AT&T's iPad 3G Security Breach: What it Means to You
If you haven't already heard about the massive iPad security breach that was revealed late last week in an exclusive report by Gawker.com, here's the lowdown: an online security group exploited a vulnerability in AT&T's 3G network and through doing so gained access to at least 114,000 e-mail addresses and ICC IDs (integrated circuit card identifier), a digital identifier that associates SIM cards with the device they represent on AT&T's network. Topping the list of the 114,000 iPad 3G owners that were revealed to have been compromised were powerful CEOs, military personnel, political figures, entertainment personalities and more.
While no one likes to hear about anyone's personal security and privacy being compromised, the first question on most iPad 3G owners' minds is: was I affected? Answering this question isn't as simple as finding out whether your name made the list of 114,000 -- as there's no conclusive indication that the list of 114k individuals is the limit of the breach. Reports suggest that it is possible that every iPad 3G owner may have had their personal information leaked.
That said, it seems likely that there will be no conclusive way to determine whether your iPad 3G's ICC ID and associated email address(es) were victim to the breach. Instead, the best you can likely do is understand the potential impacts the breach can have.
Who was affected?
Again, while we know some of the people who were affected, you're likely not going to see your name on a publicized list unless you're Diane Sawyer, Michael Bloomberg, Rahm Emmanuel, Harvey Weinstein, or the like. It may be best to just assume the answer to this question is everyone.
Has the breach been resolved?
Yes.
When AT&T came clean and verified the existence of the breach, they also indicated that they had "turned off" the "feature" that leaked the email addresses and ICC IDs.
Who revealed the breach, and what are they doing with the leaked information?
The breach was highlighted by an online security group, that calls itself GoatSec (or Goatse Security). According to the group, their actions were a public service and do not constitute a violation or an intrusion of any kind.
Moreover, the group indicates that all personal information obtained during the exposure of AT&T's security breach has since been destroyed. A statement by the group, publicized in a Gawker.com follow-up to their original article, reads
"This disclosure needed to be made. iPad 3G users had the right to know that their email addresses were potentially public knowledge so they could take steps to mitigate the issue (like changing their email address). This was done in service of the American public. Do you really think corporate privacy breaches should stay indefinitely secret? I don't. If you're potentially on a list of exploit targets because someone has an iPad Safari vulnerability and they scraped you in a gigantic list of emails it is best that you are informed of that sooner than later (after you've been successfully exploited)....
All data was gathered from a public webserver with no password, accessible by anyone on the Internet. There was no breach, intrusion, or penetration, by any means of the word...
Your iPads are safer now because of us."
We'll leave it up to you to make your own judgements on the sincerity of GoatSec's statement.
Okay, so maybe they have my email and my ICC ID, what's the impact?
Alright, so maybe they have your email. Unless you're one of the lucky few out there, you're already getting junk mail and SPAM, which means plenty of seedy types already have your email. If not, maybe you'll start getting some. Passwords weren't compromised, so no one can read or otherwise access your email as a result of the breach. Worst case scenario? You'll need to get a better spam filter or change your email address.
As far as the ICC ID goes, there are varying reports on what someone with bad intentions could do with your ICC ID. The most likely answer seems to be nothing. The latest from Gawker indicated that in a certain scenario, knowledge of an iPad's ICC ID could lead to discovery of the devices physical location. Don't worry, as that certain scenario involved the hacking and exploit of internal AT&T databases with high levels of security and that are most likely not even connected to the internet.
Is law enforcement involved?
Yes, the FBI is investigating the event.
So is it safe to use my iPad 3G?
The New York Times has advised its employees to disable 3G access on their iPads. So should you do the same? We'll let you be the judge of that, but consider the following:
- AT&T pledges it has sealed the breach.
- The security group that exposed the breach, Goatse Security, indicated the leak was closed even before they revealed it.
- Apple has elected to remain silent, rather than urge owners to take action to protect their privacy.
Chances are, in the long run, this will end up being more of a black-eye to AT&T than a personal privacy nightmare for iPad owners. We'll keep updating all of you on the progression of this issue as new information and developments arise. Stay tuned.
If you have questions about the breach you'd like answered, pose them to the community in our forums. Visit the forum thread regarding the AT&T iPad 3G security breach.
Comments
June 13, 2010 Dear Valued AT&T Customer, Recently there was an issue that affected some of our customers wit
June 13, 2010
Dear Valued AT&T Customer,
Recently there was an issue that affected some of our customers with AT&T 3G service for iPad resulting in the release of their customer email addresses. I am writing to let you know that no other information was exposed and the matter has been resolved. We apologize for the incident and any inconvenience it may have caused. Rest assured, you can continue to use your AT&T 3G service on your iPad with confidence.
Here’s some additional detail:
On June 7 we learned that unauthorized computer “hackers” maliciously exploited a function designed to make your iPad log-in process faster by pre-populating an AT&T authentication page with the email address you used to register your iPad for 3G service. The self-described hackers wrote software code to randomly generate numbers that mimicked serial numbers of the AT&T SIM card for iPad – called the integrated circuit card identification (ICC-ID) – and repeatedly queried an AT&T web address. When a number generated by the hackers matched an actual ICC-ID, the authentication page log-in screen was returned to the hackers with the email address associated with the ICC-ID already populated on the log-in screen.
The hackers deliberately went to great efforts with a random program to extract possible ICC-IDs and capture customer email addresses. They then put together a list of these emails and distributed it for their own publicity.
As soon as we became aware of this situation, we took swift action to prevent any further unauthorized exposure of customer email addresses. Within hours, AT&T disabled the mechanism that automatically populated the email address. Now, the authentication page log-in screen requires the user to enter both their email address and their password.
I want to assure you that the email address and ICC-ID were the only information that was accessible. Your password, account information, the contents of your email, and any other personal information were never at risk. The hackers never had access to AT&T communications or data networks, or your iPad. AT&T 3G service for other mobile devices was not affected.
While the attack was limited to email address and ICC-ID data, we encourage you to be alert to scams that could attempt to use this information to obtain other data or send you unwanted email. You can learn more about phishing by visiting the AT&T website.
AT&T takes your privacy seriously and does not tolerate unauthorized access to its customers’ information or company websites. We will cooperate with law enforcement in any investigation of unauthorized system access and to prosecute violators to the fullest extent of the law.
AT&T acted quickly to protect your information – and we promise to keep working around the clock to keep your information safe. Thank you very much for your understanding, and for being an AT&T customer.
Sincerely,
Dorothy Attwood
Senior Vice President, Public Policy and Chief Privacy Officer for AT&T
Please do not reply to this email. This address is automated, unattended and cannot help with questions or requests.
© 2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.
psssh..this is a FREAKING JOKE! And people still want the damn thing. I bet AT&T is still hiding evidence of this
psssh..this is a FREAKING JOKE! And people still want the damn thing. I bet AT&T is still hiding evidence of this breach. A popular product that many a citizen will fall for.