AT&T 'dishonest' about iPad attack threat, say hackers
Goatse claims it has iPad exploit that others could have used to hijack tablets
Computerworld - The hackers who harvested more than 100,000 Apple iPad 3G owner e-mail addresses blasted AT&T as "dishonest" today, and said the group has an exploit it or others could have used against all iPad owners.
The hacking group Goatse Security obtained the e-mail addresses using an automated PHP script that collected iPad 3G owners' ICC-ID numbers and associated addresses from AT&T's servers using a publicly-available feature of the carrier's Web site. AT&T disabled the feature last week, a day before the Valleywag Web site first reported the story.
On Sunday, AT&T used e-mail to apologize to customers for the hack, said Goatse "maliciously exploited a function designed to make your iPad log-in faster" and claimed the group "went to great efforts" to scrape information from its servers.
One member of Goatse took exception to AT&T's words.
"AT&T is being dishonest about the potential for harm," said Escher Auernheimer in a post today to the Goatse blog.
Specifically, said Auernheimer, other hackers armed with an iPad exploit could have used owner e-mail addresses in a targeted attack -- based on messages posing as ones from AT&T or Apple -- to hijack their tablets. "A complete list of iPad 3G customers, which could have been generated from this vulnerability [Goatse uncovered], would have the ideal bit of data for those ... with zero-day Safari exploits," Auernheimer argued.
Such a vulnerability exists, Auernheimer continued, noting that he had posted information and attack code for a Safari bug March 23. Apple has patched the flaw in the desktop version of Safari, but has yet to close the hole in the stripped-down browser on the iPad, he added.
"We released this in March, mind you, and Apple still hasn't got around to patching this on the iPad!" said Auernheimer.
Last week, Apple patched 48 vulnerabilities in Safari for Mac OS X and Windows -- the first update since Auernheimer went public with his integer overflow bug. None of the 48 patched vulnerabilities, however, was credited to Auernheimer or Goatse.
Auernheimer did not reply to e-mail asking him to point out the specific patch that fixed the vulnerability he disclosed in March.
Apple has said it will update the iPad to iOS4 -- its next-generation operating system -- sometime this fall. Unless it ships a rush patch in the interim, the iOS4 upgrade would be the first opportunity for the company to quash the bug Auernheimer claims is in Safari on the tablet.
Auernheimer also said AT&T downplayed the ease with which someone other than Goatse could have beaten the group to the e-mail vulnerability. In the Sunday message to customers, AT&T said Goatse "deliberately went to great efforts with a random program to extract possible ICC-IDs and capture customer e-mail addresses."
"I'll tell you this, the finder of the AT&T e-mail leak spent just over a single hour of labor total, not counting the time the script ran with no human intervention, to scrape the 114,000 e-mails," said Auernheimer. "If you see this as 'great efforts,' so be it. [But] at any given moment, whatever efforts us [sic] researchers are making are dwarfed by those in the thrall of evil. So get real."
In his blog post today, Auernheimer again defended Goatse's release of the e-mail addresses to ValleyWag last week. "We did it as a service to our nation. We love America and the idea of the Russians or Chinese being able to subvert American infrastructure is a nightmare," he said. "I will stand by the actions of my team and protect the finder of this bug no matter what the cost."
For its part, AT&T said it would cooperate with any investigation by authorities, including the Federal Bureau of Investigation (FBI), which has opened a probe to determine whether Goatse broke any federal laws. "We will ... prosecute violators to the fullest extent of the law," AT&T said in its e-mail to iPad 3G customers.
Saying that AT&T was out to "crucify" Goatse, Auernheimer suggested the carrier take a different approach.
"You f***ed up, we helped you that figure out and informed the public. You should thank us, but you can keep on s***-talking if you want. We know what we did was right," Auernheimer said.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is firstname.lastname@example.org.
- Office for iPad apps ring up 27M downloads
- Apple plays hardball with iPad Mini reveal
- Apple breezes to PC sales' top spot as Windows share decays
- Analyst tallies perks of September launch of new iPhone, iPad
- Analyst predicts stellar iPad sales in next week's Apple earnings
- Nexus 7 holds up better than iPad in drop, water-dunk tests
- With iPad Mini, Apple would remain tablet king through '16, says IDC
- Apple demands ipad3.com domain
- Chrome for iOS snatches top spot on App Store
- iPad in the Enterprise: IT Must Stay Ahead of the Curve
Read more about Security in Computerworld's Security Topic Center.
- The Pivotal Big Data Suite- Reducing the Risks of Big Data The explosion of big data and the rapid evolution of big data tools and technologies is challenging IT to meet the demands of...
- A Survival Guide for Data in the Wild All corporate data used to reside in the data center. Safe and sound behind the corporate firewall. But now, employees have multiple devices...
- Transforming Security: Designing a State-of-the-Art Extended Team The information security mission is no longer about implementing and operating controls.
- The Big Data Security Analytics Era Is Here New security risks and old security challenges often overwhelm legacy security controls and analytical tools.
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!