AT&T's iPad data breach: Don't panic
My colleague Cecilia Kang wrote up a good post about AT&T Wireless's inadvertent exposure of some account details of more than 114,000 Apple iPad 3G users. That breach, first reported by the gossip blog Gawker, sounds like scary stuff--these folks had their e-mail addresses and the ID numbers of the Subscriber Identity Module cards inside their tablet computers harvested by a hacking group.
The ruling classes appear to be well-represented among the 114,067 names on a list provided to Gawker. That site's Ryan Tate reported the victims included upper-level media-industry executives and senior staffers in all three branches of government, apparently including--to judge from the Gmail username--White House chief of staff Rahm Emanuel.
How did this happen? Tech-news blog Gizmodo, a sibling site of Gawker currently not on Steve Jobs' most-favored-reading list, posted an explainer last night. It boils down to the same factors behind many security breaches: a company wanted to make things easier for its customers, then forgot that there are people on the Internet, not all nice, who tinker with software.
AT&T set up its site to welcome iPad 3G users viewing their account from those devices: It recognized the "Integrated Circuit Card Identifier" wired into the iPad's micro-SIM card--also printed on the card's surface--before providing the e-mail address associated with that account, so that users only had to tap in their passwords. (You can see one such ICC ID in the photo above, showing an iPad 3G and its just-removed micro-SIM.)
Problem is, it's easy to make one Web browser impersonate another one. So if you know that ID numbers for iPad 3Gs follow a series, have a Web browser tell AT&T's site that it's Safari running on an iPad 3G and present an ICC number randomly picked from that series, and then script this brute-force attack--boom, you've got 114,067 names on a list.
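As an added illustration (not from the original post or from AT&T), here is how a defender could spot that pattern in request logs: a genuine iPad only ever presents its own ICC ID, so one client presenting many distinct IDs in a short window stands out no matter what its User-Agent claims. The log fields, window, threshold and sample records are all assumptions constructed for the example.

```python
from collections import defaultdict

# Constructed sample data: (epoch_seconds, client_ip, user_agent, icc_id).
# IPs are documentation ranges; ICC IDs are made-up 19-digit strings.
IPAD_UA = "Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X)"

def sample_log():
    rows = [
        (1000, "198.51.100.7", IPAD_UA, "9999000000000000017"),
        (4600, "198.51.100.7", IPAD_UA, "9999000000000000017"),
        (2000, "198.51.100.9", IPAD_UA, "9999000000000000025"),
    ]
    # One client presenting 40 different ICC IDs in 40 seconds.
    rows += [(3000 + i, "203.0.113.50", IPAD_UA, f"99990000000000{i:05d}")
             for i in range(40)]
    return rows

def find_enumerators(records, window=300, max_distinct=3):
    """Return {client_ip: peak count of distinct ICC IDs seen within any
    `window`-second span} for clients whose peak exceeds `max_distinct`."""
    by_client = defaultdict(list)
    for ts, ip, _ua, icc_id in records:
        # The User-Agent is ignored on purpose: the client controls it.
        by_client[ip].append((ts, icc_id))

    flagged = {}
    for ip, events in by_client.items():
        events.sort()
        counts = defaultdict(int)   # ICC ID -> occurrences inside the window
        start = peak = 0
        for ts, icc_id in events:
            counts[icc_id] += 1
            # Slide the window: drop events older than `window` seconds.
            while events[start][0] < ts - window:
                old = events[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            peak = max(peak, len(counts))
        if peak > max_distinct:
            flagged[ip] = peak
    return flagged

if __name__ == "__main__":
    print(find_enumerators(sample_log()))
```

Keying on client IP is itself an assumption: many cellular devices can share one carrier NAT address, so the threshold would need tuning against real traffic.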
But it's not so clear what harm could result from that exposure. Gawker melodramatically wrote that the 114,000-plus victims "could be vulnerable to spam marketing and malicious hacking." Well, you know what else can expose you to spam and hacking? Being on the Internet! It's a rare person who hasn't already had spam and virus e-mails land in their inbox. That's one reason why you don't use your primary e-mail account for most online commerce and instead let companies store a less valuable address in their databases.
The ICC number, in turn, doesn't seem to offer opportunities for mischief. The New York Times' story Thursday suggests that without breaking into far more secure databases, the number alone is useless.
So who suffers the most damage here? Easy: AT&T--which has already apologized and shut off the exploited feature--made itself look clumsy and careless. The term for that sort of thing is one you'll hear a lot over the next few weeks: an own goal.
June 10, 2010; 10:10 AM ET