or Connect
AppleInsider › Forums › Mobile › iPad › AT&T website hack leaks iPad 3G user emails
New Posts  All Forums:Forum Nav:

AT&T website hack leaks iPad 3G user emails

post #1 of 82
Thread Starter 
Black hat hackers have exploited a security flaw on AT&T's web servers which enabled them to obtain email addresses from the SIM card addresses of iPad 3G users. (Updated with statement from AT&T)

The breach, profiled in a report by Gawker, described the event as "another embarrassment" for Apple and outlined a variety of high profile individuals whose email addresses were obtained by automated script attacks on AT&T's web server based on their iPad 3G SIM addresses (ICC ID).

The publication claimed that the identifying information meant that thousands of iPad 3G users "could be vulnerable to spam marketing and malicious hacking," while also pointing out that many users have actually already published their iPad ICC ID numbers in Flickr photos. Presumably, many of them also have public email addresses and therefore already receive spam like the rest of us.

The attack on AT&T's web servers resulted in at least 114,000 iPad 3G users' emails being leaked to the hackers, who were coy about wether or not they were planning to enable others to access the data. The security leak, which returned a user's email address when their ICC-ID was entered via a specially formatted HTTP request, has since been patched.

The group automated requests of the email address information for a wide swath of ICC-ID serial numbers using a script. No other information was discovered.

"No direct security consequences"

The report suggested that having known ICC IDs would leave iPad 3G users vulnerable to remote attacks, citing the attackers involved in the security breach as claiming that "recent holes discovered in the GSM cell phone standard mean that it might be possible to spoof a device on the network or even intercept traffic using the ICC ID."

However, Gawker also talked to telephony security experts who disputed that the ICC ID email breach was a serious issue. It cited Emmanuel Gadaix, a "mobile security consultant and Nokia veteran" who said that while there have been "vulnerabilities in GSM crypto discovered over the years, none of them involve the ICC ID [] as far as I know, there are no vulnerability or exploit methods involving the ICC ID."

The report also noted that Karsten Nohl, a "white hat GSM hacker and University of Virginia computer science PhD," informed them "that while text-message and voice security in mobile phones is weak," the "data connections are typically well encrypted [] the disclosure of the ICC-ID has no direct security consequences."

At the same time, Nohl described AT&T's lapse in publishing the email information as grossly incompetent, saying, "it's horrendous how customer data, specifically e-mail addresses, are negligently leaked by a large telco provider."

Update: AT&T issued the following statement Wednesday regarding the breach:

"This issue was escalated to the highest levels of the company and was corrected by Tuesday. We are continuing to investigate and will inform all customers whose e-mail addresses... may have been obtained."
post #2 of 82
Saw this on Drudge first. Well done, AT&T....you suck. Get off the stage, ho!
I can only please one person per day.  Today is not your day.  Tomorrow doesn't look good either.  
Reply
I can only please one person per day.  Today is not your day.  Tomorrow doesn't look good either.  
Reply
post #3 of 82
I read the Gawker article and nowhere in there does it indicate that Apple did anything wrong. This all seems to be AT&T's security breach. Why did Gawker implicate Apple in the title? First, the generate clicks and second, they are still pissed that Apple is pissed at them for calling the cops on them for the whole iPhone 4 brouhaha.

Whatever journalistic integrity that Gawker had left (and that was very little), you'd think they'd get a headline right. Sadly, they don't have the integrity to even get that right.
post #4 of 82
So I wonder how long it will be before I can collect my two Dollars of settlement money for this.

AT&T is not making any friends!
post #5 of 82
Quote:
Originally Posted by Sevenfeet View Post

I read the Gawker article and nowhere in there does it indicate that Apple did anything wrong.

Because they know they are going to lose the farm so they might as well try and do as much damage to Apple as possible.
post #6 of 82
I would enjoy getting back to how much AT&T sucks. Thank you.
I can only please one person per day.  Today is not your day.  Tomorrow doesn't look good either.  
Reply
I can only please one person per day.  Today is not your day.  Tomorrow doesn't look good either.  
Reply
post #7 of 82
AT&T does suck, but I really do think that the "hackers" responsible for the breach in security, if caught and convicted, should be publicly executed...burning at the stake would be quite satisfying.
post #8 of 82
If this is true, then the biggest issue to me is the lack of disclosure by ATT.
post #9 of 82
post #10 of 82
Why must we continue with AT&T. They just continue to bring down great apple products. Let me know when someone other than AT&T is the service provider for the iPad and iPhone. I want to get in line.
post #11 of 82
How is it an embarrassment for Apple? It wasn't their servers that were hacked.
post #12 of 82
"...another embarrassment for Apple."

