AT&T's iPad 3G Security Breach: What it Means to You

If you haven't already heard about the massive iPad security breach that was revealed late last week in an exclusive report by Gawker.com, here's the lowdown: an online security group exploited a vulnerability in AT&T's 3G network and in doing so gained access to at least 114,000 e-mail addresses and ICC IDs (integrated circuit card identifiers), digital identifiers that associate SIM cards with the devices they represent on AT&T's network. Topping the list of the 114,000 iPad 3G owners that were revealed to have been compromised were powerful CEOs, military personnel, political figures, entertainment personalities and more.

Seen above: The list of 114,000 email addresses leaked via the AT&T breach, printed out by Gawker.com.

While no one likes to hear about anyone's personal security and privacy being compromised, the first question on most iPad 3G owners' minds is: was I affected? Answering this question isn't as simple as finding out whether your name made the list of 114,000 -- as there's no conclusive indication that the list of 114k individuals is the limit of the breach. Reports suggest that it is possible that every iPad 3G owner may have had their personal information leaked.

That said, it seems likely that there will be no conclusive way to determine whether your iPad 3G's ICC ID and associated email address(es) were exposed in the breach. Instead, the best you can likely do is understand the potential impacts the breach can have.

Who was affected?

Again, while we know some of the people who were affected, you're likely not going to see your name on a publicized list unless you're Diane Sawyer, Michael Bloomberg, Rahm Emanuel, Harvey Weinstein, or the like. It may be best to just assume the answer to this question is everyone.

Has the breach been resolved?

Yes.

When AT&T came clean and verified the existence of the breach, they also indicated that they had "turned off" the "feature" that leaked the email addresses and ICC IDs.

Who revealed the breach, and what are they doing with the leaked information?

The breach was highlighted by an online security group that calls itself GoatSec (or Goatse Security). According to the group, their actions were a public service and do not constitute a violation or an intrusion of any kind.

Moreover, the group indicates that all personal information obtained during the exposure of AT&T's security breach has since been destroyed. A statement by the group, publicized in a Gawker.com follow-up to their original article, reads:

"This disclosure needed to be made. iPad 3G users had the right to know that their email addresses were potentially public knowledge so they could take steps to mitigate the issue (like changing their email address). This was done in service of the American public. Do you really think corporate privacy breaches should stay indefinitely secret? I don't. If you're potentially on a list of exploit targets because someone has an iPad Safari vulnerability and they scraped you in a gigantic list of emails it is best that you are informed of that sooner than later (after you've been successfully exploited)....

All data was gathered from a public webserver with no password, accessible by anyone on the Internet. There was no breach, intrusion, or penetration, by any means of the word...

Your iPads are safer now because of us."

We'll leave it up to you to make your own judgements on the sincerity of GoatSec's statement.

Okay, so maybe they have my email and my ICC ID, what's the impact?

Alright, so maybe they have your email. Unless you're one of the lucky few out there, you're already getting junk mail and spam, which means plenty of seedy types already have your email. If not, maybe you'll start getting some. Passwords weren't compromised, so no one can read or otherwise access your email as a result of the breach. Worst case scenario? You'll need to get a better spam filter or change your email address.

As far as the ICC ID goes, there are varying reports on what someone with bad intentions could do with your ICC ID. The most likely answer seems to be nothing. The latest from Gawker indicated that in a certain scenario, knowledge of an iPad's ICC ID could lead to discovery of the device's physical location. Don't worry: that scenario involved hacking and exploiting internal AT&T databases that have high levels of security and are most likely not even connected to the internet.

Is law enforcement involved?

Yes, the FBI is investigating the event.

So is it safe to use my iPad 3G?

The New York Times has advised its employees to disable 3G access on their iPads. So should you do the same? We'll let you be the judge of that, but consider the following:

  1. AT&T pledges it has sealed the breach.
  2. The security group that exposed the breach, Goatse Security, indicated the leak was closed even before they revealed it.
  3. Apple has elected to remain silent, rather than urge owners to take action to protect their privacy.

Chances are, in the long run, this will end up being more of a black eye for AT&T than a personal privacy nightmare for iPad owners. We'll keep updating all of you on the progression of this issue as new information and developments arise. Stay tuned.

If you have questions about the breach you'd like answered, pose them to the community in our forums. Visit the forum thread regarding the AT&T iPad 3G security breach.
