AT&T website hack leaks iPad 3G user emails

Posted:
in iPad edited January 2014
Black hat hackers have exploited a security flaw on AT&T's web servers which enabled them to obtain email addresses from the SIM card addresses of iPad 3G users. (Updated with statement from AT&T)



The breach, profiled in a report by Gawker, described the event as "another embarrassment" for Apple and outlined a variety of high profile individuals whose email addresses were obtained by automated script attacks on AT&T's web server based on their iPad 3G SIM addresses (ICC ID).



The publication claimed that the identifying information meant that thousands of iPad 3G users "could be vulnerable to spam marketing and malicious hacking," while also pointing out that many users have actually already published their iPad ICC ID numbers in Flickr photos. Presumably, many of them also have public email addresses and therefore already receive spam like the rest of us.



The attack on AT&T's web servers resulted in at least 114,000 iPad 3G users' emails being leaked to the hackers, who were coy about wether or not they were planning to enable others to access the data. The security leak, which returned a user's email address when their ICC-ID was entered via a specially formatted HTTP request, has since been patched.



The group automated requests of the email address information for a wide swath of ICC-ID serial numbers using a script. No other information was discovered.



"No direct security consequences"



The report suggested that having known ICC IDs would leave iPad 3G users vulnerable to remote attacks, citing the attackers involved in the security breach as claiming that "recent holes discovered in the GSM cell phone standard mean that it might be possible to spoof a device on the network or even intercept traffic using the ICC ID."



However, Gawker also talked to telephony security experts who disputed that the ICC ID email breach was a serious issue. It cited Emmanuel Gadaix, a "mobile security consultant and Nokia veteran" who said that while there have been "vulnerabilities in GSM crypto discovered over the years, none of them involve the ICC ID [?] as far as I know, there are no vulnerability or exploit methods involving the ICC ID."



The report also noted that Karsten Nohl, a "white hat GSM hacker and University of Virginia computer science PhD," informed them "that while text-message and voice security in mobile phones is weak," the "data connections are typically well encrypted [?] the disclosure of the ICC-ID has no direct security consequences."



At the same time, Nohl described AT&T's lapse in publishing the email information as grossly incompetent, saying, "it's horrendous how customer data, specifically e-mail addresses, are negligently leaked by a large telco provider."



Update: AT&T issued the following statement Wednesday regarding the breach:



"This issue was escalated to the highest levels of the company and was corrected by Tuesday. We are continuing to investigate and will inform all customers whose e-mail addresses... may have been obtained."
«1345

Comments

  • Reply 1 of 81
    sdw2001sdw2001 Posts: 17,035member
    Saw this on Drudge first. Well done, AT&T....you suck. Get off the stage, ho!
  • Reply 2 of 81
    sevenfeetsevenfeet Posts: 398member
    I read the Gawker article and nowhere in there does it indicate that Apple did anything wrong. This all seems to be AT&T's security breach. Why did Gawker implicate Apple in the title? First, the generate clicks and second, they are still pissed that Apple is pissed at them for calling the cops on them for the whole iPhone 4 brouhaha.



    Whatever journalistic integrity that Gawker had left (and that was very little), you'd think they'd get a headline right. Sadly, they don't have the integrity to even get that right.
  • Reply 3 of 81
    rod76rod76 Posts: 21member
    So I wonder how long it will be before I can collect my two Dollars of settlement money for this.



    AT&T is not making any friends!
  • Reply 4 of 81
    patranuspatranus Posts: 366member
    Quote:
    Originally Posted by Sevenfeet View Post


    I read the Gawker article and nowhere in there does it indicate that Apple did anything wrong.



    Because they know they are going to lose the farm so they might as well try and do as much damage to Apple as possible.
  • Reply 5 of 81
    sdw2001sdw2001 Posts: 17,035member
    I would enjoy getting back to how much AT&T sucks. Thank you.
  • Reply 6 of 81
    mactoidmactoid Posts: 112member
    AT&T does suck, but I really do think that the "hackers" responsible for the breach in security, if caught and convicted, should be publicly executed...burning at the stake would be quite satisfying.
  • Reply 7 of 81
    stevetimstevetim Posts: 482member
    If this is true, then the biggest issue to me is the lack of disclosure by ATT.
  • Reply 8 of 81
    spotonspoton Posts: 645member
  • Reply 9 of 81
    jdavyjdavy Posts: 66member
    Why must we continue with AT&T. They just continue to bring down great apple products. Let me know when someone other than AT&T is the service provider for the iPad and iPhone. I want to get in line.
  • Reply 10 of 81
    stevegmustevegmu Posts: 539member
    How is it an embarrassment for Apple? It wasn't their servers that were hacked.
  • Reply 11 of 81
    rbryanhrbryanh Posts: 263member
    "...another embarrassment for Apple."



