Security Leak Leaves Apple Ipad Owners At Risk

[Raistlin]

The White House chief of staff is believed to be among 114,000 iPad owners, including chief executives and military officials, whose personal details have been exposed through a breach of the website of the US phone network AT&T.

AT&T acknowledged the leak but said the risk was limited to the subscriber's email address and that the issue had been "escalated to the highest levels of the company". UK customers are vulnerable to the same attack.

The names and email addresses of those involved apparently includes Rahm Emanuel, the White House chief of staff, members of the US Senate and House of Representatives, staff at Nasa and the department of homeland security, the New York Times, Viacom, Time Warner, bankers and venture capitalists.

It will be an embarrassment to Apple, which has sold more than two million of the tablet computers since they went on sale at the start of April, and late last month internationally.

The iPad comes in two main versions, one with 3G and one without. The news that the 3G version could have been liable to hacking could depress sales of the more profitable version.

It will also increase friction between Apple and AT&T, which has had the exclusive rights to sell the iPhone since 2007, and now the 3G-enabled iPad in the US.

The Gawker website, which says it has seen details of the email addresses provided in a foot-high printout suggests that the flaw makes any of those people vulnerable to spam marketing and malicious hacking. The breach was demonstrated by a team of hackers calling themselves Goatse Security, who have previously pointed to weaknesses in web browsers.

They were able to use a flaw in the AT&T website to get the email address of any AT&T subscriber by providing a piece of data called an ICC-IDS, used to identify the SIM card belonging to that subscriber.

The team sent data to the site pretending to be each of a huge sequence of ICC-IDS devices, and requested the email address.

They say they also shared the knowledge of the hack with others, until AT&T closed the breach a few days ago.

An AT&T spokesman said: "AT&T was informed by a business customer on Monday of the potential exposure of their iPad ICC-IDS.

The only information that can be derived from the ICC-IDS is the e-mail address attached to that device.

This issue was escalated to the highest levels of the company and was corrected by Tuesday; and we have essentially turned off the feature [on the website] that provided the e-mail addresses.

"The person or group who discovered this gap did not contact AT&T. We are continuing to investigate and will inform all customers whose e-mail addresses and ICC-IDS may have been obtained."

"We take customer privacy very seriously and while we have fixed this problem, we apologise to our customers who were impacted."

Apple did not have any statement...

[hertsnminds]

They were able to use a flaw in the AT&T website to get the email address of any AT&T subscriber

Why isn't the headline for this article "Security Leak Leaves AT & T Subscribers at Risk" as it does not seem to be exclusive to iPad owners but all those using the AT & T network.

[Raistlin]

Update: AT&T has confirmed the breach and the FBI has opened an investigation.

They were able to establish the authenticity of Goatse Security's data through two people who were listed among the 114,000 names.

They sent these people the ICC ID contained in the document—and associated with the person's iPad 3G account—and asked them to verify in an iPad control panel that this was the correct ICC ID.

It was.