June 10, 2010

Hackers Exploit iPad, AT&T Vulnerability

A Silicon Valley website reported on Wednesday that a hacking group obtained the email addresses of over 114,000 owners of Apple iPads by exploiting a vulnerability through AT&T's 3G plan.

Valleywag, a property of Gawker Media, reported that the hackers turned over the email list, which contained the email addresses of a number of high-profile iPad users in the U.S., including business leaders, politicians and military officials.

Valleywag published the names of some on the list, including New York Times Co. chief executive Janet Robinson, New York Mayor Michael Bloomberg and White House chief of staff Rahm Emanuel.

The iPad owners whose email addresses were compromised were subscribers to AT&T's 3G plan, which provides data connectivity to Apple's touchscreen computer.

Valleywag said the hackers, who go by the name of Goatse Security, obtained the numbers used to identify subscribers on AT&T's network, known as ICC IDs, which stands for integrated circuit card identifiers.

The hack exploited an insecure way that AT&T's website prompted iPad users when they tried to log into their AT&T accounts through the devices. To make logins easier, the site would supply users' email addresses based on unique codes contained in the SIM cards inside their iPads.

The hackers said they were able to trick AT&T's site into coughing up the email addresses.

AT&T acknowledged the security breach in a statement and issued an apology to customers who had been affected.

"AT&T was informed by a business customer on Monday of the potential exposure of their iPad ICC IDs," AT&T said.

"The only information that can be derived from the ICC IDs is the email address attached to that device," it said.

"This issue was escalated to the highest levels of the company and was corrected by Tuesday; and we have essentially turned off the feature that provided the email addresses," AT&T said.

"We are continuing to investigate and will inform all customers whose email addresses and ICC IDs may have been obtained," AT&T said. "At this point, there is no evidence that any other customer information was shared."

Valleywag said Goatse Security has previously revealed vulnerabilities in the Firefox and Safari Web browsers.

The AT&T breach, according to Valleywag, revealed the email addresses of iPad owners in companies like Goldman Sachs, JP Morgan, Citigroup and Morgan Stanley and staffers in the Pentagon, Senate, House of Representatives, Department of Justice, NASA and Department of Homeland Security.

Gawker Media also runs Gizmodo, a technology blog that unveiled the first photos of the iPhone 4 before it was announced.
