Hackers Nab iPad 3G Account List from AT&T [Updated]

| News

Hackers managed to find a way into AT&T’s servers and made off with the account info for thousands of iPad 3G owners. A copy of the list made its way to Gawker, the parent company of Gizmodo, who claims to have the names and email addresses of company CEOs, politicians and military officials.

Apparently the list of accounts includes some 114,000 names and was stolen with the help of a script that took advantage of a security vulnerability in AT&T’s servers. The hackers made off with account names, email addresses, and SIM card identifier numbers.

A group calling itself “Goatse Security” claims to be behind the data security breach and said it used a script that’s openly available on AT&T’s Web site to make off with the account information coupled with some PHP code they crafted.

While the stolen account information can be used to spam iPad users, so far it looks like the hackers won’t be able to use the data to gain access to individual iPads. According to University of Virginia Computer Science PhD, Harsten Nohl, “Data connections are typically well encrypted… the disclosure of ICC-ID [SIM card codes] has no direct security consequences.”

“AT&T was informed by a business customer on Monday of the potential exposure of their iPad ICC IDS. The only information that can be derived from the ICC IDS is the e-mail address attached to that device,” AT&T spokesperson Mark Siegel told The Mac Observer. “This issue was escalated to the highest levels of the company and wascorrected by Tuesday; and we have essentially turned off the featurethat provided the e-mail addresses.”

He added that the “person or group who discovered this gap did not contact AT&T.”

While the security flaw the hackers took advantage of has been addressed, the company is still looking into the incident. “We are continuing to investigate and will inform all customers whose e-mail addresses and ICC IDS may have been obtained. We take customer privacy very seriously and while we have fixed this problem, we apologize to our customers who were impacted,” Mr. Siegel said.

[This article has been updated with AT&T’s statement regarding the incident.]

Comments

Bosco (Brad Hutchings)

I think Nemo can remind us of one of the reasons Apple cited in it’s response to the FCC concerning Google Voice. If I remember correctly, and it’s been a long day, so perhaps I don’t quite have the story right, Apple was concerned about the data handling practices of Google and thus, the privacy of Apple’s customers. Ironic.

warlock

This just goes to prove that AT@T is a crappy company and that their management & IT people must have mush for brains or their collective heads crammed deeply into the dirt I would have said it a bit different, but this is a public venue.

Jeff Gamet

AT&T gave us a statement that I added to the article.

The upside: AT&T has already dealt with the security flaw. The downside: Users that are on the stolen data list didn’t find out until the information hit the media.

Lee Dronick

Is this them http://security.goatse.fr/

Jeff Gamet

Yes, Sir Harry, that’s the right site. I’m glad they at least went with the Illustrator graphic for their logo instead of the actual photo. That’s an image you can never un-see.

Bosco (Brad Hutchings)

That’s them. Good thing AT&T “closed that hole” quickly.

(OMG, Goatse is going to make it into mainstream media. This is an amazing moment for the Internet!)

Lee Dronick

Yes, Sir Harry, that?s the right site. I?m glad they at least went with the Illustrator graphic for their logo instead of the actual photo. That?s an image you can never un-see.

Well I am sorry to admit that I had never heard of goatse until today, but then I thought the person Jay Lowe was a guy (I need to get up to speed on pop culture). Now I am sorrier to say that I did a “deeper” web search on goatse. Searchers beware, that image as Jeff is said can never be un-seen. Anyway, from what I read during my search, the domain name was sold some time ago and I don’t think that these hackers are the original owners.

Tiger

I smell subpoenas and indictments coming. Made off with, hacked into, stolen data? How about criminal intent and felony charges?

Not to mention Gizmodo again in possession of KNOWN stolen data. Their chutzpa knows no bounds.

And instead of discovering the flaw and notifying AT&T, they instituted a script to rapidly steal information on 114,000 iPad users.  Let’s see them talk themselves out of THAT stupid hole they dug. Five or ten users information is one thing, but actively then STEALING 114,000? That demonstrates criminal intent.

Nemo

Dear Bosco:  You’ve a point.  The list of names was stolen from AT&T, while Google only provides and/or uses private information for profit, as set forth in its applicable Privacy Policies.  So I suppose, one must choose between either AT&T’s incompetence or Google’s corruption.  It is a difficult choice, but I will go with AT&T, because AT&T, at least on Apple’s iOS devices, is constrained by Apple’s Privacy Policy, Section 3.3.8, and can become competent on security tomorrow, while corruption is a defect in character and culture, which tends to be enduring. 

