June 10, 2010, 11:41 AM — The harvesting of over 100,000 iPad 3G owners' e-mail addresses was not a hack or a classic data breach, but a brute force attack against a minor feature AT&T offered to Apple customers, experts said Wednesday.
According to New York-based Praetorian Security Group, which obtained a copy of the PHP script used to scrape e-mail addresses from AT&T's servers, the attack succeeded because the mobile carrier used poorly-designed software.
"There's no hack, no infiltration, and no breach, just a really poorly-designed Web application that returns e-mail address when ICC-ID is passed to it," Praetorian said in a late Wednesday entry on its security blog.
An ICC-ID (Integrated Circuit Card Identifier) is the unique number assigned to each SIM card. A mobile device's SIM stores information that identifies the specific wireless customer to his or her carrier. The iPad 3G contains a SIM card.
The script Praetorian made public was a "brute force attack," according to AT&T's chief security officer Ed Amoroso, who spoke with Gizmodo.
When iPad 3G owners sign up for wireless data service with AT&T, the carrier detects the SIM's 19-digit ICC-ID, essentially a serial number, then asks for a contact e-mail address. AT&T uses the e-mail address to populate one of two log-in fields in the iPad's settings screen so that the user has to enter only a password to check his or her account status.
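The design flaw the article describes is an unauthenticated lookup in which a guessable identifier (a sequential ICC-ID) doubles as the credential. The following is an added illustration, not AT&T's application and not the script Praetorian obtained: a toy model of that lookup beside a hardened form that only answers for the ICC-ID an authenticated session is already bound to, plus a defender-side check that flags clients walking consecutive ICC-IDs in access logs. The subscriber table, session class, log format and all ICC-IDs, addresses and IPs are constructed for the example.

```python
"""Added example: an identifier-as-credential lookup, its hardened form, and
an access-log check for sequential-ID enumeration. All data is constructed."""
import re
from collections import defaultdict

# Constructed subscriber table: ICC-ID -> contact e-mail (hypothetical values).
SUBSCRIBERS = {
    "89014103211118510720": "alice@example.com",
    "89014103211118510721": "bob@example.com",
    "89014103211118510722": "carol@example.com",
}


def lookup_email_vulnerable(icc_id):
    """The flawed pattern: whoever supplies a valid ICC-ID gets the e-mail back.
    The ICC-ID alone acts as the credential, and ICC-IDs are sequential, so a
    client can simply step through the number space."""
    return SUBSCRIBERS.get(icc_id)


class Session:
    """Hypothetical authenticated session bound to one subscriber's ICC-ID."""

    def __init__(self, icc_id):
        self.icc_id = icc_id


def lookup_email_hardened(session, icc_id):
    """Hardened pattern: the identifier is never an oracle. Data is returned only
    for the ICC-ID the authenticated session is bound to, and every other case
    (no session, or a mismatched ICC-ID, whether or not it exists) yields the
    same generic None, so callers cannot probe which ICC-IDs are valid."""
    if session is None or session.icc_id != icc_id:
        return None
    return SUBSCRIBERS.get(icc_id)


# Constructed access-log lines in a common web-server format; the /lookup path
# and iccid parameter are hypothetical. One client walks four consecutive IDs.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Jun/2010:10:00:01 -0400] "GET /lookup?iccid=89014103211118510720 HTTP/1.1" 200 57
203.0.113.7 - - [09/Jun/2010:10:00:01 -0400] "GET /lookup?iccid=89014103211118510721 HTTP/1.1" 200 55
203.0.113.7 - - [09/Jun/2010:10:00:02 -0400] "GET /lookup?iccid=89014103211118510722 HTTP/1.1" 200 57
203.0.113.7 - - [09/Jun/2010:10:00:02 -0400] "GET /lookup?iccid=89014103211118510723 HTTP/1.1" 200 0
198.51.100.4 - - [09/Jun/2010:10:03:14 -0400] "GET /lookup?iccid=89014103211118510721 HTTP/1.1" 200 55
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) .* "GET /lookup\?iccid=(?P<icc>\d+) ')


def find_enumerators(log_text, min_ids=3):
    """Return {client_ip: (distinct_icc_ids, consecutive)} for every client that
    queried at least min_ids distinct ICC-IDs. 'consecutive' is True when the
    IDs form an unbroken ascending run, the signature of stepping through the
    number space rather than a user checking their own account."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            seen[m["ip"]].add(int(m["icc"]))
    flagged = {}
    for ip, ids in seen.items():
        if len(ids) >= min_ids:
            ordered = sorted(ids)
            consecutive = all(b - a == 1 for a, b in zip(ordered, ordered[1:]))
            flagged[ip] = (len(ids), consecutive)
    return flagged


if __name__ == "__main__":
    print("vulnerable:", lookup_email_vulnerable("89014103211118510721"))
    print("hardened, no session:", lookup_email_hardened(None, "89014103211118510721"))
    print("hardened, own session:",
          lookup_email_hardened(Session("89014103211118510721"), "89014103211118510721"))
    print("enumerators:", find_enumerators(SAMPLE_LOG))
```

The hardened lookup removes the need for the server to treat the ICC-ID as a secret at all, which is the right fix because a SIM serial number was never designed to be one; the log check is a cheap complementary control that would have surfaced the sequential walk the article describes while it was in progress, independent of whether the endpoint itself was fixed.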
That same e-mail address was what the script harvested. E-mail addresses apparently belonging to New York Mayor Michael Bloomberg, and top executives at Dow Jones, the New York Times Company and Time Warner, were among those collected.
AT&T turned off access to the feature on Tuesday, and apologized to customers in a statement it issued Wednesday. It also said that only the e-mail addresses linked to each ICC-ID, not financial information or other personal data, had been snatched from its servers.
AT&T did not respond to a request for further comment late Wednesday.
The disclosure of iPad owners' e-mail addresses was the second embarrassing story linked to Apple published by Gawker Media since April.