
AT&T hacked, iPad 3G owners' email addresses harvested

By Rene Ritchie, Thursday, Jun 10, 2010 at 2:16 am

Hackers found a way into AT&T's iPad 3G registry and, using a brute-force attack based on unique ICC-ID numbers, managed to pull down corresponding email addresses for those users -- who include members of the US military, executive branch, and media companies.

AT&T has since closed the vulnerability and issued the following statement:

"AT&T was informed by a business customer on Monday of the potential exposure of their iPad ICC IDS. The only information that can be derived from the ICC IDS is the e-mail address attached to that device.

This issue was escalated to the highest levels of the company and was corrected by Tuesday; and we have essentially turned off the feature that provided the e-mail addresses.

The person or group who discovered this gap did not contact AT&T.

We are continuing to investigate and will inform all customers whose e-mail addresses and ICC IDS may have been obtained.

We take customer privacy very seriously and while we have fixed this problem, we apologize to our customers who were impacted."

So once again it's the convenience of the cloud vs. the security of customer information. Increasingly we're trusting online accounts and services with our personal and financial information, and high-profile incidents like this, if nothing else, force everyone to re-examine what we trust and with whom.

How serious is this loss of data to you? Does it make you hesitant to sign up online or on-device?

[Gawker, who curiously call it an Apple security breach in the headline.]

Rene Ritchie

Editor-in-Chief of iMore, Executive Producer at Mobile Nations, co-host of Iterate and ZEN and TECH, cook, grappler, photon wrangler.

  1. Steve Jobs says:

    You're finished AT&T :(

  2. Martin says:

    "When provided with an ICC-ID as part of an HTTP request, the script would return the associated email address" such a newbish mistake really

  3. Big Marv says:

    AT&T drops the ball again! Which makes me worry because I have to reup for another two years to get the phone I want. Lame!

  4. Crunch says:

    To answer the question posed by the article, no, I won't change any "online habits" because of this, or Google's "China issue", to name another example.

    This can happen to almost any company who has any half-way significant online presence. Facebook, Twitter, and all the so-called "social networking" services, I do not trust, as the Terms of Conditions of all the intertwined services that ask you to "allow" the establishment of a permanent exchange of information with other similar sites, are bound to have conflicts of interest.

  5. niko360 says:

    I think it's time that Apple set up its own phone network for us iPhone and iPad users

  6. Macboy15 says:

    Gawker=Gizmodo. They have been trashing Apple for a week now. Ever since they didn't get that invite to WWDC.

  7. iPhoneMilk says:

    @Macboy15 I 100% agree Gawker is acting like a little 10 yr old child. All of their articles have been nothing but biased garbage.

  8. MrC says:

    It wasn't even really hacked. The security flaw was basically a public web page that gave out email addresses associated with the ICC-ID and was used as a convenience tool for iPad owners. I guess they didn't think that ICC-ID numbers would be guessed en masse...

    Besides not thinking through the security implications of someone doing just this, didn't they notice a particular user making a few too many requests to this page and making many invalid requests?

  9. iPhoneMilk says:

    *****THIS JUST IN, IMPORTANT NEWS*****

    I Stop going to gizmodo.com from now on.

  10. ghostface147 says:

    Haha....clowns.

  11. ChrisJ says:

    i see my email on list, yes? i have ipad but no mail from hacker. i not scared. many fake email about my ipad from hacker will be sent but i ignore. some may be tricked with a stick and pushed in pond. i still get new phone. we take risk. get life lock and man help you if someone steal you. i be your friend online. you trust me, yes?

  12. Steven says:

    All I can say is, "Wow, it's a great time to be a government employee." New iPads for all. How much do you think those will set us back? I wonder what they use them for?

  13. OmariJames says:

    At least it wasn't personal emails.

  14. Kintaro says:

    Doesn't it seem like a massively stupid idea to be hacking MILITARY accounts? Great move, hackers, you should have stolen financial data - instead of getting the most well funded and dangerous branch of the government on your butts

  15. Wyatt says:

    This is something that really shouldn't have happened in the first place. "the convenience of the cloud vs. the security of customer information"; no it was a plain old incompetence to leave such vulnerabilities open. It's no different than OSes and software which are not ready for primetime yet still released to the market and in less than a month security patches are issued after users easily find and complain about those same security issues first. Companies will continue to act in a reactive manner instead of a proactive responsible manner until something or someone puts their business in real jeopardy. These things happen all too often for my taste.

  16. jimbo says:

    @Rene

    Calling this "hacking" lets AT&T off the hook way too easily. As MrC pointed out, this was not hacking; this was AT&T leaving sensitive information out in the open, unprotected.

    @OmariJames/ChrisJ

    The email address is not the target; it is the ID, which exposes the user to increased risk of spying and real hacking. Say, for example, you dislike the current US administration and want to dig up some dirt on Rahm Emanuel (Obama's Chief of Staff, and a big iPad enthusiast), and his email address/ICC-ID pair was in the compromised list. If you can determine his ICC-ID from one of the emails in the compromised list, you can sniff traffic near his physical location, look for his ICC-ID, and you can track his network usage and habits pretty easily, and it potentially opens up avenues for some real individual hacking.

    That, and not the email address itself, is why this is a serious gaffe on AT&T's part.

  17. Jimbo says:

    Gawker calls this an Apple security issue for the same reason Rene calls this "hacking" - it is not strictly true, but it is close enough to avoid a lawsuit and a lazy shorthand that will draw people to read.

  18. Jimbo says:

    (In Jobsian "One More Thing" voice)

    Convenience of the cloud vs customer security? Rene, I am beginning to think you are as much of a shill for AT&T as you are for Apple.

    There was (and is) NO customer convenience to be had in keeping this information in a public, unencrypted area. None. The only benefit was to AT&T, who got to skip the steps involved in securing data to be transferred between specific, and, one hopes, internal, systems over the Internet. This also has nothing to do with cloud storage of data, since THIS WAS NOT DATA CUSTOMERS CHOSE TO STORE.

    An accurate line would have been "once again, it is corporate laziness versus the security of customer data."

  19. Toph says:

    As far as Gizmodo having some vendetta against Apple, that clearly shows you are just reading the apple stories. Gizmodo, and the entire Gawker network for that matter, is predicated on presenting the news in a snarky, humorous way. When they make a joke about that Apple's new glass claims are BS, they would do it for any company.

  20. iPhoneMilk says:

    Really Toph?

    Then show me one of their RECENT Android Articles then bashing Android.

  21. icebike says:

    The disclosure was Absolutely an AT&T problem.

    But I have to ask....

    Why did Apple supply AT&T with a customer's email address?

    AT&T doesn't ask for or require an Email address when you set up a new device, phone, net-card, Kindle, Nook, etc.

    So where did AT&T get the email address, and who gave it to them?

  22. billsv says:

    AT&T does require an email address to subscribe to their cellular data service for the iPad as well as a Credit Card. AT&T will not tell you anything about your account relative to this hacking. They arrogantly say if you did not get an email you were not affected. That did not create any confidence for me. I would think they would email all subscribers to their cellular data service for the iPad and tell them either their info was not compromised, what it was and if they were not compromised tell them that via an email. The lack of communication is inexcusable.

  23. Jaredkaragen says:

    I got an email..... It was obvious spam...

    Somehow it had a craigslist email address from a post I just made, my email, and the email address of a friend that is in my contact list...

    I don't doubt it was just aimed at the ipad....

  24. katypee says:

    everyone calm down this isn't a big deal. nobody important/smart uses apple products anyway.
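
The check MrC's comment (8) asks about, sketched as an added example that is not part of the original post or its comments: scan lookup-endpoint access logs and flag any client that asks for many different ICC-IDs or gets mostly invalid answers. The log format, the `/lookup` path, the thresholds and every log line are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed log format (assumption): "<ISO time> <client IP> <path?iccid=N> <HTTP status>"
LINE_RE = re.compile(r"^(\S+) (\S+) \S*[?&]iccid=(\d+) (\d{3})$")

def summarize(log_lines):
    """Per-client totals: requests, distinct ICC-IDs asked for, and misses (404)."""
    stats = defaultdict(lambda: {"requests": 0, "ids": set(), "misses": 0})
    for line in log_lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a lookup request
        _ts, client, iccid, status = m.groups()
        s = stats[client]
        s["requests"] += 1
        s["ids"].add(iccid)
        if status == "404":
            s["misses"] += 1
    return stats

def flag_enumerators(log_lines, max_distinct_ids=3, max_miss_ratio=0.5, min_requests=5):
    """Return {client: reasons} for clients whose lookups look like guessing."""
    flagged = {}
    for client, s in summarize(log_lines).items():
        reasons = []
        # A device owner normally looks up one ICC-ID: their own.
        if len(s["ids"]) > max_distinct_ids:
            reasons.append(f"{len(s['ids'])} distinct ICC-IDs")
        # Many invalid IDs from one client suggests a range is being walked.
        if s["requests"] >= min_requests and s["misses"] / s["requests"] > max_miss_ratio:
            reasons.append(f"{s['misses']}/{s['requests']} invalid")
        if reasons:
            flagged[client] = reasons
    return flagged

def build_sample():
    """Constructed sample: one owner re-checking one ID, one client walking a range."""
    lines = [f"2010-06-07T10:00:0{i} 198.51.100.7 /lookup?iccid=8901410000000000017 200"
             for i in range(3)]
    for i in range(12):
        status = "200" if i % 4 == 0 else "404"
        lines.append(f"2010-06-07T10:01:{i:02d} 203.0.113.9 "
                     f"/lookup?iccid={8901410000000000100 + i} {status}")
    return lines

if __name__ == "__main__":
    for client, reasons in flag_enumerators(build_sample()).items():
        print(client, "->", "; ".join(reasons))
```

Detection of this kind only limits the damage; the underlying fix is for the endpoint not to return an email address to an unauthenticated request keyed on a guessable identifier.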
