'Brute force' script snatched iPad e-mail addresses
'No hack, no infiltration, no breach,' say security experts, just sloppy AT&T software
Computerworld - The harvesting of over 100,000 iPad 3G owners' e-mail addresses was not a hack or a classic data breach, but a brute-force attack of a minor feature AT&T offered to Apple customers, experts said Wednesday.
According to New York-based Praetorian Security Group, which obtained a copy of the PHP script used to scrape e-mail addresses from AT&T's servers, the attack succeeded because the mobile carrier used poorly designed software.
A nine-person hacking group known as Goatse Security claimed responsibility for the script, which amassed 114,000 e-mail addresses.
"There's no hack, no infiltration, and no breach, just a really poorly-designed Web application that returns e-mail address when ICC-ID is passed to it," Praetorian said in a late Wednesday entry on its security blog.
An ICC-ID (Integrated Circuit Card Identifier) is the unique number assigned to each SIM card. A mobile device's SIM stores information that identifies the specific wireless customer to his or her carrier. The iPad 3G contains a SIM card.
AT&T confirmed the nature of the attack to technology blog Gizmodo. Gawker, Gizmodo's parent Web site, first reported the e-mail harvesting Wednesday.
The script Praetorian made public was a "brute-force attack," according to AT&T's chief security officer Ed Amoroso, who spoke with Gizmodo.
When iPad 3G owners sign up for wireless data service with AT&T, the carrier detects the SIM's 19-digit ICC-ID -- essentially a serial number -- then asks for a contact e-mail address. AT&T uses the e-mail address to populate one of two log-in fields in the iPad's settings screen so that the user has to enter only a password to check his or her account status.
That same e-mail address was what the script harvested. E-mail addresses apparently belonging to New York Mayor Michael Bloomberg and top executives at Dow Jones, The New York Times Co. and Time Warner were among those collected.
AT&T turned off access to the feature Tuesday and apologized to customers in a statement it issued Wednesday. It also said that only e-mail addresses linked to each ICC-ID, not financial information or other personal data, was snatched from its servers.
AT&T did not respond to a request for further comment late Wednesday.
The disclosure of iPad owners' e-mail addresses was the second embarrassing story linked to Apple published by Gawker Media since April.
Two months ago, Gizmodo published photographs and an analysis of an iPhone prototype that it had bought from a California man who found it in a bar. Gizmodo was later denied a press pass to Apple CEO Steve Jobs' keynote at the Worldwide Developers Conference, where he introduced the already familiar-looking iPhone 4 on June 7.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at
@gkeizer, or subscribe to Gregg's RSS feed
. His e-mail address is gkeizer@ix.netcom.com.
Read more about Security in Computerworld's Security Topic Center.



- Excel 2010 Cheat Sheet
- Register for this Computerworld Insider Cheat Sheet and gain access to hundreds of premium content articles, guides, product reviews and more.
- Overcome Top 7 Admin Challenges of Active Directory
- As Active Directory's role in the enterprise has drastically increased, so has the need to secure the data. Gain insight on creating repeatable,...
- Insiders Can Ruin Your Company. Take Action.
- Did you know that 80 percent of threats to an organization come from the inside? The threat from insiders is often overlooked in...
- Top Solutions and Tools to Prevent Devastating Malware
- Custom malware frequently goes undetected. According to Forrester Research, the best way to reduce risk of breach is to deploy file integrity monitoring...
- X-Ray of the PCI Process-4 Proactive Steps
- This white paper from Forrester Research Inc., helps break PCI into understandable components. Security and risk professionals will gain knowledge and insight into...
- Identity Governance: The Business Imperatives
- This white paper describes the business challenges and opportunities that are driving interest in Identity Governance while discussing considerations your organization should make... All Security White Papers
- Live Webcast
Playing Defense: Staying on Top of Your Disaster Recovery Game - When it comes to disaster recovery, rapidly growing data volumes, distributed computing models, and new technologies all combine to present an ever-changing playing...
- Introduction to VMware vCenter Site Recovery Manager 5
- Traditional disaster recovery solutions are often too expensive, complex and unreliable to meet business requirements. As a result, IT departments are hesitant to...
- The Top Ten Secrets to Avoiding SAN Performance Problems
- Maintaining peak performance while simultaneously addressing the root cause of SAN errors is challenging. Learn the most common SAN problems and explore new...
- Deduplication Without Compromise
- Go inside Quantum's scalable, high-performance, multi-protocol new DXi deduplication appliances, designed to make backup much more effective. Discover how the new future-proof DXi6700...
- Director of Disk Products Discusses DXi6700
- Discover how the new DXi 6700 series of deduplication appliances provide investment protection and a future-proof feature set, all while delivering fast, scalable,...
- Playing Defense: Staying on Top of Your Disaster Recovery Game
- When it comes to disaster recovery, rapidly growing data volumes, distributed computing models, and new technologies all combine to present an ever-changing playing... All Security Webcasts