FBI investigates iPad-AT&T breach as blame game plays out

Security experts have begun parsing the blame for the iPad-AT&T security breach that exposed the email addresses of some high-profile users.

Meanwhile, the FBI has launched an official investigation of a caper in which the perpetrators, greyhat researchers calling themselves Goatse Security, freely claim responsibility for the attack.

“We believe what we did was ethical,” Goatse member Escher Auernheimer told PC World’s Greg Keizer in a telephone interview. “What we did was right.”

Auernheimer notes that Goatse waited until AT&T had closed the hole before outing the e-mail addresses it had grabbed. This, he contends, amounts to “responsible disclosure.”

Going public with the discovery of a fresh security hole is one thing. But actually taking advantage of the vulnerability to steal data is another. Pierce the privacy of high-powered, well-connected iPad users, and you wake the sleeping giant: the FBI.

“The disclosure was completely irresponsible,” says Sean Sullivan, Security Advisor at antivirus company F-Secure. “There is no reason why the Goatse Security group needed to harvest data. They only did it to sensationalize the issue and they are guilty of violating personal privacy.”

Celebrity quotient


Goatse researchers claim to have extracted 114,000 e-mail addresses, including those of many high-profile celebrities, athletes and politicos, among them New York City Mayor Michael Bloomberg, White House Chief of Staff Rahm Emanuel and movie producer Harvey Weinstein.

They did this by tricking AT&T’s servers into divulging the correct unique identifier for the iPad and associated e-mail addresses. The incident, no doubt, has worsened the already strained relationship between AT&T and Apple, says Rick Munarriz, senior analyst at The Motley Fool. iPhone and iPad users have complained about dropped calls, poor signals and expensive usage rates, notes Munarriz.

Jon Heimerl, Director of Strategic Security at Solutionary, a data security consulting company, believes AT&T is largely at fault for this latest stumble. “In no way is this an ‘iPad breach,’ ” says Heimerl. “This was someone grabbing information off of an AT&T server that was accidentally left exposed to the Internet.”

Hemanshu Nigam, founder of security consultancy SSP Blue, says Apple bears the largest share of culpability since it set the authentication requirements AT&T was required to follow.

“This is exactly where the flaw existed,” says Nigam, former security chief at MySpace. “Apple needs to start putting user security ahead of user convenience. The hacker community is obviously gearing up to dethrone the king and this is just another warning shot.”

More iPad attacks likely

Heimerl and Nigam do agree on this point: wider use of iPads, especially among movers and shakers, portends intensified hacks — by professional cybercriminals, not just security researchers looking to grab headlines.


“The iPad is a new product, and as such likely has unintended (security weaknesses) built in,” says Heimerl. “Odds are that someone will find something to hack in the device operating system, or in one of the primary applications that the iPad runs, like the Safari browser.”

Although email addresses in and of themselves may seem low value, “knowing these addresses opens them up to a large number of spammers and would-be social engineers that will now be checking every login field on the internet for accounts belonging to them,” says Jason Haddix, Security Engineer at Redspin.

Sam Diaz, senior editor at ZDNet, calls out Mayor Bloomberg and Chief of Staff Emanuel for owning iPads in the first place.

“What I would really want to know – given the volume of government officials whose official work e-mail addresses were found . . . is exactly who paid for all of these iPads that are reportedly in the hands of so many people in Washington,” Diaz writes in this post. “Last time I checked, the iPad was a pretty expensive device, especially for government agencies that probably have better uses for government dollars other than to buy iPads.”

iPad best security practices

In the wake of the breach, Rescuecom CEO David A. Milman suggests these precautions for iPad users:

  • Turn off the 3G Network. AT&T has stated that there is no more threat to customers. However, turning off 3G wireless Internet service, at least temporarily, will protect an individual’s personal data from any further attack.
  • Request a new SIM from AT&T. The ICC-ID number that the hackers breached is attached to each user’s SIM, the card linking an individual iPad to its user. Changing the SIM card would change the ICC-ID as well, rendering that information useless.
  • Change your iPad e-mail address. The simplest solution is to stop using the compromised e-mail address. AT&T states the only information illicitly obtained was users’ e-mail addresses. Changing your address would eliminate this threat.
  • Limit iPad usage. Using the iPad is, most likely, still safe. However, to best protect personal data, users should be careful what they use the iPad for. Avoid tasks such as mobile banking or anything that transmits personal information, especially when on a 3G network.

For those consumers who have not yet purchased an iPad, but were considering it, Milman recommends waiting at least six months for the manufacturer to work the major bugs out of the system.

“While most everyone is aware that security is important, very few of us understand what goes into securing the software, hardware, and networks that contain our most valuable asset, our identity,” says Milman. “AT&T’s breach is a perfect example of how at risk we are.”

By Byron Acohido
