'Brute force' script snatched iPad e-mail addresses

'No hack, no infiltration, no breach,' say security experts, just sloppy AT&T software

Computerworld | Security, AT&T, hackers

The harvesting of over 100,000 iPad 3G owners' e-mail addresses was not a hack or a classic data breach, but a brute force attack of a minor feature AT&T offered to Apple customers, experts said Wednesday.

According to New York-based Praetorian Security Group, which obtained a copy of the PHP script used to scrape e-mail addresses from AT&T's servers, the attack succeeded because the mobile carrier used poorly-designed software.

A nine-person hacking group known as Goatse Security claimed responsibility for the script, which amassed 114,000 e-mail addresses.

"There's no hack, no infiltration, and no breach, just a really poorly-designed Web application that returns e-mail address when ICC-ID is passed to it," Praetorian said in a late Wednesday entry on its security blog.

An ICC-ID (Integrated Circuit Card Identifier) is the unique number assigned to each SIM card. A mobile device's SIM stores information that identifies the specific wireless customer to his or her carrier. The iPad 3G contains a SIM card.

AT&T confirmed the nature of the attack to technology blog Gizmodo. Gawker, Gizmodo's parent Web site, first reported the e-mail harvesting Wednesday.

The script Praetorian made public was a "brute force attack," according to AT&T's chief security officer Ed Amoroso, who spoke with Gizmodo.

When iPad 3G owners sign up for wireless data service with AT&T, the carrier detects the SIM's 19-digit ICC-ID -- essentially a serial number -- then asks for a contact e-mail address. AT&T uses the e-mail address to populate one of two log-in fields in the iPad's settings screen so that the user has to enter only a password to check his or her account status.
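The flaw described above, seen from the defender's side, as an added example that is not part of the original article and not AT&T's code: a short Python check that scans constructed web-server log lines for a single client walking through adjacent ICC-IDs, the pattern a brute-force sweep of such a lookup leaves behind. The endpoint path, the client addresses and the ICC-ID values are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample of access log lines for a hypothetical lookup endpoint
# (/lookup?iccid=...). The path, addresses and ICC-IDs are invented for this
# example and are not AT&T's real values.
SAMPLE_LOG = """\
203.0.113.9 - - [09/Jun/2010:10:00:01 +0000] "GET /lookup?iccid=8901410000000000001 HTTP/1.1" 200 512
203.0.113.9 - - [09/Jun/2010:10:00:01 +0000] "GET /lookup?iccid=8901410000000000002 HTTP/1.1" 200 511
203.0.113.9 - - [09/Jun/2010:10:00:02 +0000] "GET /lookup?iccid=8901410000000000003 HTTP/1.1" 200 513
203.0.113.9 - - [09/Jun/2010:10:00:02 +0000] "GET /lookup?iccid=8901410000000000004 HTTP/1.1" 200 509
203.0.113.9 - - [09/Jun/2010:10:00:03 +0000] "GET /lookup?iccid=8901410000000000005 HTTP/1.1" 200 514
198.51.100.7 - - [09/Jun/2010:10:00:05 +0000] "GET /lookup?iccid=8901410000000004242 HTTP/1.1" 200 510
"""

# Client IP, then the 19- or 20-digit ICC-ID passed to the lookup.
LINE_RE = re.compile(r'^(?P<ip>\S+) .*?"GET /lookup\?iccid=(?P<iccid>\d{19,20}) ')

def iccids_by_client(log_text):
    """Map each client IP to the ordered list of ICC-IDs it queried."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            seen[m.group("ip")].append(int(m.group("iccid")))
    return seen

def enumeration_suspects(log_text, min_ids=3, max_gap=10):
    """Return {ip: (distinct_count, sequential_steps)} for clients that
    queried several distinct ICC-IDs lying close together. A legitimate
    device looks up only its own SIM, so a run of adjacent IDs from one
    source is the signature of a sweep, not of normal use."""
    suspects = {}
    for ip, ids in iccids_by_client(log_text).items():
        distinct = sorted(set(ids))
        if len(distinct) < min_ids:
            continue
        steps = sum(1 for a, b in zip(distinct, distinct[1:]) if 0 < b - a <= max_gap)
        if steps >= min_ids - 1:
            suspects[ip] = (len(distinct), steps)
    return suspects

if __name__ == "__main__":
    for ip, (n, steps) in enumeration_suspects(SAMPLE_LOG).items():
        print(f"{ip}: {n} distinct ICC-IDs, {steps} sequential steps")
```

The same check applies to any endpoint keyed on a predictable identifier; rate limiting per client and requiring authentication before the lookup are the fixes the flagged pattern calls for.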

That same e-mail address was what the script harvested. E-mail addresses apparently belonging to New York Mayor Michael Bloomberg, and top executives at Dow Jones, the New York Times Company and Time Warner, were among those collected.

AT&T turned off access to the feature on Tuesday, and apologized to customers in a statement it issued Wednesday. It also said that only the e-mail addresses linked to each ICC-ID, not financial information or other personal data, had been snatched from its servers.

AT&T did not respond to a request for further comment late Wednesday.

The disclosure of iPad owners' e-mail addresses was the second embarrassing story linked to Apple published by Gawker Media since April.


Originally published on Computerworld.