But I forgot about that breach of Google’s servers by what appears to have been the Chinese government that quite possible will result in the death or long and brutal imprisonment of Chinese dissidents, so Google is both corrupt and incompetent.  Therefore, I am definitely going with AT&T.

geoduck

And the sleezeballs that are Gawker say this is Apple’s worst security breach. It’s AT&T, not Apple. The only reason to put it that way is to try to throw some mud.
http://gawker.com/5559346/
I have never run across a more pathetic, weasely, slimy excuse for a ‘news’ outlet. They’re worse than Fox.

Lee Dronick

And the sleezeballs that are Gawker say this is Apple?s worst security breach. It?s AT&T, not Apple.

I am seeing on a number of news sites that it is Apple’s security breach, the talking head TV reporters will be saying the same thing tomorrow.

i followed the link to Gawker, they are getting reamed in the comments section.

security.goatse.fr is in Paris, I wonder if they broke any laws French laws with this break in.

Bosco (Brad Hutchings)

Well, actually, Apple is somewhat at fault for this breech. Note this description from the article:

To make AT&T’s servers respond, the security group merely had to send an iPad-style “User agent” header in their Web request. Such headers identify users’ browser types to websites.

This means that the script in question is intended to be run exclusively from an HTTP agent on the iPad. Since it can grab the ICC ID, that agent is probably not an HTML5 application running in the browser sandbox. It is most certainly related to the 3G sign-up process. Thus, the security of that communication is within the realm of responsibility of Apple.

But that’s not what’s really interesting to me. What’s really interesting is that you guys in the comments are going all “Gizmodo” on Gawker, questioning whether what was done here is criminal or whether they might be criminally responsible for acquiring that information. That is where they have you, and may even have Steve and his attorneys. Steve got lots of advice last time that the last thing he wanted to do was get in a pissing patch with these people. He would rather quit than back down, of course. Which means, he will likely over-REACT again and more people will realize what a nut job he has become. Bet on it.

Bosco (Brad Hutchings)

Ah yes, it turns out I was more than correct with my assumption about the utility of the script that got exploited. See this article on Gizmodo.

Nemo

Bosco:  I am beginning to be concerned for you.  I just read the article in Gizmodo that you cited, supra, and there is nothing there that even slightly suggest that Apple is responsible for AT&T’s security breach.  First, the AT&T representative makes it clear that AT&T implemented the feature for the convenience of logging into email on the iPad.  “That’s the feature GoatSec exploited, using a script that Amoroso describes as a “brute force attack,” trying ICC-IDs as part of an HTTP request until they gave up an email address.”  In other words, it was brute force attack against AT&T’s servers.  In answering whether AT&T could suffer another such breach of its security, he said:  “Could it happen again? Well, Amoroso says “as we innovate on the provisioning process, reinventing the way we provision service, there will be growing problems,” and “you can probably think of a lot of features because the community went through some sort of security issue that requried some hardening.” So: maybe. It’s the classic tradeoff between convenience and privacy.”  And it was AT&T that made the trade off, not Apple.  Nothing in the quotes, supra, or the rest of the article says or even hints that Apple is in any way responsible, and I defy you to find any language to the contrary. 

That not even Gizmodo draws the conclusion that Apple is at fault is pretty damn conclusive, given that Gizmodo, like the rest of the Gawker organization, wouldn’t miss an opportunity to kick Apple.

Were you simply counting on no one reading the article and taking your word, of all people’s words, that Apple was at fault for this security breach?  Or have you lost the ability to perceive things in a manner that correspond to reality, whenever Apple is mentioned, so that, whatever the facts, you will twist the facts to suit the shape of your latest Apple rant?  Even if what you say is true, that the HTTP code ran from an agent on the iPad, it is still AT&T that enabled that agent with the code on its website and is responsible for making sure that the log-in process operated securely—just as was AT&T that had the ability to quickly shut the feature off. 

Are you saying that Apple mandated that AT&T put the flawed code on its, AT&T’s, website?  And if you are saying that, what is your evidence?  For without evidence for such a statement, any such statement would be libelous.

Bosco, I’ve talked to a few developers about Apple’s recent policies.  Most don’t have any problem with Apple’s policies.  They just want to make money.  And they want their legal questions answered, and for certain controversial areas, they want advice.  Those who object find one or more of the policies only irritating.  It is a business decision:  They are either going to develop for Apple pursuant to its polices, or they aren’t.  End of story.  But you are unique in my experience in your hatred of Apple and Steve Jobs.  Your rage either has a personal basis, or you are a troll, or you are nuts.

Bosco (Brad Hutchings)

Nemo, you’re blind. Please look at this picture:

http://cache.gawkerassets.com/assets/images/4/2010/06/500x_attipad3g.jpg

Now, what “app” is that in? That app calls the script on the web site to do its magic. Who do you think wrote that app? Hint: it starts with “app” and ends with “le”.

If you had ever written an app that passes customer data to a web site, you would know without even thinking about it that there is a potential security hole and you need to tread carefully. Because any hacker with a sniffer will take a look at the data that goes up and comes back. Especially if your “app” is being used by millions of people.

Apple and AT&T didn’t tread carefully. Simple as that. It’s likely a similar problem for international carriers as well. You heard it from me first.

Bosco (Brad Hutchings)

Are you saying that Apple mandated that AT&T put the flawed code on its, AT&T?s, website?? And if you are saying that, what is your evidence?? For without evidence for such a statement, any such statement would be libelous.

Oh, and by the way, so sue me. Nemo, when it comes to how software works, you are such an ignorant [censored], it’s not even funny. There is obviously a “protocol” here between client app (Settings) and server (run by AT&T). Client app sends some data and expects something back. Server delivers it back. Client app is able to send an ICC-ID which should not be (and likely is not) available to any HTML5-based app. So you explain to me how non-vetted AT&T code on the client side does this. Please. I’m listening.

And to suggest that because a journalist who works for Gawker didn’t pick up on this point means that the point is invalid is just raping the concept of logic. Most tech journalists (like most lawyers) do not have knowledge or experience to comment on how things like communication protocols that end up leaking personal data on 114K people actually work.

Nemo

Bosco:  If AT&T didn’t want to permit, support, and approve the client side code that you complain of, assuming it is that code allowed access to AT&T’s servers, it wouldn’t have had any effect on AT&T’s website and certainly wouldn’t have revealed any customer’s name and/or email address, unless AT&T approved and supported it in the HTML code on its website.  And it is AT&T that is responsible for the operation and security of its network.  So, even if what you are suggesting—that Apple wrote the client side code on the iPad that allowed Goatse Security to misappropriate the victims’ name and email addresses on AT&T’s servers—is true, it was AT&T that supported that code in the HTML on its website.  Or sense you are being particularly dense on this point, run the code that you are complaining about against any other ISP’s website or now, even against AT&T’s website, and, unless that ISP is running on its website the same code that AT&T was running on its website, you will get nothing.  AT&T could have declined to support the iPad’s client app that you think is responsible, so nothing would have been called and, therefore, nothing would have been revealed.  It is that simple.

And, as far as can be determined from open-source intelligence, AT&T has not in its contractual relations with Apple ceded the control and operation of its network to Apple.  That is, while Apple and AT&T certainly cooperate to support Apple’s iOS devices on AT&T’s network, by all accounts, AT&T has never done anything more than negotiate the price and type of services available to Apple’s iOS devices, while maintaining full authority over how its network operates and what client side code and services that it, AT&T, will support on its network.  Thus, the security flaw is, based on the public information that I’ve seen, AT&T’s fault for approving and supporting that client side code on the iPad, assuming, of course that what you insinuate is even close to being accurate.  Unless you have some facts to the contrary, your baseless insinuation that Apple is a fault for this security flaw is a wrong and scurrilous libel.

Do you get it now?

Bosco (Brad Hutchings)

Nemo, funny how you so quickly reveal how you don’t know what you are talking about:

unless AT&T approved and supported it in the HTML code on its website. 

HTML is a web page presentation language, not a server-side scripting language. From there your argument just untangles. And no, you don’t get a “we know what you meant” Mulligan.

I thought that Apple’s developer terms strictly covered use of private information sent to servers. I thought that was the point of the whole approval system. Maybe it just doesn’t apply to big/favored partners included on all US shipped devices when they are hurrying it out the door. But that’s how Apple is selling the whole approval process—as protecting users from breaches like this. The client-side code that did this is app code, not web page code.