Certainly this impacts Apple customers, but wouldn't this more rightly be regarded as an embarrassment for AT&T?
post #13 of 82
Quote:
Originally Posted by Sevenfeet View Post

I read the Gawker article and nowhere in there does it indicate that Apple did anything wrong. This all seems to be AT&T's security breach. Why did Gawker implicate Apple in the title? First, the generate clicks and second, they are still pissed that Apple is pissed at them for calling the cops on them for the whole iPhone 4 brouhaha.

Whatever journalistic integrity that Gawker had left (and that was very little), you'd think they'd get a headline right. Sadly, they don't have the integrity to even get that right.

LOL you really should have a look at gizmodo once a while, it's basically dedicated to ripping the iPhone apart now.
post #14 of 82
Guys, guys. Gawker Media are turds.

They claim that it's a "black eye" for Apple to get more pageviews, despite the fact (as many mentioned above) that this appears to strictly be an AT&T security issue.

Also, this is a minor infantile retort since Apple shut out Gizmodo editors from the WWDC keynote. Gawker Media are a bunch of crybabies.
post #15 of 82
The only embarrassment for Apple is that they're stuck with AT&T (for reasons I definitely don't understand). Did you catch Jon Stewart slamming AT&T last night on The Daily Show? It kills me that I have to switch to an inferior network in order to have an iPhone.

The pairing of Apple and AT&T really is odd.
post #16 of 82
Unfortunate. I don't really do the bash AT&T. But... from personal experience you would think with all of the piles of processes and approvals required at AT&T this would not happen. Ah Cingular days....
post #17 of 82
post #18 of 82
Quote:
Originally Posted by Sevenfeet View Post

I read the Gawker article and nowhere in there does it indicate that Apple did anything wrong. This all seems to be AT&T's security breach. Why did Gawker implicate Apple in the title? First, the generate clicks and second, they are still pissed that Apple is pissed at them for calling the cops on them for the whole iPhone 4 brouhaha.

exactly. Hit fodder and sour grapes. On the one hand who can blame them. Apple cut all ads from them, Apple is complying with the DA on the iphone thing and then Apple wouldn't let the Giz guys come to WWDC and forced them to second hand report everything. They probably won't get invites to anything Apple ever and no more review copies of stuff. Forget that they did it themselves.

A non tech's thoughts on Apple stuff 

(She's family so I'm a little biased)

Reply

A non tech's thoughts on Apple stuff 

(She's family so I'm a little biased)

Reply
post #19 of 82
Quote:
Originally Posted by Sevenfeet View Post

I read the Gawker article and nowhere in there does it indicate that Apple did anything wrong. This all seems to be AT&T's security breach. Why did Gawker implicate Apple in the title? First, the generate clicks and second, they are still pissed that Apple is pissed at them for calling the cops on them for the whole iPhone 4 brouhaha.

Whatever journalistic integrity that Gawker had left (and that was very little), you'd think they'd get a headline right. Sadly, they don't have the integrity to even get that right.


It's all post WWDC/we got caught stealing your iPhone spin. If iPad info was accessed so was Android and Blackberry users.

If some group broke into AT&T, arrest them, prosecute and recover damages to fix the window glass & door locks that they broke. It's not like AT&T gave them the data... not talking about Google here.
post #20 of 82
AI left out the best part. The group responsible for uncovering this hole is called Goatse Security
post #21 of 82
Quote:
Originally Posted by 2oh1 View Post

The pairing of Apple and AT&T really is odd.

About 70% of the planet uses GSM. The Apple iPhone is a GSM handset, there is no CDMA model.

There are two GSM carriers in the United States: AT&T and T-Mobile. AT&T is far larger.

Doesn't sound that odd to me.

Note that in a Consumer Reports study of U.S. mobile operators, Verizon beat out AT&T, T-Mobile, and Sprint by a few points, just above the threshold of statistical significance (according to CR). I recall all the scores were bunched in the mid 70s. That essentially means that Verizon is a 37" giant in a kingdom of three-foot midgets.

AT&T isn't much of a step down from Verizon unless you happen to live in an area that AT&T services poorly.
post #22 of 82
Quote:
Originally Posted by Mazda 3s View Post

AI left out the best part. The group responsible for uncovering this hole is called Goatse Security

That actually could be a good thing. Because they are said to be a security watchgroup. They don't 'crack' to actual steal stuff, but 'hack' to exploit faults that nasty folks could exploit. And then they give the info to the targets. Much like the guys that have the competitions to find holes in OS's, browsers etc.

had it be some unknown group I would be more worried, because they would be more likely to be up to no good in any way shape or form

A non tech's thoughts on Apple stuff 

(She's family so I'm a little biased)