    Certainly this impacts Apple customers, but wouldn't this more rightly be regarded as an embarrassment for AT&T?
  • Reply 12 of 81
    ihxoihxo Posts: 562member
    Quote:
    Originally Posted by Sevenfeet View Post


    I read the Gawker article and nowhere in there does it indicate that Apple did anything wrong. This all seems to be AT&T's security breach. Why did Gawker implicate Apple in the title? First, the generate clicks and second, they are still pissed that Apple is pissed at them for calling the cops on them for the whole iPhone 4 brouhaha.



    Whatever journalistic integrity that Gawker had left (and that was very little), you'd think they'd get a headline right. Sadly, they don't have the integrity to even get that right.



    LOL you really should have a look at gizmodo once a while, it's basically dedicated to ripping the iPhone apart now.
  • Reply 13 of 81
    cvaldes1831cvaldes1831 Posts: 1,832member
    Guys, guys. Gawker Media are turds.



    They claim that it's a "black eye" for Apple to get more pageviews, despite the fact (as many mentioned above) that this appears to strictly be an AT&T security issue.



    Also, this is a minor infantile retort since Apple shut out Gizmodo editors from the WWDC keynote. Gawker Media are a bunch of crybabies.
  • Reply 14 of 81
    2oh12oh1 Posts: 501member
    The only embarrassment for Apple is that they're stuck with AT&T (for reasons I definitely don't understand). Did you catch Jon Stewart slamming AT&T last night on The Daily Show? It kills me that I have to switch to an inferior network in order to have an iPhone.



    The pairing of Apple and AT&T really is odd.
  • Reply 15 of 81
    shobizshobiz Posts: 207member
    Unfortunate. I don't really do the bash AT&T. But... from personal experience you would think with all of the piles of processes and approvals required at AT&T this would not happen. Ah Cingular days....
  • Reply 16 of 81
    ghostface147ghostface147 Posts: 1,629member
  • Reply 17 of 81
    charlitunacharlituna Posts: 7,215member
    Quote:
    Originally Posted by Sevenfeet View Post


    I read the Gawker article and nowhere in there does it indicate that Apple did anything wrong. This all seems to be AT&T's security breach. Why did Gawker implicate Apple in the title? First, the generate clicks and second, they are still pissed that Apple is pissed at them for calling the cops on them for the whole iPhone 4 brouhaha.



    exactly. Hit fodder and sour grapes. On the one hand who can blame them. Apple cut all ads from them, Apple is complying with the DA on the iphone thing and then Apple wouldn't let the Giz guys come to WWDC and forced them to second hand report everything. They probably won't get invites to anything Apple ever and no more review copies of stuff. Forget that they did it themselves.
  • Reply 18 of 81
    oxygenhoseoxygenhose Posts: 236member
    Quote:
    Originally Posted by Sevenfeet View Post


    I read the Gawker article and nowhere in there does it indicate that Apple did anything wrong. This all seems to be AT&T's security breach. Why did Gawker implicate Apple in the title? First, the generate clicks and second, they are still pissed that Apple is pissed at them for calling the cops on them for the whole iPhone 4 brouhaha.



    Whatever journalistic integrity that Gawker had left (and that was very little), you'd think they'd get a headline right. Sadly, they don't have the integrity to even get that right.





    It's all post WWDC/we got caught stealing your iPhone spin. If iPad info was accessed so was Android and Blackberry users.



    If some group broke into AT&T, arrest them, prosecute and recover damages to fix the window glass & door locks that they broke. It's not like AT&T gave them the data... not talking about Google here.
  • Reply 19 of 81
    mazda 3smazda 3s Posts: 1,571member
    AI left out the best part. The group responsible for uncovering this hole is called Goatse Security
  • Reply 20 of 81
    cvaldes1831cvaldes1831 Posts: 1,832member
    Quote:
    Originally Posted by 2oh1 View Post


    The pairing of Apple and AT&T really is odd.



    About 70% of the planet uses GSM. The Apple iPhone is a GSM handset, there is no CDMA model.



    There are two GSM carriers in the United States: AT&T and T-Mobile. AT&T is far larger.



    Doesn't sound that odd to me.



    Note that in a Consumer Reports study of U.S. mobile operators, Verizon beat out AT&T, T-Mobile, and Sprint by a few points, just above the threshold of statistical significance (according to CR). I recall all the scores were bunched in the mid 70s. That essentially means that Verizon is a 37" giant in a kingdom of three-foot midgets.



    AT&T isn't much of a step down from Verizon unless you happen to live in an area that AT&T services poorly.
Sign In or Register to comment.