A security breach has exposed the e-mail addresses of iPad 3G owners, including dozens of CEOs, military officials, and top politicians, reports Gawker. They, and every other buyer of the cellular-enabled tablet whose address was harvested, could now be targets for spam marketing and malicious hacking.
Goatse Security, the group that discovered and exploited the security hole, alerted various members of the mainstream press via e-mail before granting Gawker an exclusive on the story. AT&T said late Wednesday that it has fixed the security hole.
The breach exposed a collection of early-adopter iPad 3G subscribers that includes thousands of A-listers in finance, politics and media, from New York Times Co. CEO Janet Robinson to Diane Sawyer of ABC News to film mogul Harvey Weinstein to Mayor Michael Bloomberg, as well as White House Chief of Staff Rahm Emanuel.
AT&T acknowledged the breach, reports the NY Times. It was first reported by Gawker late Wednesday, but AT&T sought to minimize its importance. The incident is likely to be a public relations black eye for AT&T, Apple’s partner, says the NY Times.
According to Gawker, the web security group that exploited vulnerabilities on the AT&T network exposed some 114,000 user accounts, although it is possible that confidential information about every iPad 3G owner in the U.S. has been exposed. Gawker contacted Apple for comment but has yet to hear back.
Goatse Security was able to snag that info from at least 114,000 subscribers using a convenience feature you probably never noticed, explains Gizmodo.
When you sign up for 3G service on the iPad, AT&T records the SIM card's serial number, the ICC-ID, which "is not a secret, like the serial number on the dishwasher," and asks for an e-mail address you would like to be contacted at. When you later open the AT&T website to check your data account from the iPad, the site reads the ICC-ID the device sends with the request and pre-populates your e-mail address from it, so you only have to type your password, not the address, every single time.
That is the feature Goatse Security exploited, says Gawker. The group wrote a script for what Gawker calls a "brute force attack": it sent HTTP requests carrying one candidate ICC-ID after another, and whenever the ICC-ID matched a subscriber the site gave up that subscriber's e-mail address. The ICC-ID was the only thing identifying the account, and nothing in the request proved the sender actually held that SIM. It is also why the damage appears to be limited to iPads' ICC-IDs and the e-mail addresses associated with them.
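To make the mechanism concrete, here is an added example that is not code from the article, from AT&T or from Goatse Security. It models the pre-fill lookup described above as a small Python service: a vulnerable handler that returns an e-mail address for any ICC-ID it recognises, the sequential enumeration that abuses it, a hardened variant in which the lookup key is a random per-device token issued at sign-up rather than the printed serial number, and a simple detector that flags one source asking about many different ICC-IDs. Every ICC-ID, e-mail address and subscriber record is constructed for the example; only the Luhn check digit mirrors how real ICC-IDs are formed, and the `8901` issuer prefix is an assumption, not AT&T's.

```python
"""Added example, not code from the article, AT&T or Goatse Security: a toy
model of the iPad pre-fill lookup, the enumeration that abused it, a hardened
variant, and a detector for enumeration traffic.  Every ICC-ID, e-mail address
and subscriber record here is constructed; only the Luhn check digit mirrors
how real ICC-IDs are built, and the '8901' prefix is an assumption."""
import secrets
from collections import defaultdict
from typing import Optional


def luhn_check_digit(body: str) -> str:
    """Luhn check digit that terminates an ICC-ID (same scheme as card numbers)."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch) * 2 if i % 2 == 0 else int(ch)
        total += d - 9 if d > 9 else d
    return str((10 - total % 10) % 10)


def make_iccid(seq: int, prefix: str = "8901") -> str:
    """Constructed 20-digit ICC-ID: assumed issuer prefix + sequence + check digit."""
    body = f"{prefix}{seq:015d}"
    return body + luhn_check_digit(body)


# Constructed subscriber table: a SIM batch whose ICC-IDs run in sequence.
SUBSCRIBERS = {make_iccid(seq): f"subscriber{seq}@example.com" for seq in range(5000, 5008)}


def prefill_email_vulnerable(iccid: str, user_agent: str) -> Optional[str]:
    """The flaw as the article describes it: a non-secret serial number selects
    the account, and the only gate is a User-Agent string any client can send."""
    if "iPad" not in user_agent:
        return None
    return SUBSCRIBERS.get(iccid)


def enumerate_iccids(start_seq: int, count: int) -> dict:
    """What the attackers' script did: walk candidate ICC-IDs and keep the hits.
    Because the check digit is deterministic, every candidate is well-formed."""
    spoofed_ua = "Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X)"
    hits = {}
    for seq in range(start_seq, start_seq + count):
        iccid = make_iccid(seq)
        email = prefill_email_vulnerable(iccid, spoofed_ua)
        if email is not None:
            hits[iccid] = email
    return hits


# Hardened variant: the lookup key is a random per-device token issued once at
# sign-up, so the ICC-ID printed on the SIM is no longer enough to ask for data.
DEVICE_TOKENS: dict = {}


def provision_device(iccid: str) -> str:
    """Issue an unguessable token for an enrolled ICC-ID (done at sign-up)."""
    if iccid not in SUBSCRIBERS:
        raise KeyError("unknown ICC-ID")
    token = secrets.token_urlsafe(32)
    DEVICE_TOKENS[token] = iccid
    return token


def prefill_email_hardened(device_token: str) -> Optional[str]:
    """Only a holder of the provisioned token gets the pre-filled address."""
    iccid = DEVICE_TOKENS.get(device_token)
    return SUBSCRIBERS.get(iccid) if iccid else None


def flag_enumerators(request_log, max_distinct_ids: int = 3) -> set:
    """Detection: one source asking about many distinct ICC-IDs is enumeration,
    not a tablet checking its own account.  request_log is (src_ip, iccid) pairs."""
    seen = defaultdict(set)
    for src_ip, iccid in request_log:
        seen[src_ip].add(iccid)
    return {ip for ip, ids in seen.items() if len(ids) > max_distinct_ids}


if __name__ == "__main__":
    leaked = enumerate_iccids(4995, 20)
    print(f"enumerating 20 sequential ICC-IDs leaked {len(leaked)} addresses")
    tok = provision_device(make_iccid(5003))
    print("hardened, valid token :", prefill_email_hardened(tok))
    print("hardened, guessed key :", prefill_email_hardened(make_iccid(5003)))
    log = [("10.0.0.1", make_iccid(5001))] * 5
    log += [("198.51.100.7", make_iccid(s)) for s in range(4990, 5010)]
    print("flagged sources       :", flag_enumerators(log))
```

The hardened handler changes the kind of key rather than the amount of checking: a 256-bit random token cannot be walked in sequence the way a serial number can, and a real deployment would also tie it to the account's password login. The detector is deliberately crude; the point is that a legitimate tablet only ever asks about its own ICC-ID, so a source that asks about more than a handful is worth blocking and logging.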
AT&T said it would notify affected customers. “We apologize to our customers who were impacted,” it said.