'Brute force' script snatched iPad e-mail addresses
'No hack, no infiltration, no breach,' say security experts, just sloppy AT&T software
Computerworld - The harvesting of over 100,000 iPad 3G owners' e-mail addresses was not a hack or a classic data breach, but a brute-force attack of a minor feature AT&T offered to Apple customers, experts said Wednesday.
According to New York-based Praetorian Security Group, which obtained a copy of the PHP script used to scrape e-mail addresses from AT&T's servers, the attack succeeded because the mobile carrier used poorly designed software.
"There's no hack, no infiltration, and no breach, just a really poorly-designed Web application that returns e-mail address when ICC-ID is passed to it," Praetorian said in a late Wednesday entry on its security blog.
An ICC-ID (Integrated Circuit Card Identifier) is the unique number assigned to each SIM card. A mobile device's SIM stores information that identifies the specific wireless customer to his or her carrier. The iPad 3G contains a SIM card.
The script Praetorian made public was a "brute-force attack," according to AT&T's chief security officer Ed Amoroso, who spoke with Gizmodo.
When iPad 3G owners sign up for wireless data service with AT&T, the carrier detects the SIM's 19-digit ICC-ID -- essentially a serial number -- then asks for a contact e-mail address. AT&T uses the e-mail address to populate one of two log-in fields in the iPad's settings screen so that the user has to enter only a password to check his or her account status.
That same e-mail address was what the script harvested. E-mail addresses apparently belonging to New York Mayor Michael Bloomberg and top executives at Dow Jones, The New York Times Co. and Time Warner were among those collected.
AT&T turned off access to the feature Tuesday and apologized to customers in a statement it issued Wednesday. It also said that only e-mail addresses linked to each ICC-ID, not financial information or other personal data, was snatched from its servers.
AT&T did not respond to a request for further comment late Wednesday.
The disclosure of iPad owners' e-mail addresses was the second embarrassing story linked to Apple published by Gawker Media since April.
Two months ago, Gizmodo published photographs and an analysis of an iPhone prototype that it had bought from a California man who found it in a bar. Gizmodo was later denied a press pass to Apple CEO Steve Jobs' keynote at the Worldwide Developers Conference, where he introduced the already familiar-looking iPhone 4 on June 7.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed . His e-mail address is firstname.lastname@example.org.
Read more about Security in Computerworld's Security Topic Center.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts