AT&T 'dishonest' about iPad attack threat, say hackers
Goatse claims it has iPad exploit that others could have used to hijack tablets
Computerworld - The hackers who harvested more than 100,000 Apple iPad 3G owner e-mail addresses blasted AT&T as "dishonest" today, and said the group has an exploit it or others could have used against all iPad owners.
The hacking group Goatse Security obtained the e-mail addresses using an automated PHP script that collected iPad 3G owners' ICC-ID numbers and associated addresses from AT&T's servers using a publicly-available feature of the carrier's Web site. AT&T disabled the feature last week, a day before the Valleywag Web site first reported the story.
On Sunday, AT&T used e-mail to apologize to customers for the hack, said Goatse "maliciously exploited a function designed to make your iPad log-in faster" and claimed the group "went to great efforts" to scrape information from its servers.
One member of Goatse took exception to AT&T's words.
"AT&T is being dishonest about the potential for harm," said Escher Auernheimer in a post today to the Goatse blog.
Specifically, said Auernheimer, other hackers armed with an iPad exploit could have used owner e-mail addresses in a targeted attack -- based on messages posing as ones from AT&T or Apple -- to hijack their tablets. "A complete list of iPad 3G customers, which could have been generated from this vulnerability [Goatse uncovered], would have the ideal bit of data for those ... with zero-day Safari exploits," Auernheimer argued.
Such a vulnerability exists, Auernheimer continued, noting that he had posted information and attack code for a Safari bug March 23. Apple has patched the flaw in the desktop version of Safari, but has yet to close the hole in the stripped-down browser on the iPad, he added.
"We released this in March, mind you, and Apple still hasn't got around to patching this on the iPad!" said Auernheimer.
Last week, Apple patched 48 vulnerabilities in Safari for Mac OS X and Windows -- the first update since Auernheimer went public with his integer overflow bug. None of the 48 patched vulnerabilities, however, was credited to Auernheimer or Goatse.
Auernheimer did not reply to e-mail asking him to point out the specific patch that fixed the vulnerability he disclosed in March.
Apple has said it will update the iPad to iOS4 -- its next-generation operating system -- sometime this fall. Unless it ships a rush patch in the interim, the iOS4 upgrade would be the first opportunity for the company to quash the bug Auernheimer claims is in Safari on the tablet.
Auernheimer also said AT&T downplayed the ease with which someone other than Goatse could have beaten the group to the e-mail vulnerability. In the Sunday message to customers, AT&T said Goatse "deliberately went to great efforts with a random program to extract possible ICC-IDs and capture customer e-mail addresses."
"I'll tell you this, the finder of the AT&T e-mail leak spent just over a single hour of labor total, not counting the time the script ran with no human intervention, to scrape the 114,000 e-mails," said Auernheimer. "If you see this as 'great efforts,' so be it. [But] at any given moment, whatever efforts us [sic] researchers are making are dwarfed by those in the thrall of evil. So get real."
In his blog post today, Auernheimer again defended Goatse's release of the e-mail addresses to ValleyWag last week. "We did it as a service to our nation. We love America and the idea of the Russians or Chinese being able to subvert American infrastructure is a nightmare," he said. "I will stand by the actions of my team and protect the finder of this bug no matter what the cost."
For its part, AT&T said it would cooperate with any investigation by authorities, including the Federal Bureau of Investigation (FBI), which has opened a probe to determine whether Goatse broke any federal laws. "We will ... prosecute violators to the fullest extent of the law," AT&T said in its e-mail to iPad 3G customers.
Saying that AT&T was out to "crucify" Goatse, Auernheimer suggested the carrier take a different approach.
"You f***ed up, we helped you that figure out and informed the public. You should thank us, but you can keep on s***-talking if you want. We know what we did was right," Auernheimer said.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is firstname.lastname@example.org.
- Office for iPad apps ring up 27M downloads
- Apple plays hardball with iPad Mini reveal
- Apple breezes to PC sales' top spot as Windows share decays
- Analyst tallies perks of September launch of new iPhone, iPad
- Analyst predicts stellar iPad sales in next week's Apple earnings
- Nexus 7 holds up better than iPad in drop, water-dunk tests
- With iPad Mini, Apple would remain tablet king through '16, says IDC
- Apple demands ipad3.com domain
- Chrome for iOS snatches top spot on App Store
- iPad in the Enterprise: IT Must Stay Ahead of the Curve
Read more about Security in Computerworld's Security Topic Center.
- Mobile First: Securing Information Sprawl Learn how the partnership between Box and MobileIron can help you execute a "mobile first" strategy that manages and secures both mobile apps...
- Cybersecurity Imperatives: Reinvent your Network Security The Rise of CyberSecurity
- Surescripts Case Study- Securing Keys and Certificates Surescripts implemented Venafi's Trust Protection Platform™ to secure digital keys and certificates, ensure the privacy and confidentiality of electronic clinical information for its...
- Ponemon 2014 SSH Security Vulnerability Report According to research by the Ponemon Institute, 3 out of 4 enterprises have no security controls in place for SSH which leaves organizations...
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities.
- Deep Dive into Advanced Networking and Security with Hybrid Cloud Security and networking are among the top concerns when moving workloads to the cloud. VMware vCloud® Hybrid Service™ enables you to extend your... All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!