Does Apple QA not even hook these up to sniffers and look at what they are sending out—out of the box? Hell, Microsoft has been explicitly doing that for more than a decade. I once saw a bank of computers in Redmond dedicated to just that particular task.

Nemo

Bosco:  The most prominent thing revealed here is how far you will go bend the truth to present a false argument.  As AT&T’s representative, Mr. Amoroso, revealed in the quotes, supra, AT&T controlled the HTML on its website and easily and quickly recoded its webpage to removed the code that allowed an iPad user to log-in to his mail account without typing in his email address.  That made whatever was on the iPad’s side useless.  That is what I said, and trying to distract with a quibble about server-side as opposed to HTML simply shows how powerless you are to address the argument:  AT&T was and is the master of its servers and its website; AT&T is the expert on its website and servers; AT&T had the technical ability to support or not support on its website whatever code on the iPad that may have allowed Goatse Security to access the victims’ email addresses on its, AT&T’s, servers.  Therefore, AT&T could have and should have refused to support the client code on the iPad, as it does with any other client, that could compromise the security of its servers.  That’s the argument, and you have nothing to rebut it.

Apple’s privacy policy clearly does not apply here and is not even relevant to the instant security breach.  First, as Mr. Amoroso made clear, the information that Goatse Security used was not private information.  “When you sign up for 3G service on iPad, AT&T looks at the SIM serial number, which Amoroso says “is not a secret, like the serial number on the dishwasher, . . .”  Therefore, it does not come within the scope of Section 3.3.8.  Second,  Apple’s Privacy Policy deals with the information that third parties acquired from users of Apple’s iOS devices by use of the third party’s software.  By your own statements that is not what happened here, since the user is voluntarily sending non-private information to AT&T’s website.  Thus, Section 3.3.8 does not deal with circumstances presented here.  So your thought that Apple’s privacy policy gives it some authority and, thus, responsibility for the data sent to AT&T’s website is, like so many of your thoughts, in error. 

And your statement that Apple is selling its approval process as protecting users from the type of situation here is nothing more than errant nonsense, because Apple has never done any such thing.  Apple’s privacy policy deals with third parties taking private information from customers without their consent.  That didn’t happen here.  Here the information that AT&T got was provided with consent; it wasn’t private information, and it was Goatse Security, not AT&T, that misappropriated the information and misused it.  Goatse Security has no contractual relationship with Apple, and, therefore, can’t possibly be bound by Apple’s privacy policy.

As for you comments about Microsoft sniffing what its mobile devices send to third party vendors, that sounds like a load of bull to me, and I don’t believe it.  Now, Microsoft might sniff what its mobile devices send to its servers, but sniffing what’s sent to third party servers is both practically impossible and would be, I think, if done without the customer’s consent, a severe violation of privacy.

Bosco, we’ve come to the end of the line.  The Bible, I believe, has a saying:  He, who disputeth with a fool, is himself a fool.  With this closing missive, I end the folly of disputing with you.

geoduck

Nemo
I sent you Private Message via the TMO Forum Mail

Lee Dronick

As I predicted the talking heads on TV news are reporting this as an iPad problem. This morning on MSNBC Tamron Hall got it incorrect.

Bosco (Brad Hutchings)

Forest through the trees, Nemo… In the US, there is one carrier that iPad 3G works on. It’s connection and sign-up software ships in the iPad. And Apple bears no responsibility at all for ensuring that the process doesn’t expose private data.

If you say so.

In the next couple of months, I will probably have to fulfill the obligations of a wager and write a serious essay extolling the “one widget” philosophy behind the iPad. If I’m gonna do that, it would be nice if you guys still believed in it.

Bosco (Brad Hutchings)

As for you comments about Microsoft sniffing what its mobile devices send to third party vendors, that sounds like a load of bull to me, and I don?t believe it.? Now, Microsoft might sniff what its mobile devices send to its servers, but sniffing what?s sent to third party servers is both practically impossible and would be, I think, if done without the customer?s consent, a severe violation of privacy.

Reading comprehension problem much? I was talking about what Microsoft and Apple ship out, not arbitrary third party software. Third party software that is part of the installed, shipping product counts though. Even back in the mid 90s, Apple had the sense to actually audit even clickable URLs in third party software it considered including pre-installed on Macs—requiring that they remain active for several years. Went through that process, then Steve “killed” OpenDoc.

Nox

Log-in to comment