The breach was first reported by Gawker (parent company of Gizmodo, which had acquired a lost iPhone prototype in April), which said the "security breach has exposed iPad owners including dozens of CEOs, military officials, and top politicians."
The breach, if "luckily" is the right word, affects only iPads with 3G connectivity, because the flaw hinges on the integrated circuit card identifier (ICC-ID), the number stored in (and printed on) the SIM card that ties a device to a wireless subscriber. A group calling itself Goatse Security obtained the list through a script on the AT&T Web site. According to Gawker, "when provided with an ICC-ID as part of an HTTP request, the script would return the associated email address, in what was apparently intended to be an AJAX-style response within a Web application." In other words, the endpoint treated possession of an ICC-ID as proof that the caller was entitled to the account's e-mail address, and an ICC-ID is not a secret. With a PHP script to automate the harvesting, the group easily compiled a list some 2,000 pages long.
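To make the class of flaw concrete, here is an added example (hypothetical code written for this article, not AT&T's script or Goatse Security's harvester). It models an endpoint that returns the e-mail for any client-supplied ICC-ID, the enumeration that such an endpoint invites, and the fixed version that takes the identifier from an authenticated session instead. The issuer prefix, serial block, ICC-IDs and e-mail addresses are all constructed; the only real-world detail is that an ICC-ID ends in a Luhn check digit, which an enumerator can compute rather than guess.

```python
from typing import Optional

# Added illustration of the flaw class described above: an HTTP handler
# that hands back account data for any client-supplied identifier.
# Hypothetical code, not AT&T's; every ICC-ID and e-mail below is constructed.


def luhn_check_digit(payload: str) -> str:
    """Check digit (Luhn, as on ICC-IDs) computed from the digits that precede
    it. It catches typos, it is not a secret: anyone who knows the scheme
    can mint syntactically valid identifiers."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:          # rightmost payload digit is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]


# Assumed (fictitious) issuer prefix: "89" (telecom) followed by country and
# issuer digits. Carriers hand out serials from blocks like this, so
# neighbouring subscribers end up with neighbouring ICC-IDs.
ISSUER_PREFIX = "89014104243004"


def make_iccid(serial: int) -> str:
    """19-digit payload (prefix + zero-padded serial) plus the check digit."""
    payload = ISSUER_PREFIX + str(serial).zfill(5)
    return payload + luhn_check_digit(payload)


# Constructed subscriber table: ICC-ID -> e-mail address on the account.
SUBSCRIBERS = {
    make_iccid(1): "alice@example.com",
    make_iccid(2): "bob@example.com",
    make_iccid(4): "carol@example.com",   # serial 3 was never issued
}


def vulnerable_lookup(params: dict) -> dict:
    """Model of the flawed endpoint: whoever puts an ICC-ID in the request
    gets the e-mail tied to it. No session, no ownership check."""
    email = SUBSCRIBERS.get(params.get("ICCID", ""))
    return {"status": 200, "email": email} if email else {"status": 404}


def hardened_lookup(params: dict, session: Optional[dict]) -> dict:
    """Same feature, fixed: the ICC-ID comes from the authenticated session,
    never from the request, so a caller can only read their own record."""
    if not session or "iccid" not in session:
        return {"status": 401}
    email = SUBSCRIBERS.get(session["iccid"])    # params["ICCID"] is ignored
    return {"status": 200, "email": email} if email else {"status": 404}


def harvest(lookup, first_serial: int, count: int) -> list:
    """The enumeration the article describes: walk a block of serials, mint
    each candidate ICC-ID (check digit included) and keep every pair the
    endpoint discloses."""
    found = []
    for serial in range(first_serial, first_serial + count):
        candidate = make_iccid(serial)
        resp = lookup({"ICCID": candidate})
        if resp.get("status") == 200:
            found.append((candidate, resp["email"]))
    return found


if __name__ == "__main__":
    print("vulnerable endpoint:", harvest(vulnerable_lookup, 1, 6))
    print("hardened, no session:", harvest(lambda p: hardened_lookup(p, None), 1, 6))
```

Run against the vulnerable handler, six probes recover all three constructed accounts; against the hardened handler the same probes yield nothing, because the identifier in the request is never consulted. Rate limiting would slow such a harvester down, but only binding the lookup to an authenticated principal removes the disclosure.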
Early adopters of the premium-priced 3G-equipped iPad models apparently include many high-profile individuals, and Gawker has picked a few interesting names off the list without disclosing their e-mail addresses. Among them are Janet Robinson, CEO of the New York Times; Les Hinton, CEO of Dow Jones; Michael Bloomberg, founder of Bloomberg LP; and more.
Of course, the leak of so many iPad users' e-mail addresses raises concerns about spam, malware distributed through social engineering, or worse. But while Gawker says little about the security and privacy implications, an article in the New York Times includes comments from security consultants worried about the accessibility of ICC-IDs.
"You could in theory find out where the device is," said Michael Kleeman, a communications network expert at the University of California, San Diego. Learning a person's full name and current location from nothing but an ICC-ID (publicly accessible, even if obtained illegally) would indeed be a serious privacy concern. However, he adds: "But to do that, you would have to gain access to very secure databases that are not generally connected to the public Internet." So the odds are rather small, but competent and determined attackers apparently could still reach such personal data.
According to Goatse Security, AT&T did not respond when the group reported the breach to the carrier, after which the group handed the data to "third parties" such as Gawker. However, after the story was published, AT&T did make an announcement: "AT&T was informed by a business customer on Monday of the potential exposure of their iPad ICC IDs. The only information that can be derived from the ICC IDs is the e-mail address attached to that device.
This issue was escalated to the highest levels of the company and was corrected by Tuesday; and we have essentially turned off the feature that provided the e-mail addresses.
The person or group who discovered this gap did not contact AT&T.
We are continuing to investigate and will inform all customers whose e-mail addresses and ICC IDs may have been obtained.
We take customer privacy very seriously and while we have fixed this problem, we apologize to our customers who were impacted." Whom to believe, AT&T or Goatse Security, matters less than the fact that AT&T, as the sole iPad and iPhone 3G carrier in the United States, stands to lose credibility. Customers have every reason to be concerned about leaks of such private information.