AT&T 'dishonest' about iPad attack threat, say hackers
Goatse claims it has iPad exploit that others could have used to hijack tablets
Computerworld - The hackers who harvested more than 100,000 Apple iPad 3G owner e-mail addresses blasted AT&T as "dishonest" today, and said the group has an exploit it or others could have used against all iPad owners.
The hacking group Goatse Security obtained the e-mail addresses using an automated PHP script that collected iPad 3G owners' ICC-ID numbers and associated addresses from AT&T's servers using a publicly-available feature of the carrier's Web site. AT&T disabled the feature last week, a day before the Valleywag Web site first reported the story.
On Sunday, AT&T used e-mail to apologize to customers for the hack, said Goatse "maliciously exploited a function designed to make your iPad log-in faster" and claimed the group "went to great efforts" to scrape information from its servers.
One member of Goatse took exception to AT&T's words.
"AT&T is being dishonest about the potential for harm," said Escher Auernheimer in a post today to the Goatse blog.
Specifically, said Auernheimer, other hackers armed with an iPad exploit could have used owner e-mail addresses in a targeted attack -- based on messages posing as ones from AT&T or Apple -- to hijack their tablets. "A complete list of iPad 3G customers, which could have been generated from this vulnerability [Goatse uncovered], would have the ideal bit of data for those ... with zero-day Safari exploits," Auernheimer argued.
Such a vulnerability exists, Auernheimer continued, noting that he had posted information and attack code for a Safari bug March 23. Apple has patched the flaw in the desktop version of Safari, but has yet to close the hole in the stripped-down browser on the iPad, he added.
"We released this in March, mind you, and Apple still hasn't got around to patching this on the iPad!" said Auernheimer.
Last week, Apple patched 48 vulnerabilities in Safari for Mac OS X and Windows -- the first update since Auernheimer went public with his integer overflow bug. None of the 48 patched vulnerabilities, however, was credited to Auernheimer or Goatse.
Auernheimer did not reply to e-mail asking him to point out the specific patch that fixed the vulnerability he disclosed in March.
Apple has said it will update the iPad to iOS4 -- its next-generation operating system -- sometime this fall. Unless it ships a rush patch in the interim, the iOS4 upgrade would be the first opportunity for the company to quash the bug Auernheimer claims is in Safari on the tablet.
Auernheimer also said AT&T downplayed the ease with which someone other than Goatse could have beaten the group to the e-mail vulnerability. In the Sunday message to customers, AT&T said Goatse "deliberately went to great efforts with a random program to extract possible ICC-IDs and capture customer e-mail addresses."
"I'll tell you this, the finder of the AT&T e-mail leak spent just over a single hour of labor total, not counting the time the script ran with no human intervention, to scrape the 114,000 e-mails," said Auernheimer. "If you see this as 'great efforts,' so be it. [But] at any given moment, whatever efforts us [sic] researchers are making are dwarfed by those in the thrall of evil. So get real."
In his blog post today, Auernheimer again defended Goatse's release of the e-mail addresses to ValleyWag last week. "We did it as a service to our nation. We love America and the idea of the Russians or Chinese being able to subvert American infrastructure is a nightmare," he said. "I will stand by the actions of my team and protect the finder of this bug no matter what the cost."
For its part, AT&T said it would cooperate with any investigation by authorities, including the Federal Bureau of Investigation (FBI), which has opened a probe to determine whether Goatse broke any federal laws. "We will ... prosecute violators to the fullest extent of the law," AT&T said in its e-mail to iPad 3G customers.
Saying that AT&T was out to "crucify" Goatse, Auernheimer suggested the carrier take a different approach.
"You f***ed up, we helped you that figure out and informed the public. You should thank us, but you can keep on s***-talking if you want. We know what we did was right," Auernheimer said.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is firstname.lastname@example.org.
- Apple plays hardball with iPad Mini reveal
- Apple breezes to PC sales' top spot as Windows share decays
- Analyst tallies perks of September launch of new iPhone, iPad
- Analyst predicts stellar iPad sales in next week's Apple earnings
- Nexus 7 holds up better than iPad in drop, water-dunk tests
- With iPad Mini, Apple would remain tablet king through '16, says IDC
- Apple demands ipad3.com domain
- Chrome for iOS snatches top spot on App Store
- iPad in the Enterprise: IT Must Stay Ahead of the Curve
- Skepticism mounts over Windows RT's enterprise role
Read more about Security in Computerworld's Security Topic Center.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts