react by trashing Apple.

4. Steve Jobs is acknowledged as the most successful CEO in the tech world, despite his being personally difficult and in some ways very off-putting. He dresses, talks, acts, and manages differently. The differences trigger cognitive dissonance in the rest of the tech world, who react by trashing Apple.

...

55 posted on 06/09/2010 10:16:39 PM PDT by dayglored (Listen, strange women lying in ponds distributing swords is no basis for a system of government!)
[ Post Reply | Private Reply | To 42 | View Replies]

To: KevinDavis
Gizmodo apparently is not holding a grudge. They have just posted this article that sets the record somewhat straight:


The Little Feature That Led to AT&T's iPad Security Breach

The second question about the AT&T iPad security breach, after "Should I be freaking out?" is "How the hell did it happen?" Well, AT&T was just trying to make your life easier.

You probably know the basics at this point. Goatse Security, clever rascals that they are, wrote a script that harvested iPad 3G owners' ICC-IDs and email addresses by exploiting a security hole in an AT&T website. (An ICC-ID, again, is an integrated circuit card identifier and it's used to identify the SIM cards that associate a mobile device with a particular subscriber.)

I asked AT&T's chief security officer Ed Amoroso how GoatSec were able to snag that info from at least 114,000 subscribers. Turns out, it's from a tiny convenience feature you probably never noticed. When you sign up for 3G service on iPad, AT&T looks at the SIM serial number, which Amoroso says "is not a secret, like the serial number on the dishwasher," and asks for an email address you'd like to be contacted at. When you access the AT&T website to check your data account from your iPad (Settings -> Cellular Data -> View Account), it pre-populates your email address using the ICC-ID, so you don't have to type the email address every single time, but just your password.

That's the feature GoatSec exploited, using a script that Amoroso describes as a "brute force attack," trying ICC-IDs as part of an HTTP request until they gave up an email address. And it's why the damage really does appear to be limited to iPads' ICC-IDs and the email addresses associated with them. How many accounts were exposed, precisely, is still an open question, since AT&T is "doing the forensics as we speak" and until they're completed, there's "no way of validating the number of addresses," says Amoroso. Because Goatse didn't follow a "responsible disclosure process," says Amoroso, AT&T's had to do their own detective work. AT&T will be contacting each and every customer affected, and "shed some more light" on the issue once they're done with the investigation.

AT&T has already turned off the feature. If you go to your iPad's 3G account settings, you'll notice your email is no longer already completed, so you have to type the whole thing out. I hope you don't have a terribly long email address.

What about the future, though? Could it happen again? Well, Amoroso says "as we innovate on the provisioning process, reinventing the way we provision service, there will be growing problems," and "you can probably think of a lot of features because the community went through some sort of security issue that required some hardening." So: maybe. It's the classic tradeoff between convenience and privacy.

The entire episode is a bit ironic in the context of a talk AT&T CEO Randall Stephenson gave at an IBM conference yesterday that was focused heavily on privacy and security: "If you lose the customers' confidence once on a privacy...it would be a hard issue to recover from." I guess we'll see.

56 posted on 06/09/2010 10:17:26 PM PDT by Swordmaker (Remember, the proper pronunciation of IE isAAAAIIIIIEEEEEEE!Apple could simply require that any iPho)
[ Post Reply | Private Reply | To 1 | View Replies]
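The Gizmodo piece quoted above, and microgood's earlier question about how the lookup web service was secured, both come down to one design flaw: an HTTP endpoint that returned a subscriber's e-mail address keyed on nothing but the ICC-ID, a number that is printed on the SIM and is not a secret. The block below is an added illustration written for this thread; it is not AT&T's code, not Apple's, and not taken from either article. It models the pre-fill lookup as described, puts a hardened version beside it (release the address only to a session that has already authenticated as that subscriber, which is my assumed fix, not what AT&T actually deployed), and runs a simple enumeration detector over constructed web-server log lines. All ICC-IDs, addresses, IPs and the log format are constructed for the example.

```python
"""ICC-ID -> e-mail pre-fill lookup: the flawed design beside a hardened one,
plus log-based detection of ICC-ID enumeration. Added example; all data is constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed subscriber table. Real ICC-IDs are sequential and printed on the
# SIM, which is exactly why they cannot serve as an authentication secret.
SUBSCRIBERS: Dict[str, str] = {
    "89014104243000000001": "alice@example.com",
    "89014104243000000002": "bob@example.com",
    "89014104243000000003": "carol@example.com",
}


def prefill_email_vulnerable(icc_id: str) -> Optional[str]:
    """The convenience feature as the article describes it: any caller that
    supplies an ICC-ID in the request gets the matching address back.
    Nothing proves the caller is the subscriber, so the table is enumerable."""
    return SUBSCRIBERS.get(icc_id)


class AuthError(Exception):
    """Raised when account data is requested without a matching authenticated session."""


@dataclass
class Session:
    icc_id: str          # subscriber this session was authenticated for (assumed design)
    authenticated: bool  # True only after the password step has succeeded


def prefill_email_hardened(session: Optional[Session], icc_id: str) -> str:
    """Hardened form (assumption, not AT&T's actual fix): the address is shown
    only after the password step, and only for the subscriber who logged in.
    Knowing an ICC-ID by itself then yields nothing."""
    if session is None or not session.authenticated:
        raise AuthError("login required before account data is shown")
    if session.icc_id != icc_id:
        # A valid session for subscriber A must never read subscriber B's record.
        raise AuthError("ICC-ID does not match the authenticated subscriber")
    return SUBSCRIBERS[icc_id]


# Constructed access-log format: "<timestamp> <client-ip> GET /account?iccid=<id> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) GET /account\?iccid=(\d+) (\d{3})$")


def detect_enumeration(log_lines: Iterable[str], max_distinct: int = 5) -> Dict[str, Tuple[int, int]]:
    """Flag clients that queried more than `max_distinct` different ICC-IDs.

    A legitimate iPad only ever asks about its own SIM, so a client touching
    many IDs (and usually collecting many 404s along the way) is enumerating.
    Returns {client_ip: (distinct_ids_requested, non_200_responses)}."""
    ids_per_client: Dict[str, Set[str]] = defaultdict(set)
    misses_per_client: Dict[str, int] = defaultdict(int)
    for line in log_lines:
        match = LOG_RE.match(line)
        if match is None:          # skip lines that are not account lookups
            continue
        _ts, client_ip, icc_id, status = match.groups()
        ids_per_client[client_ip].add(icc_id)
        if status != "200":
            misses_per_client[client_ip] += 1
    return {
        ip: (len(ids), misses_per_client[ip])
        for ip, ids in ids_per_client.items()
        if len(ids) > max_distinct
    }


# Constructed sample log: one normal subscriber re-checking its own account,
# and one client walking through sequential ICC-IDs.
SAMPLE_LOG: List[str] = [
    "2010-06-07T10:00:01Z 203.0.113.7 GET /account?iccid=89014104243000000001 200",
    "2010-06-07T10:05:12Z 203.0.113.7 GET /account?iccid=89014104243000000001 200",
    "2010-06-07T10:00:02Z 198.51.100.9 GET /account?iccid=89014104243000000001 200",
    "2010-06-07T10:00:02Z 198.51.100.9 GET /account?iccid=89014104243000000002 200",
    "2010-06-07T10:00:03Z 198.51.100.9 GET /account?iccid=89014104243000000003 200",
    "2010-06-07T10:00:03Z 198.51.100.9 GET /account?iccid=89014104243000000004 404",
    "2010-06-07T10:00:04Z 198.51.100.9 GET /account?iccid=89014104243000000005 404",
    "2010-06-07T10:00:04Z 198.51.100.9 GET /account?iccid=89014104243000000006 404",
    "2010-06-07T10:00:05Z 198.51.100.9 GET /account?iccid=89014104243000000007 404",
    "2010-06-07T10:00:05Z 198.51.100.9 GET /account?iccid=89014104243000000008 404",
    "2010-06-07T10:00:06Z - health-check line that is not an account lookup",
]

if __name__ == "__main__":
    print("vulnerable lookup, no login:", prefill_email_vulnerable("89014104243000000002"))
    try:
        prefill_email_hardened(None, "89014104243000000002")
    except AuthError as err:
        print("hardened lookup, no login:", err)
    print("flagged clients:", detect_enumeration(SAMPLE_LOG))
```

The point the detector makes is the one Amoroso's "brute force" description implies: because the vulnerable endpoint answers for any ICC-ID, the only signal left to the defender is volume and spread of identifiers per client, which a threshold like this surfaces even before the feature is turned off. The hardened lookup removes the problem at the design level, since the address is never tied to the identifier alone.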

To: KoRn; Star Traveler
> My question was WHY does the headline call it Apple’s security breach, when it was CLEARLY ATT’s security breach?

Because Gawker is owned by Gizmodo, who has a bone to pick with Apple. And "Apple Security Breach" in a headline is a guaranteed read for any tech press.

57 posted on 06/09/2010 10:18:43 PM PDT by dayglored (Listen, strange women lying in ponds distributing swords is no basis for a system of government!)
[ Post Reply | Private Reply | To 54 | View Replies]

To: dayglored

You got that right ... :-)


58 posted on 06/09/2010 10:22:17 PM PDT by Star Traveler (Remember to keep the Messiah of Israel in the One-World Government that we look forward to coming)
[ Post Reply | Private Reply | To 57 | View Replies]

To: dayglored
""Apple Security Breach" in a headline is a guaranteed read for any tech press."

That was ALSO another point I made, yet for whatever reason, I caught some hell for it. The damn day is only one day old, and it's already off to a bad start! lol

I've already reached my tolerance for BS tonight/this morning. I get a call about an hour ago from one of my co-workers. There was some sort of error a user was getting (some .NET runtime error or some such thing). My co-worker made the mistake of mentioning to the app support person that the server is virtualized. Suddenly, some form of superstition kicks in, and the fact it's a VM is the problem, regardless of the fact the server has been running fine like that for MONTHS, and they supposedly support VMs. As if the server has a soul, or some form of consciousness, and says.. "Noooo I can't be VM'd... put me back into my body!!!!". Were people superstitiously 'afraid' of RAID5 like this when it first caught on? How long does it take before people aren't stupid about it? /rant off

59 posted on 06/09/2010 10:36:56 PM PDT by KoRn (Department of Homeland Security, Certified - "Right Wing Extremist")
[ Post Reply | Private Reply | To 57 | View Replies]

To: Signalman
... for years I’ve been hearing for a long time ...

Huh?

60 posted on 06/09/2010 10:54:37 PM PDT by Mind-numbed Robot (Not all that needs to be done needs to be done by the government)
[ Post Reply | Private Reply | To 8 | View Replies]
