Cathode Tan - Games, Media and Geek Stuff

Wednesday, June 09, 2010

The Great AT&T iPad Security Breach

Sweet Jeebus.

Then we began poring through the 114,067 entries and were stunned at the names we found. The iPad 3G, released less than two months ago, has clearly been snapped up by an elite array of early adopters.

Within the military, we saw several devices registered to the domain of DARPA, the advanced research division of the Department of Defense, along with the major service branches. To wit: One affected individual was William Eldredge, who "commands the largest operational B-1 [strategic bomber] group in the U.S. Air Force."
-- Apple's Worst Security Breach: 114,000 iPad Owners Exposed [Gawker]

So, here's the short version: AT&T had an open web service for an AJAX process which would deliver a valid email address if you gave it a valid ICC-ID. An ICC-ID is what phone SIMs, like the one in the iPad, use to identify the unique device (and hence, user).

Note that this was an open web service, so anyone on the net could hit it. Anyone was free to keep trying ICC-IDs until they got an email back. ICC-IDs aren't particularly secure; Gawker points out that they show up on Flickr as part of photo tags.
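To make the design flaw concrete, here is an added example (not AT&T's code, and not from the original post) that puts an open lookup of the kind described above next to a hardened one. The class name, account IDs, ICC-ID values, status codes and the per-client limit are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: ICC-ID -> (owning account, email). Not real values.
SUBSCRIBERS = {
    "89014100000000000011": ("acct-1", "alice@example.com"),
    "89014100000000000029": ("acct-2", "bob@example.com"),
}
MAX_DISTINCT_ICCIDS = 3  # assumed limit on distinct ICC-IDs one client may try


class LookupService:
    def __init__(self, subscribers, limit=MAX_DISTINCT_ICCIDS):
        self.subscribers = subscribers
        self.limit = limit
        self.seen = defaultdict(set)  # client address -> ICC-IDs it asked about

    def lookup_open(self, iccid):
        """The flawed design: any caller with a valid ICC-ID gets the email."""
        record = self.subscribers.get(iccid)
        return record[1] if record else None

    def lookup_hardened(self, client, session_account, iccid):
        """Return (status, email); the email goes only to the owning account."""
        self.seen[client].add(iccid)
        if len(self.seen[client]) > self.limit:
            return 429, None  # client is walking the ICC-ID space
        if session_account is None:
            return 401, None  # no anonymous lookups
        record = self.subscribers.get(iccid)
        # Unknown and foreign ICC-IDs get the same answer, so the endpoint
        # cannot be used to confirm which ICC-IDs are valid.
        if record is None or record[0] != session_account:
            return 404, None
        return 200, record[1]
```

A production version would expire the per-client set over a time window and log the 429s, since a burst of them is the signal that someone is enumerating.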

According to Gawker, AT&T has not informed users of the presumably now fixed breach, and it isn't clear if they've contacted Apple.

From a security point of view, this could be worse. There are no passwords involved, though emails could be considered usernames in some situations. ICC-IDs themselves are relatively benign, though I don't think I want a black hat hacker having both my email address and device ID. It is a nightmare for a portal where people trust their private data, though, and a real red flag for the kind of protocols and practices AT&T has in place. I've always thought their site was somewhat miserable; this is beyond bad.
