Network News

X My Profile
View More Activity

AT&T's iPad data breach: Don't panic

My colleague Cecilia Kang wrote up a good post up about AT&T Wireless's inadvertent exposure of some account details of more than 114,000 Apple iPad 3G users. That breach, first reported by the gossip blog Gawker, sounds like scary stuff--these folks had their e-mail addresses and the ID numbers of the Subscriber Identity Module cards inside their tablet computers harvested by a hacking group.

ipad_sim_icc_id.jpg

The ruling classes appear to be well-represented among the 114,067 names on a list provided to Gawker. That site's Ryan Tate reported the victims included upper-level media-industry executives and senior staffers in all three branches of government, apparently including--to judge from the Gmail username--White House chief of staff Rahm Emanuel.

How did this happen? Tech-news blog Gizmodo, a sibling site of Gawker currently not on Steve Jobs' most-favored-reading list, posted an explainer last night. It boils down to the same factors behind many security breaches: a company wanted to make things easier for its customers, then forgot that there are people on the Internet, not all nice, who tinker with software.

AT&T set up its site to welcome iPad 3G users viewing their account from those devices: It recognized the "Integrated Circuit Card Identifier" wired into the iPad's micro-SIM card--also printed on the card's surface--before providing the e-mail address associated with that account, so that users only had to tap in their passwords. (You can see one such ICC ID in the photo above, showing an iPad 3G and its just-removed micro-SIM.)

Problem is, it's easy to make one Web browser impersonate another one. So if you know that ID numbers for iPad 3Gs follow a series, have a Web browser tell AT&T's site that it's Safari running on an iPad 3G and present an ICC number randomly picked from that series, and then script this brute-force attack--boom, you've got 114,067 names on a list.

But it's not so clear what harm could result from that exposure. Gawker melodramatically wrote that the 114,000-plus victims "could be vulnerable to spam marketing and malicious hacking." Well, you know what else can expose you to spam and hacking? Being on the Internet! It's a rare person who hasn't already had spam and virus e-mails land in their inbox. That's one reason why you don't use your primary e-mail account for most online commerce and instead let companies store a less valuable address in their databases.

The ICC number, in turn, doesn't seem to offer opportunities for mischief. The New York Times' story Thursday suggests that without breaking into far more secure databases, the number alone is useless.

So who suffers the most damage here? Easy: AT&T--which has already apologized and shut off the exploited feature--made itself look clumsy and careless. The term for that sort of thing is one you'll hear a lot over the next few weeks: an own goal.

By Rob Pegoraro  |  June 10, 2010; 10:10 AM ET
Categories:  Privacy , Security , Telecom  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   Del.icio.us   StumbleUpon   Technorati   Google Buzz   Previous: No HD for Strasburg: Pay TV as usual
Next: Google exhibits Bing envy with background-photo binge

Comments

To me this just qualifies as amusing, though people who try to keep their e-mail addresses private might not think so.

As an aside I find the idea of using multiple e-mail addresses to avoid spam a bit ridiculous at this point. I've had my primary e-mail address for over a decade and there is no way I'm going to change it. I've been on every spam list known to man, but to be honest, Yahoo is getting pretty darned good at filtering it out. Occasionally clicking the "spam" button or scanning the spam filter for false positives is no more annoying than monitoring a secondary e-mail address for stuff I might or might not want to see.

Posted by: slar | June 10, 2010 8:19 PM | Report abuse

The comments to this entry are closed.

 
 
RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company