A good hack can be seen in one of two ways:
1. It keeps a company on its toes and aware of what might come at it.
2. It’s less-than-wonderful news that makes you wonder how your information was exploited and makes a lot of people slam their heads against their desks in frustration.
Per Gawker, a group of black hat hackers have exploited a security flaw on AT&T’s web servers which enabled them to obtain email addresses from the SIM card addresses of iPad 3G users.
The breach described the event as “another embarrassment” for Apple and outlined a variety of high profile individuals whose email addresses were obtained by automated script attacks on AT&T’s web server based on their iPad 3G SIM addresses (ICC ID).
The publication claimed that the identifying information meant that thousands of iPad 3G users “could be vulnerable to spam marketing and malicious hacking,” while also pointing out that many users have actually already published their iPad ICC ID numbers in Flickr photos. Presumably, many of them also have public email addresses and therefore already receive spam like the rest of us.
The attack on AT&T’s web servers resulted in at least 114,000 iPad 3G users’ emails being leaked to the hackers, who were coy as to whether they were planning to enable others to access the data. The security leak, which returned a user’s email address when their ICC-ID was entered via a specially formatted HTTP request, has since been patched.
The group automated requests of the email address information for a wide swath of ICC-ID serial numbers using a script. No other information was discovered.
The report suggested that having known ICC IDs would leave iPad 3G users vulnerable to remote attacks, citing the attackers involved in the security breach as claiming that “recent holes discovered in the GSM cell phone standard mean that it might be possible to spoof a device on the network or even intercept traffic using the ICC ID.”
In its report, Gawker cited telephony security experts who disputed that the ICC ID email breach was a serious issue. “Vulnerabilities in GSM crypto discovered over the years, none of them involve the ICC ID […] as far as I know, there are no vulnerability or exploit methods involving the ICC ID, ” said Emmanuel Gadaix, a mobile security consultant.
The report also noted that Karsten Nohl, a “white hat GSM hacker and University of Virginia computer science PhD,” informed them “that while text-message and voice security in mobile phones is weak,” the “data connections are typically well encrypted […] the disclosure of the ICC-ID has no direct security consequences.”
At the same time, Nohl described AT&T’s lapse in publishing the email information as grossly incompetent, saying, “it’s horrendous how customer data, specifically e-mail addresses, are negligently leaked by a large telco provider.”
On Wednesday, AT&T issued the following statement regarding the breach:
“This issue was escalated to the highest levels of the company and was corrected by Tuesday. We are continuing to investigate and will inform all customers whose e-mail addresses… may have been obtained.”
Either way, be careful out there, beware the spam and the phishing efforts that never seem to let up and if an e-mail is offering something that seems too good to be true, it probably is.