or Connect
AppleInsider › Forums › Mobile › iPad › Two charged in exploit of AT&T website to obtain iPad user data
New Posts  All Forums:Forum Nav:

Two charged in exploit of AT&T website to obtain iPad user data

post #1 of 8
Thread Starter 
US prosecutors filed charges against two men in conjunction with the alleged hacking of AT&T's website last year, which resulted in a list of 120,000 users' names, email addresses, and serial numbers.

A report by Reuters detailed that one count of fraud and one count of conspiracy to access a computer without authorization were filed against both defendants, Daniel Spitler and Andrew Auernheimer.

The website attack was reported last summer, initially by Gawker, which described the event as "another embarrassment" for Apple.

Rather than being a sophisticated attack on iPads or AT&T's computer systems, as initial reports suggested, a group referring to itself as a security company simply discovered that AT&T had set up a website that allowed users to type in their iPad 3G's serial number and would then look up and automatically populated the users' email address in the web form.

A sensational hacker event

The "attackers" simply created a script that submitted HTTP requests for thousands of plausible serial numbers and collected the email addresses the server responded with. While AT&T's website deserved some criticism for defaulting to provide user convenience at the expense of a minor privacy threat, reports by Gawker and others trumpeted the data scraping trick as a serious attack with terrifying potential, leaving the suggestion that there was something insecure about the iPad itself.

The thousands of iPad 3G users involved "could be vulnerable to spam marketing and malicious hacking," the site stated. It also reported that affected iPad 3G users might be vulnerable to remote attacks based on the list of known SIM serial numbers (ICC IDs) it had obtained from those involved in the web site data harvesting operation.

It cited those involved in the security breach as claiming that "recent holes discovered in the GSM cell phone standard mean that it might be possible to spoof a device on the network or even intercept traffic using the ICC ID."

Two other sources Gawker cited were less impressed. Emmanuel Gadaix, a "mobile security consultant and Nokia veteran," said that while there have been "vulnerabilities in GSM crypto discovered over the years, none of them involve the ICC ID [] as far as I know, there are no vulnerability or exploit methods involving the ICC ID."

Karsten Nohl, a "white hat GSM hacker and University of Virginia computer science PhD," added that "while text-message and voice security in mobile phones is weak," the "data connections are typically well encrypted [] the disclosure of the ICC-ID has no direct security consequences."

Don't try this at home

AT&T responded to the situation by releasing a statement saying, "this issue was escalated to the highest levels of the company and was corrected by Tuesday. We are continuing to investigate and will inform all customers whose e-mail addresses... may have been obtained."

Reuters noted that the Federal Bureau of Investigation and the U.S. attorney for the District of New Jersey, Paul Fishman, plan to hold a press conference later this afternoon to discuss the charges.
post #2 of 8
A list of nobodies is one thing. A list with DoD, DARPA, and other government officials and sharing their info to tech blog (no matter how insignificant the data is) is something else and frowned upon by the government.
post #3 of 8
I agree that there was little security breached. But as one of the 120,000, I can say honestly that I have never received so much spam in my life up until this event.

I am POed about it. AT&T offered NOT ONE INCENTIVE for this breach. At least the opportunity to purchase unlimited data for life would have been reasonable for the inconvenience that I have suffered.

Who knew that there were so many Canadian pharmacies or dating sites for "mature adults" out there?
post #4 of 8
Off topic: Did anything ever happen with last year’s stolen iPhone? It seems that incident has quietly gone away. Some expected Chen would be shipped to China, put into a secret cell in an undisclosed subterranean level at a Foxconn factory and been kept alive so Jobs could harvest his organs at will. I felt that it Chen and Gixmodo would not be going to court. The truth is probably somewhere in-between.
Dick Applebaum on whether the iPad is a personal computer: "BTW, I am posting this from my iPad pc while sitting on the throne... personal enough for you?"
Reply
Dick Applebaum on whether the iPad is a personal computer: "BTW, I am posting this from my iPad pc while sitting on the throne... personal enough for you?"
Reply
post #5 of 8
Seems to me AT&T is primarily to blame in this incident. An analogy is that they not only left their front door unlocked, but wide open. Granted, even if you do that, strangers shouldnt just walk into your house uninvited. But its common knowledge that there is a (very small) percentage of the population who will do just that (usually with malevolent intentions). That is why we put locks on our doors.