Reply

A non tech's thoughts on Apple stuff 

(She's family so I'm a little biased)

Reply
post #23 of 82
Quote:
Originally Posted by charlituna View Post

That actually could be a good thing. Because they are said to be a security watchgroup. They don't 'crack' to actual steal stuff, but 'hack' to exploit faults that nasty folks could exploit. And then they give the info to the targets. Much like the guys that have the competitions to find holes in OS's, browsers etc.

had it be some unknown group I would be more worried, because they would be more likely to be up to no good in any way shape or form

I wouldn't be so sure... from the original story:

Quote:
Since a member of the group tells us the script was shared with third-parties prior to AT&T closing the security hole, it's not known exactly whose hands the exploit fell into and what those people did with the names they obtained. A member tells us it's likely many accounts beyond the 114,000 have been compromised.
post #24 of 82
Quote:
Originally Posted by charlituna View Post

That actually could be a good thing. Because they are said to be a security watchgroup. They don't 'crack' to actual steal stuff, but 'hack' to exploit faults that nasty folks could exploit. And then they give the info to the targets. Much like the guys that have the competitions to find holes in OS's, browsers etc.

had it be some unknown group I would be more worried, because they would be more likely to be up to no good in any way shape or form

True, I hope this is the case.

Quote:
Originally Posted by cvaldes1831 View Post

About 70% of the planet uses GSM. The Apple iPhone is a GSM handset, there is no CDMA model.

There are two GSM carriers in the United States: AT&T and T-Mobile. AT&T is far larger.

Doesn't sound that odd to me.

Note that in a Consumer Reports study of U.S. mobile operators, Verizon beat out AT&T, T-Mobile, and Sprint by a few points, just above the threshold of statistical significance (according to CR). I recall all the scores were bunched in the mid 70s. That essentially means that Verizon is a 37" giant in a kingdom of three-foot midgets.

AT&T isn't much of a step down from Verizon unless you happen to live in an area that AT&T services poorly.

Good point

Quote:
Originally Posted by oxygenhose View Post

It's all post WWDC/we got caught stealing your iPhone spin. If iPad info was accessed so was Android and Blackberry users.

If some group broke into AT&T, arrest them, prosecute and recover damages to fix the window glass & door locks that they broke. It's not like AT&T gave them the data... not talking about Google here.

Another good point.
post #25 of 82
Quote:
Originally Posted by 2oh1 View Post

The only embarrassment for Apple is that they're stuck with AT&T (for reasons I definitely don't understand). Did you catch Jon Stewart slamming AT&T last night on The Daily Show? It kills me that I have to switch to an inferior network in order to have an iPhone.

The pairing of Apple and AT&T really is odd.

No. I have state of the art consumer electronics technology... why in hell would I follow a comedian in a business suit's jokes as actual substance of anything, much less how well my cell phone works?

Don't let the format fool you into mistaking entertainment for news, you can buy a suit anywhere, and you can visit the Laugh Factory every night for just as insightful tech reporting. I don't think Gawker backed by Jon Stewart make the kind of awesome tech team that some might allude to.

I seriously doubt AT&T is 'embarrassing' for Apple. Have you seen their bank account and customer satisfaction ratings? If anything they seem to be a very profitable and important business partner. I am curious about the technology used to access the other planet's where these kind of nonsensical opinions originate.
post #26 of 82
Quote:
Originally Posted by Mazda 3s View Post

AI left out the best part. The group responsible for uncovering this hole is called Goatse Security

Seriously? I wondered why they kept out the most hilarious part of this story.
Dick Applebaum on whether the iPad is a personal computer: "BTW, I am posting this from my iPad pc while sitting on the throne... personal enough for you?"
Reply
Dick Applebaum on whether the iPad is a personal computer: "BTW, I am posting this from my iPad pc while sitting on the throne... personal enough for you?"
Reply
post #27 of 82
Everyone seems to hate at&t. If the iPhone was exclusive to VZW, they would have experience the same problems according to Steve jobs. But I agree, at&t needs to hurry and get their act together.
post #28 of 82
Quote:
Originally Posted by solipsism View Post

Seriously? I wondered why they kept out the most hilarious part of this story.

Wow. Just wow. Brings a whole new meaning to the song "Brown-eyed girl" now, doesn't it?
Pity the agnostic dyslectic. They spend all their time contemplating the existence of dog.
Reply
Pity the agnostic dyslectic. They spend all their time contemplating the existence of dog.
Reply
post #29 of 82
This is likely the reason why, espionage.

http://www.washingtonpost.com/wp-dyn...060701140.html



and I'm partial to TubGirl myself
post #30 of 82
Quote:
Originally Posted by justflybob View Post

Wow. Just wow. Brings a whole new meaning to the song "Brown-eyed girl" now, doesn't it?

Cute, but definitely questions the integrity of this 'news' and if this group is even legit, well as legit as breaking into someone's network can be.

If it's real AT&T will own up to it in the next week or so, but it seems like they are questioning the validity of this off the bat.
post #31 of 82
Quote:
Originally Posted by mactoid View Post

I really do think that the "hackers" responsible for the breach in security, if caught and convicted, should be publicly executed...burning at the stake would be quite satisfying.


Thank Goodness you have no power.
post #32 of 82
Quote:
Originally Posted by SDW2001 View Post

I would enjoy getting back to how much AT&T sucks. Thank you.

Not as much as Verizon

"Apple people have no objectivity when it comes to criticism of Apple.." Lenovo X1 Carbon is out..bye bye MBAir

Reply

"Apple people have no objectivity when it comes to criticism of Apple.." Lenovo X1 Carbon is out..bye bye MBAir

Reply
post #33 of 82
Quote:
Originally Posted by cvaldes1831 View Post

About 70% of the planet uses GSM. The Apple iPhone is a GSM handset, there is no CDMA model.

There are two GSM carriers in the United States: AT&T and T-Mobile. AT&T is far larger.

Doesn't sound that odd to me.

Note that in a Consumer Reports study of U.S. mobile operators, Verizon beat out AT&T, T-Mobile, and Sprint by a few points, just above the threshold of statistical significance (according to CR). I recall all the scores were bunched in the mid 70s. That essentially means that Verizon is a 37" giant in a kingdom of three-foot midgets.

AT&T isn't much of a step down from Verizon unless you happen to live in an area that AT&T services poorly.

Well put.

Quote:
Originally Posted by justflybob View Post

Wow. Just wow. Brings a whole new meaning to the song "Brown-eyed girl" now, doesn't it?

LMAO
post #34 of 82
Quote:
Originally Posted by charlituna View Post

That actually could be a good thing. Because they are said to be a security watchgroup. They don't 'crack' to actual steal stuff, but 'hack' to exploit faults that nasty folks could exploit. And then they give the info to the targets. Much like the guys that have the competitions to find holes in OS's, browsers etc.

had it be some unknown group I would be more worried, because they would be more likely to be up to no good in any way shape or form

AT&T's official response included, "...The person or group who discovered this gap did not contact AT&T."
Blindness is a condition as well as a state of mind.

Reply
Blindness is a condition as well as a state of mind.

Reply
post #35 of 82
Quote:
Originally Posted by charlituna View Post

That actually could be a good thing. Because they are said to be a security watchgroup. They don't 'crack' to actual steal stuff, but 'hack' to exploit faults that nasty folks could exploit. And then they give the info to the targets. Much like the guys that have the competitions to find holes in OS's, browsers etc.

had it be some unknown group I would be more worried, because they would be more likely to be up to no good in any way shape or form

Please see urbandictionary or wikipedia for goatse. Doing so will show you it probably isn't good.
post #36 of 82
Quote:
Originally Posted by SDW2001 View Post

I would enjoy getting back to how much AT&T sucks. Thank you.

I love the baseless claims that VZN would be any better than ATT.
post #37 of 82
Quote:
Originally Posted by technohermit View Post

Please see urbandictionary or wikipedia for goatse. Doing so will show you it probably isn't good.



Tells me they are likely some top notch adults. NOT.
post #38 of 82
Quote:
Originally Posted by stevegmu View Post

How is it an embarrassment for Apple? It wasn't their servers that were hacked.

It's an embarrassment because Apple married themselves to an also-ran provider.

It's an embarrassment because people expect better overall experience from Apple products. As a customer, I'd have zero patience for "It's not our fault".

The only question here is how the other telcos will respond. Will they say "Steve, now are you ready to talk?", or will they say "Ha! F-you!" ?
post #39 of 82
Quote:
Originally Posted by sippincider View Post

It's an embarrassment because Apple married themselves to an also-ran provider.

It's an embarrassment because people expect better overall experience from Apple products. As a customer, I'd have zero patience for "It's not our fault".

The only question here is how the other telcos will respond. Will they say "Steve, now are you ready to talk?", or will they say "Ha! F-you!" ?


What makes you think Steve Jobs has such a desire to move to another carrier?
post #40 of 82
That's why you gotta register for everything using a dedicated spam email address. But even then you are not guaranteed any security.
--SHEFFmachine out
Da Bears!
Reply
--SHEFFmachine out
Da Bears!
Reply
New Posts  All Forums:Forum Nav:
  Return Home
  Back to Forum: iPad
AppleInsider › Forums › Mobile › iPad › AT&T website hack leaks iPad 3G user emails