'Brute force' script snatched iPad e-mail addresses

'No hack, no infiltration, no breach,' say security experts, just sloppy AT&T software

The harvesting of over 100,000 iPad 3G owners' e-mail addresses was not a hack or a classic data breach, but a brute force attack of a minor feature AT&T offered to Apple customers, experts said Wednesday.

According to New York-based Praetorian Security Group, which obtained a copy of the PHP script used to scrape e-mail addresses from AT&T's servers, the attack succeeded because the mobile carrier used poorly-designed software.

A nine-person hacking group known as Goatse Security claimed responsibility for the script, which amassed 114,000 e-mail addresses .

"There's no hack, no infiltration, and no breach, just a really poorly-designed Web application that returns e-mail address when ICC-ID is passed to it," Praetorian said in a late Wednesday entry on its security blog .

An ICC-ID (Integrated Circuit Card Identifier) is the unique number assigned to each SIM card. A mobile device's SIM stores information that identifies the specific wireless customer to his or her carrier. The iPad 3G contains a SIM card.

AT&T confirmed the nature of the attack to technology blog Gizmodo. Gawker, Gizmodo's parent Web site, first reported the e-mail harvesting Wednesday.

The script Praetorian made public was a "brute force attack," according to AT&T's chief security officer Ed Amoroso, who spoke with Gizmodo.

When iPad 3G owners sign up for wireless data service with AT&T, the carrier detects the SIM's 19-digit ICC-ID -- essentially a serial number -- then asks for an contact e-mail address. AT&T uses the e-mail address to populate one of two log-in fields in the iPad's settings screen so that the user has to enter only a password to check his or her account status.

That same e-mail address was what the script harvested. E-mail addresses apparently belonging to New York Mayor Michael Bloomberg, and top executives at Dow Jones, the New York Times Company and Time Warner, were among those collected.

AT&T has turned off access to the feature Tuesday, and apologized to customers in a statement it issued Wednesday. It also said that only e-mail addresses linked to each ICC-ID, not financial information or other personal data, has been snatched from its servers.

AT&T did not respond to a request for further comment late Wednesday.

The disclosure of iPad owners ' e-mail addresses was the second embarrassing story linked to Apple published by Gawker Media since April.

Two months ago, Gizmodo published photographs and an analysis of an iPhone prototype that it had bought from a California man who found it in a bar. Gizmodo was later denied a press pass to Apple CEO Steve Jobs' keynote at the Worldwide Developers Conference (WWDC), where he introduced the already familiar-looking iPhone 4 on June 7.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer , or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@ix.netcom.com .

Read more about security in Computerworld's Security Topic Center.

Copyright © 2010 IDG Communications, Inc.

It’s time to break the ChatGPT habit
Shop Tech Products at Amazon