AT&T shouldnt have left the front door wide open. On the other hand, im not impressed by fools bragging about their exploits (if, indeed, that might have the case). But it does beg the question of how should one bring attention to the fact that a company entrusted with keeping confidential customer information is being so reckless with that information?
post #6 of 8
Quote:
Originally Posted by solipsism View Post

Off topic: Did anything ever happen with last years stolen iPhone? It seems that incident has quietly gone away. Some expected Chen would be shipped to China, put into a secret cell in an undisclosed subterranean level at a Foxconn factory and been kept alive so Jobs could harvest his organs at will. I felt that it Chen and Gixmodo would not be going to court. The truth is probably somewhere in-between.

The fact you havent heard anything about it certainly suggests the former.
post #7 of 8
Quote:
Originally Posted by _Hawkeye_ View Post

Seems to me AT&T is primarily to blame in this incident. An analogy is that they not only left their front door unlocked, but wide open. Granted, even if you do that, strangers shouldnt just walk into your house uninvited. But its common knowledge that there is a (very small) percentage of the population who will do just that (usually with malevolent intentions). That is why we put locks on our doors.

AT&T shouldnt have left the front door wide open. On the other hand, im not impressed by fools bragging about their exploits (if, indeed, that might have the case). But it does beg the question of how should one bring attention to the fact that a company entrusted with keeping confidential customer information is being so reckless with that information?

Yes, AT&T should not have. However, the initial blame falls on Apple who defined the specs for that website and how it would function. Apple required it work that way. That said, AT&T should have caught the vulnerability created by Apple's design and work something else out.
post #8 of 8
Quote:
Originally Posted by AppleInsider View Post

US prosecutors filed charges against two men in conjunction with the alleged hacking of AT&T's website last year, which resulted in a list of 120,000 users' names, email addresses, and serial numbers.

A report by Reuters detailed that one count of fraud and one count of conspiracy to access a computer without authorization were filed against both defendants, Daniel Spitler and Andrew Auernheimer.

The website attack was reported last summer, initially by Gawker, which described the event as "another embarrassment" for Apple.

Rather than being a sophisticated attack on iPads or AT&T's computer systems, as initial reports suggested, a group referring to itself as a security company simply discovered that AT&T had set up a website that allowed users to type in their iPad 3G's serial number and would then look up and automatically populated the users' email address in the web form.

A sensational hacker event

The "attackers" simply created a script that submitted HTTP requests for thousands of plausible serial numbers and collected the email addresses the server responded with. While AT&T's website deserved some criticism for defaulting to provide user convenience at the expense of a minor privacy threat, reports by Gawker and others trumpeted the data scraping trick as a serious attack with terrifying potential, leaving the suggestion that there was something insecure about the iPad itself.

The thousands of iPad 3G users involved "could be vulnerable to spam marketing and malicious hacking," the site stated. It also reported that affected iPad 3G users might be vulnerable to remote attacks based on the list of known SIM serial numbers (ICC IDs) it had obtained from those involved in the web site data harvesting operation.

It cited those involved in the security breach as claiming that "recent holes discovered in the GSM cell phone standard mean that it might be possible to spoof a device on the network or even intercept traffic using the ICC ID."

Two other sources Gawker cited were less impressed. Emmanuel Gadaix, a "mobile security consultant and Nokia veteran," said that while there have been "vulnerabilities in GSM crypto discovered over the years, none of them involve the ICC ID [�] as far as I know, there are no vulnerability or exploit methods involving the ICC ID."

Karsten Nohl, a "white hat GSM hacker and University of Virginia computer science PhD," added that "while text-message and voice security in mobile phones is weak," the "data connections are typically well encrypted [�] the disclosure of the ICC-ID has no direct security consequences."

Don't try this at home

AT&T responded to the situation by releasing a statement saying, "this issue was escalated to the highest levels of the company and was corrected by Tuesday. We are continuing to investigate and will inform all customers whose e-mail addresses... may have been obtained."

Reuters noted that the Federal Bureau of Investigation and the U.S. attorney for the District of New Jersey, Paul Fishman, plan to hold a press conference later this afternoon to discuss the charges.

I'm a beginner, I do not know what you're talking about, Can you explain it more clearly?
New Posts  All Forums:Forum Nav:
  Return Home
  Back to Forum: iPad
AppleInsider › Forums › Mobile › iPad › Two charged in exploit of AT&T website to obtain iPad user data