The good news is that the security breach on the iPad isn’t serious; it’s highly unlikely that information other than users’ e-mail addresses was exposed. The bad news, at least for AT&T, is that the flaw in its system that allowed the breach was easily avoidable.
So say mobile security researchers in the wake of the incident, which reportedly exposed the e-mail addresses and ICC IDs of more than 100,000 iPad 3G users, including employees at Homeland Security, the FCC and other high-level government offices.
“AT&T is definitely being cavalier with security,” says Chenxi Wang, a security and risk management analyst at Forrester Research. “It’s the integrity of their application: If they had done a better job securing and testing their application, then this wouldn’t have happened.”
The hack exposed users’ information by entering random ICC IDs into AT&T’s Web-based iPad support application until a valid match was found. Goatse Security, the self-proclaimed Internet watchdog group that discovered the breach, was then able to use the valid ICC ID to find the e-mail address connected to the code.
“It appears to be a parameter traversal attack, which is pretty low on the sophistication scale,” Wang says.
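As an added example (not from the article, AT&T or the researchers quoted), the kind of log-side check that would surface the ICC-ID guessing described above: it groups lookup requests by client and flags any client that queries many distinct ICC IDs while most of those lookups fail. The /ipad/lookup path, the ICCID parameter name and the log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed access-log sample (Apache "combined" shape); the /ipad/lookup path
# and the ICCID parameter name are assumptions, not AT&T's real endpoint.
LOG_LINES = """\
10.0.0.5 - - [09/Jun/2010:10:00:01 -0400] "GET /ipad/lookup?ICCID=89014100000000000001 HTTP/1.1" 404 0
10.0.0.5 - - [09/Jun/2010:10:00:01 -0400] "GET /ipad/lookup?ICCID=89014100000000000002 HTTP/1.1" 404 0
10.0.0.5 - - [09/Jun/2010:10:00:02 -0400] "GET /ipad/lookup?ICCID=89014100000000000003 HTTP/1.1" 200 87
10.0.0.5 - - [09/Jun/2010:10:00:02 -0400] "GET /ipad/lookup?ICCID=89014100000000000004 HTTP/1.1" 404 0
10.0.0.5 - - [09/Jun/2010:10:00:03 -0400] "GET /ipad/lookup?ICCID=89014100000000000005 HTTP/1.1" 404 0
10.0.0.5 - - [09/Jun/2010:10:00:03 -0400] "GET /ipad/lookup?ICCID=89014100000000000006 HTTP/1.1" 200 91
10.0.0.9 - - [09/Jun/2010:10:00:05 -0400] "GET /ipad/lookup?ICCID=89014100000000000777 HTTP/1.1" 200 88
10.0.0.9 - - [09/Jun/2010:10:00:09 -0400] "GET /ipad/lookup?ICCID=89014100000000000777 HTTP/1.1" 200 88
""".splitlines()

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET (\S+) HTTP/[\d.]+" (\d{3})')

def parse_lookups(lines, path="/ipad/lookup", param="ICCID"):
    """Yield (client_ip, iccid, status) for each request to the lookup endpoint."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, url, status = m.groups()
        parsed = urlparse(url)
        if parsed.path != path:
            continue
        iccid = parse_qs(parsed.query).get(param, [None])[0]
        if iccid:
            yield ip, iccid, int(status)

def detect_enumeration(lines, min_distinct=4, max_hit_ratio=0.5):
    """Flag clients probing many distinct ICC IDs where most lookups fail.

    A legitimate owner looks up one ICC ID (their own) and it resolves;
    a guesser tries many, and most of them do not belong to any subscriber.
    """
    per_ip = defaultdict(lambda: {"ids": set(), "hits": 0, "total": 0})
    for ip, iccid, status in parse_lookups(lines):
        stats = per_ip[ip]
        stats["ids"].add(iccid)
        stats["total"] += 1
        stats["hits"] += int(status == 200)
    flagged = {}
    for ip, s in per_ip.items():
        hit_ratio = s["hits"] / s["total"]
        if len(s["ids"]) >= min_distinct and hit_ratio <= max_hit_ratio:
            flagged[ip] = {"distinct_ids": len(s["ids"]), "hit_ratio": hit_ratio}
    return flagged  # e.g. {"10.0.0.5": {"distinct_ids": 6, "hit_ratio": 0.33}}
```

The same check can be fed from a SIEM instead of raw log lines; the thresholds are starting points to tune against the endpoint's normal traffic.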
Josh Phillips, senior malware researcher at Kaspersky Lab, says the exposure of a user’s e-mail address is “not very serious” in and of itself, because e-mail addresses can be harvested from the Web in many different ways, but it raises concerns over the security of AT&T’s Web applications.
“I think that the more serious issue is that based on this leak of information, AT&T most likely does not have a security team reviewing their customer-facing Web apps prior to deployment,” he conjectured. “That is a much bigger issue.”
Although the breach has attracted the attention of both the FCC and the FBI, it appears that no information beyond users’ e-mail addresses and ICC IDs was compromised by the flaw in AT&T’s Web application, according to AT&T.
“[ICC ID] is just a security number and that information by itself isn’t enough to do much; you have to put it together with a couple of different things for it to be a serious threat,” says Jamz Yaneza, a threat research manager at Trend Micro.
Yaneza says the main issue with having an e-mail address exposed is it opens up users to become targets for spam and phishing. It also could compromise the security of online accounts where e-mail addresses are used in log-ins, including social networking sites and some online banking.
“At many websites, at least in the United States, you log in with your e-mail address and a random password. That’s the other piece of this threat,” he says. “Your e-mail is really rich… users should be concerned but I give kudos to AT&T for being able to patch this particular problem.”
Charlie Miller, a security researcher at Independent Security Evaluators, says the breach was “really not that serious.”
“No data on the iPads were compromised, no serious information was lost. If you compare this to the numerous leaks of credit card information and Social Security numbers that seem to happen to various companies on a weekly basis, it’s not that big of a deal,” he says. “However, it does raise questions about AT&T’s Web applications and the security of them.”
AT&T said it had closed the security hole Tuesday after being informed by a “business customer” of the problem but declined to comment further on the matter. The breach became public when Goatse Security leaked the story to Gawker.com.
Reputable security researchers typically approach a vendor first to solve security flaws before going to the media, and it is not clear whether Goatse contacted AT&T before going to the press. AT&T said yesterday that the “person or group who discovered this gap did not contact AT&T,” but the Associated Press reported that Goatse said it had notified AT&T and waited until the breach was closed before going public. Goatse could not be reached for comment.