Ryan Tate at Gawker:
Apple has suffered another embarrassment. A security breach has exposed iPad owners including dozens of CEOs, military officials, and top politicians. They—and every other buyer of the cellular-enabled tablet—could be vulnerable to spam marketing and malicious hacking.
The breach, which comes just weeks after an Apple employee lost an iPhone prototype in a bar, exposed the most exclusive email list on the planet, a collection of early-adopter iPad 3G subscribers that includes thousands of A-listers in finance, politics and media, from New York Times Co. CEO Janet Robinson to Diane Sawyer of ABC News to film mogul Harvey Weinstein to Mayor Michael Bloomberg. It even appears that White House Chief of Staff Rahm Emanuel’s information was compromised.
It doesn’t stop there. According to the data we were given by the web security group that exploited vulnerabilities on the AT&T network, we believe 114,000 user accounts have been compromised, although it’s possible that confidential information about every iPad 3G owner in the U.S. has been exposed. We contacted Apple for comment but have yet to hear back. We also reached out to AT&T for comment. [Update: AT&T has confirmed the breach and the FBI has opened an investigation. Updates below.] A call to Rahm Emanuel’s office at the White House has not been returned.
Taylor Buley at Forbes:
Gawker contributor Ryan Tate set the Web ablaze on Wednesday with a blog post detailing the alleged breach of 114,000 iPad users’ email addresses. The post named names: among them, executives at News Corp, The New York Times Company and Dow Jones.
According to “Weev,” a well known Internet “activist” who we likened to Shakespeare’s Puck after a baffling Amazon.com security incident last year, the “Goatse” security group alerted various members of the mainstream press via email before granting Gawker’s Tate an exclusive on the data.
“i disclosed this to other press organizations first (ones who had ipad users affected by the breach, lol) and was ignored,” writes Weev in an email. “gawker found out and ran with it immediately.”
To prove it, Weev sent Forbes copies of emails sent to press at Reuters, News Corp, The Washington Post and The San Francisco Chronicle. The veracity of the emails has not been confirmed, but each has a timestamp dating back to Sunday night.
Asked if Gawker paid for the scoop, Weev said the publication did not provide remuneration. “we did a benefit analysis and decided they could take our story viral the fastest,” he writes in an email.
An information leak on AT&T’s network allows severe privacy violations to iPad 3G users. Your iPad’s unique network identifiers were pulled straight out of AT&T’s database.
Every GSM device (including 3G iPads) has an ICC-ID on its SIM card. This ICC-ID is a unique identifier to the cellular network that is used by the carrier to route calls to your cellphone. If this ICC-ID is compromised an attacker could theoretically (thanks to recent cryptanalysis that cracked GSM’s hash and stream functions) clone your SIM card to act as you on the AT&T network.
Devin, the iPad you registered to your email has the ICC-ID of 8901xxxxxxxxxxxxxx94.
Shannon, yours is 8901xxxxxxxxxxxxxx73.
James, yours is 8901xxxxxxxxxxxxxx74.
Carl, yours is 8901xxxxxxxxxxxxxx72.
David, yours is 8901xxxxxxxxxxxxxx71.
Neil, yours is 8901xxxxxxxxxxxxxx05.
Rob, yours is 8901xxxxxxxxxxxxxx03.
Joseph, yours is 8901xxxxxxxxxxxxxx11.
Mike, yours is 8901xxxxxxxxxxxxxx57.
You can locate your ICC-ID number of your iPad and verify this information by using the following item from Apple’s FAQ:
There is nothing in Apple’s SDK APIs that would allow an application to have this identifier– it is a shared secret that should indicate physical proximity to the iPad. In addition, by harvesting ICC-IDs, an attacker can build a complete list of contact information for all iPad 3G customers. All these Thomson Reuters employees were revealed in a short data harvest by my working group along with hundreds of thousands of other iPad 3G customers.
If anyone in your organization would like to discuss this particular issue for publication I would be absolutely happy to describe the method of theft in more detail.
Have a good evening.
John Hudson at The Atlantic
David Coldewey at Crunch Gear:
The hackers, a group known as Goatse Security (I’ll let you work out the reasoning for the name yourself), organized a brute-force attack in which they pummeled a public AT&T script with semirandom ICC-ID numbers, which would return nothing if invalid but an email address if valid. A few hours later, they had the ICC-IDs and email addresses of everyone from Michael Bloomberg and Diane Sawyer to a Mr. Eldredge, who commands a fleet of B-1 bombers.
As is occasionally the case with grey-hat hacker actions like this, the hack seems to have been executed first and AT&T notified shortly afterward — though not before an unknown number of third parties had access to the script. AT&T closed the hole immediately (it was as simple as turning off the script), and apologized as follows:
AT&T was informed by a business customer on Monday of the potential exposure of their iPad ICC IDS. The only information that can be derived from the ICC IDS is the e-mail address attached to that device.
This issue was escalated to the highest levels of the company and was corrected by Tuesday; and we have essentially turned off the feature that provided the e-mail addresses.
The person or group who discovered this gap did not contact AT&T.
We are continuing to investigate and will inform all customers whose e-mail addresses and ICC IDS may have been obtained.
We take customer privacy very seriously and while we have fixed this problem, we apologize to our customers who were impacted.
Impacted. Like wisdom teeth. Why not “affected?” Anyway, I notice they say they were not contacted by the group but by some business customer. The timing isn’t clear from the Gawker article, but I wonder if there’s a little more to this than anyone cares to admit. Groups like Goatse often warn their targets beforehand, but it seems like one or the other would have mentioned that if it happened. You’d think a company as exposed as AT&T would have bells on its scripts that would ring if suddenly requests increased by 1000%, but practices like that are perhaps too much to be expected.
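The kind of alarm the CrunchGear excerpt above asks for, as an added example (not code from AT&T, the quoted articles, or anyone named in them): a per-client sliding-window check that flags a source requesting many distinct identifiers, most of which return nothing. The log format, the `/lookup` path, the `ICCID` parameter name, the placeholder IDs and the thresholds are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import urlparse, parse_qs

WINDOW = timedelta(seconds=60)
MAX_DISTINCT_IDS = 5    # assumed: a real subscriber looks up only their own ID
MIN_MISS_RATIO = 0.5    # assumed: guessing produces mostly empty responses

def parse(line):
    # Constructed log format: ISO-timestamp client-ip request-path bytes-returned
    ts, client, path, size = line.split()
    icc = parse_qs(urlparse(path).query).get("ICCID", [""])[0]
    return datetime.fromisoformat(ts), client, icc, int(size)

def detect_enumeration(lines):
    """Return {client: (first_alert_time, distinct_ids, miss_ratio)}."""
    recent = defaultdict(deque)  # client -> (time, id, was_miss) inside WINDOW
    flagged = {}
    for line in lines:
        ts, client, icc, size = parse(line)
        q = recent[client]
        q.append((ts, icc, size == 0))
        while ts - q[0][0] > WINDOW:      # drop requests older than the window
            q.popleft()
        distinct = len({i for _, i, _ in q})
        misses = sum(1 for _, _, m in q if m) / len(q)
        if (client not in flagged and distinct > MAX_DISTINCT_IDS
                and misses >= MIN_MISS_RATIO):
            flagged[client] = (ts, distinct, round(misses, 2))
    return flagged

def sample_log():
    # Constructed sample: one ordinary client, one client walking through IDs.
    base = datetime(2024, 1, 1, 3, 0, 0)
    lines = []
    for n in range(3):   # same ID, minutes apart, always a hit
        t = (base + timedelta(minutes=2 * n)).isoformat()
        lines.append(f"{t} 198.51.100.7 /lookup?ICCID=ID-A0001 31")
    for n in range(12):  # new ID every 2 seconds, three of four are misses
        t = (base + timedelta(seconds=2 * n)).isoformat()
        size = 31 if n % 4 == 0 else 0
        lines.append(f"{t} 203.0.113.9 /lookup?ICCID=ID-B{n:04d} {size}")
    return sorted(lines)  # fixed-width ISO timestamps sort chronologically

if __name__ == "__main__":
    for client, (when, ids, ratio) in detect_enumeration(sample_log()).items():
        print(f"ALERT {client} at {when}: {ids} distinct IDs, miss ratio {ratio}")
```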
Jason O’Grady at ZDNet:
Even worse is the potential security threat this could expose to members of the military that adopted the iPad. On the list are several devices registered to the domain of DARPA, the advanced research division of the Department of Defense, including William Eldredge, who “commands the largest operational B-1 [strategic bomber] group in the U.S. Air Force.”
Um, yeah. It’s that bad.
Media moguls and celebrities are one thing, but I’m guessing that the government and military users are taking this one pretty seriously too. I’m guessing that Al Qaeda would pay big bucks to have access to Eldredge’s iPad 3G?
According to data furnished to Gawker by the Web security group that exploited vulnerabilities on the AT&T network at least 114,000 user accounts have been compromised, although it’s possible that confidential information about every U.S. iPad 3G owner in the U.S. has been exposed.
Tony Bradley at PC World:
In truth, there was nothing elite (or ‘l33t’ in hacker speak) about the iPad 3G data leak. In fact, according to an interview on CBS News by Larry Magid with Goatse Security analyst Jim Jeffers, the security researchers more or less stumbled upon the authentication glitch. Jeffers said the exploit “was almost discovered by accident. One of our employees is an iPad 3G subscriber, and he noticed it in the process of the normal user experience of this device. It was something he just noticed as he was using it.”
Sort of like how finding and taking a car with the driver’s door open, keys in the ignition, and engine on does not make one an elite car thief. The lesson for IT administrators is to be more vigilant about closing these holes and making sure that the car door isn’t open, with the keys in the ignition, and the engine on–especially for Web-facing servers.
There is an entire genre of hacking dedicated to finding sensitive or confidential data inadvertently exposed to the Web. The book Google Hacking by Johnny Long, and the accompanying online Google Hacking Database, list hundreds of search queries that can be used to ferret out juicy information not meant for public consumption. It is actually not unique to Google. It should be called “Web search hacking”, but Google is essentially synonymous with Web search and “Google hacking” has a better ring to it.
George Kurtz, McAfee CTO and proud owner of not one, but two iPads, provides a detailed analysis of the iPad 3G data leak in which he ponders, “why is there such a dust storm over the recent AT&T/Apple iPad disclosure of 114,000 iPad owners and is it warranted?”
Kara Swisher at All Things Digital:
Now the Federal Bureau of Investigation is looking into the AT&T breach, according to an article in The Wall Street Journal, in what seems to be an early probe.
Oooh, the Feds are involved now.
I wish I could say it will make a difference. Because it won’t.
In fact, coming on the heels of privacy controversies at Facebook and Google (GOOG), it’s just another log on the digital fire that has been burning up privacy for a very long time now.
And now more than ever, it is part of a massive confluence of trends, including:
Consumers more interested than ever in sharing information about themselves in order to make ever better social networking connections online; a plethora of innovative devices–mostly mobile–and Internet tools available to seamlessly and easily allow those consumers to do so; and, perhaps most of all, Internet companies intent on hoovering up as much information as possible, in order to garner more consumers and sell it to advertisers.
In large part, this is all well and good, creating a range of valuable and entertaining services at little or no cost and making the computing experience more personal and relevant.
Because of that, I have to admit I was less tweaked than I thought I would be, although I wish I were not.
New York City Mayor Michael Bloomberg, whose email was also compromised, expressed the feeling best.
“It shouldn’t be pretty hard to figure out my email address,” he was quoted saying in the Journal article. “To me, it wasn’t that big a deal.”
That’s because all of us are thinking less that such information is private or will remain that way for long.