'Brute force' script snatched iPad e-mail addresses
'No hack, no infiltration, no breach,' say security experts, just sloppy AT&T software
Computerworld - The harvesting of over 100,000 iPad 3G owners' e-mail addresses was not a hack or a classic data breach, but a brute-force attack of a minor feature AT&T offered to Apple customers, experts said Wednesday.
According to New York-based Praetorian Security Group, which obtained a copy of the PHP script used to scrape e-mail addresses from AT&T's servers, the attack succeeded because the mobile carrier used poorly designed software.
"There's no hack, no infiltration, and no breach, just a really poorly-designed Web application that returns e-mail address when ICC-ID is passed to it," Praetorian said in a late Wednesday entry on its security blog.
An ICC-ID (Integrated Circuit Card Identifier) is the unique number assigned to each SIM card. A mobile device's SIM stores information that identifies the specific wireless customer to his or her carrier. The iPad 3G contains a SIM card.
The script Praetorian made public was a "brute-force attack," according to AT&T's chief security officer Ed Amoroso, who spoke with Gizmodo.
When iPad 3G owners sign up for wireless data service with AT&T, the carrier detects the SIM's 19-digit ICC-ID -- essentially a serial number -- then asks for a contact e-mail address. AT&T uses the e-mail address to populate one of two log-in fields in the iPad's settings screen so that the user has to enter only a password to check his or her account status.
That same e-mail address was what the script harvested. E-mail addresses apparently belonging to New York Mayor Michael Bloomberg and top executives at Dow Jones, The New York Times Co. and Time Warner were among those collected.
AT&T turned off access to the feature Tuesday and apologized to customers in a statement it issued Wednesday. It also said that only e-mail addresses linked to each ICC-ID, not financial information or other personal data, was snatched from its servers.
AT&T did not respond to a request for further comment late Wednesday.
The disclosure of iPad owners' e-mail addresses was the second embarrassing story linked to Apple published by Gawker Media since April.
Two months ago, Gizmodo published photographs and an analysis of an iPhone prototype that it had bought from a California man who found it in a bar. Gizmodo was later denied a press pass to Apple CEO Steve Jobs' keynote at the Worldwide Developers Conference, where he introduced the already familiar-looking iPhone 4 on June 7.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed . His e-mail address is email@example.com.
Read more about Security in Computerworld's Security Topic Center.
- Mobile First: Securing Information Sprawl Learn how the partnership between Box and MobileIron can help you execute a "mobile first" strategy that manages and secures both mobile apps...
- Cybersecurity Imperatives: Reinvent your Network Security The Rise of CyberSecurity
- Surescripts Case Study- Securing Keys and Certificates Surescripts implemented Venafi's Trust Protection Platform™ to secure digital keys and certificates, ensure the privacy and confidentiality of electronic clinical information for its...
- Ponemon 2014 SSH Security Vulnerability Report According to research by the Ponemon Institute, 3 out of 4 enterprises have no security controls in place for SSH which leaves organizations...
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities.
- Deep Dive into Advanced Networking and Security with Hybrid Cloud Security and networking are among the top concerns when moving workloads to the cloud. VMware vCloud® Hybrid Service™ enables you to extend your... All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!