Thousands of Apple iPad owners' information leaked


Date Reported:
6/9/10

Organization:
Apple Inc.

Contractor/Consultant/Branch:
AT&T

Location:
Unknown/Online

Victims:
Apple/AT&T iPad 3G subscribers

Number Affected:
114,067*

*The actual number may be much higher

Types of Data:
"subscribers' email addresses, coupled with an associated ID used to authenticate the subscriber on AT&T's network, known as the ICC-ID"

Breach Description:
"A security breach has exposed 114,000 email addresses and ICC-IDs of various Apple iPad owners, including some big names, AT&T has acknowledged."

Reference URL:
Gawker
Telegraph.co.uk
PCMag.com

Report Credit:
Ryan Tate, Gawker

Response:
From the online sources cited above:

Gawker.com received a tip from Goatse Security (Savvy Web denizens will know what that name implies, and shy away from Googling it) which provided the data from the alleged leak, as well as the culprit: AT&T.
[Evan] It is a good idea that you not go to the web site, especially from work (you might get in trouble).

Goatse told Gawker that it was able to obtain the emails via a script on the AT&T Web site, which returned the email when the ICC-ID was entered as part of a script address.

The ICC-ID refers to the unique ID assigned to each SIM card. iPad owners exposed in the breach include Harvey Weinstein and Michael Bloomberg.
[Evan] If you check out the Gawker story, there is detail on some of the high profile iPad owners involved.

AT&T also acknowledged the breach, apologizing, and saying that it would notify customers. AT&T said it learned of the problem on Monday and has since corrected the flaw, Reuters reported.

"This issue was escalated to the highest levels of the company and was corrected by Tuesday; and we have essentially turned off the feature that provided the email addresses," spokesman Mark Siegel said in an email statement.

Within the PCMag.com analyst community, the consensus seems to be that this is an embarrassment to AT&T, which already faces criticism because of its network issues.
[Evan] AT&T doesn't only face criticism over their network issues.  They face criticism over their billing, customer service, and general business practices as well.  Personally, I am an AT&T customer myself and I have been less than impressed.

But even Gawker's story can't come up with any source (yet) that ties the ICC-ID to anything more serious than an email address.

So far, the breach hasn't been used to access AT&T account data, and Gawker's sources seemed to think that the ID couldn't be used as a key to unlock and sniff a user's data to and from the iPad.
[Evan] I agree with what is being implied here.  This breach is limited to the exposure of ICC-IDs and email addresses.  ICC-IDs aren't going to be very useful in gaining any additional information.  Email addresses can be used for phishing, spam, and other nefarious purposes, but the additional risk posed by this breach is debatable.

"I'm distrustful of 'Goatse Security' due to the profoundly offensive stuff on their web site," Security Watch's Larry Seltzer said in an email. "Even 'respectable' security analysts exaggerate the impact of their findings all the time, and I wouldn't be surprised if that happened here."
[Evan] I can understand a general distrust for Goatse Security, but we can't judge their skill levels or analysis based on "profoundly offensive stuff on their web site".

It's likely that this story will explode as a PR blunder providing more pressure on Apple to ditch AT&T. But, barring further evidence, the actual security significance of this story remains minor for now.
[Evan] I agree.

Commentary:
This breach is embarrassing more than anything else.  The risk posed to customers appears to be relatively small given what we currently assume to be true.  There were two pieces of information exposed: the ICC-IDs and email addresses of iPad owners.  The ICC-ID can't be used for much (if anything) without additional information and access.  The email address can be used, but email addresses are used and disclosed in many places.  The only real impact that I see for the subscribers involved is possibly an increase in spear phishing attacks and/or spam.

Past Breaches:
Apple:
Unknown
AT&T:
Numerous, most recent being "AT&T Wireless customer records found by good Samaritan"


 