iPad Security Breach Embarrasses Apple, AT&T

A recent report on Gawker details the discovery of a security breach that exposed the email addresses of over 100,000 iPad owners, among them high-ranking government and military officials and media moguls, along with the ICC-ID of each owner's iPad, a pairing that could leave the devices and their owners open to spam and malware. The ICC-ID (Integrated Circuit Card Identifier) is the serial number of the SIM card AT&T issues for each iPad 3G; it is what AT&T's systems used to tie the SIM to a subscriber account.

The breach was discovered by security research group Goatse Security, who successfully captured approximately 114,000 iPad owner email addresses and their corresponding ICC-IDs.

According to Gawker,

Goatse Security obtained its data through a script on AT&T's website, accessible to anyone on the internet. When provided with an ICC-ID as part of an HTTP request, the script would return the associated email address, in what was apparently intended to be an AJAX-style response within a Web application. The security researchers were able to guess a large swath of ICC-IDs by looking at known iPad 3G ICC-IDs, some of which are shown in pictures posted by gadget enthusiasts to Flickr and other internet sites, and which can also be obtained through friendly associates who own iPads and are willing to share their information, available within the iPad "Settings" application.

To make AT&T's servers respond, the security group merely had to send an iPad-style User-Agent header in their Web request. Such headers identify the client's browser type to websites, but the value is chosen by the client and trivially forged, so it provides no authentication at all. In effect the ICC-ID was the only key to the lookup, and ICC-IDs are both guessable from known ones and visible on every device.

The group wrote a PHP script to automate the harvesting of data.
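As an added, constructed example (not the researchers' PHP script and not AT&T's code), the following Python models the flaw described above in memory: a lookup keyed on a guessable ICC-ID whose only gate is the client-supplied User-Agent, an enumerator that walks consecutive ICC-IDs and recomputes the Luhn check digit each one ends in, and a hardened lookup that instead requires a server-issued token bound to the ICC-ID and throttles failures. The issuer prefix, subscriber table, header names and token scheme are all assumptions made for the illustration.

```python
"""
Constructed model of the AT&T iPad lookup flaw: a lookup keyed on a
guessable identifier (the ICC-ID) whose only "access control" is a
client-chosen User-Agent header, next to a hardened version that binds the
lookup to a server-issued, per-ICC-ID session token and throttles failures.
Everything here (prefix, subscriber data, header names) is made up for
illustration; none of it is AT&T's code or data.
"""
import hashlib
import hmac
import secrets
from typing import Optional


def luhn_check_digit(payload: str) -> str:
    """Return the Luhn check digit for a digit string.

    ICC-IDs end in a Luhn check digit, so an enumerator that simply
    increments the whole number would produce mostly invalid IDs; it has to
    recompute the last digit for every candidate.
    """
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:  # rightmost payload digit sits next to the check digit: doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def make_iccid(prefix: str, seq: int) -> str:
    """Build a syntactically valid ICC-ID from an issuer prefix and a sequence number.

    Real ICC-IDs start with 89 (telecom); the rest of this layout is only a
    plausible stand-in, and the prefix used below is invented.
    """
    payload = f"{prefix}{seq:08d}"
    return payload + luhn_check_digit(payload)


ISSUER_PREFIX = "8901410421"  # constructed, not AT&T's actual range

# Constructed subscriber table: a few consecutive ICC-IDs with fake owners.
SUBSCRIBERS = {
    make_iccid(ISSUER_PREFIX, n): f"user{n}@example.com"
    for n in (1000, 1001, 1002, 1005)
}


def vulnerable_lookup(iccid: str, headers: dict) -> Optional[str]:
    """The flawed pattern: the caller only has to claim to be an iPad."""
    if "iPad" not in headers.get("User-Agent", ""):
        return None
    return SUBSCRIBERS.get(iccid)


def harvest(lookup, prefix: str, start: int, count: int, headers: dict) -> dict:
    """Walk sequential ICC-IDs and keep every address the endpoint gives back.

    This is the shape of the researchers' automation, written against the
    in-memory model rather than a live site.
    """
    found = {}
    for n in range(start, start + count):
        iccid = make_iccid(prefix, n)
        email = lookup(iccid, headers)
        if email:
            found[iccid] = email
    return found


# --- Hardened version -------------------------------------------------------

SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret, never sent to clients


def issue_session(iccid: str) -> str:
    """Mint the token a subscriber gets after proving control of the account.

    It is an HMAC over the ICC-ID, so a token captured for one SIM is useless
    for looking up any other SIM.
    """
    return hmac.new(SERVER_KEY, iccid.encode(), hashlib.sha256).hexdigest()


class HardenedLookup:
    """Same lookup, but gated on the session token and throttled per client."""

    def __init__(self, max_failures: int = 5):
        self.max_failures = max_failures
        self.failures: dict = {}

    def __call__(self, iccid: str, headers: dict, client: str = "203.0.113.7") -> Optional[str]:
        if self.failures.get(client, 0) >= self.max_failures:
            return None  # locked out: enumeration stalls here
        token = headers.get("X-Session", "")
        if not hmac.compare_digest(token, issue_session(iccid)):
            self.failures[client] = self.failures.get(client, 0) + 1
            return None  # same answer as "no such SIM", so nothing is leaked
        return SUBSCRIBERS.get(iccid)
```

Running `harvest(vulnerable_lookup, ...)` with an iPad User-Agent returns every seeded address; the same loop against `HardenedLookup()` returns nothing and locks the client out after five misses, while a subscriber holding `issue_session(iccid)` for their own SIM still gets their own address and nobody else's.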

Even more shocking is the list of compromised iPad owners. Gawker reports that among the victims of the breach are:

  • multiple devices registered to DARPA (US Dept. of Defense)
  • House of Representatives, US Senate, Dept. of Homeland Security, FCC and NASA staff members
  • a US Air Force Commander
  • Diane Sawyer of ABC News
  • New York City Mayor Michael Bloomberg
  • New York Times CEO Janet Robinson
  • high-level executives at Dow Jones, HBO, Viacom, and Time Warner
  • White House Chief of Staff Rahm Emanuel

The security researchers who discovered the breach notified AT&T (which has since publicly confirmed the vulnerability) and the issue has been corrected. Closing the endpoint stops further harvesting; it does not recall the addresses already collected, nor change the ICC-IDs of the SIMs still in use.
