AT&T Could Have Avoided iPad E-mail Breach, Experts Say

A black hat hacker group calling themselves "Goatse Security" published the e-mail accounts of more than 114,000 Apple iPad 3G customers, obtained through an automated brute force attack exploiting a flaw in an AT&T Web application, which enabled the hackers to acquire individual e-mail addresses in exchange for an integrated circuit card identifier, or ICC-ID number.

An ICC-ID is the unique number provided for each iPad SIM card, which identifies the specific customer to the mobile carrier.

AT&T said Wednesday in a statement that the company had repaired the Web application flaw by Tuesday.

New York-based Praetorian Security Group published the script that was used to obtain iPad customers' e-mail addresses in a blog post Wednesday. "There's no hack, no infiltration, and no breach, just a really poorly designed Web application that returns email address when ICC-ID is passed to it," Praetorian said in the blog.
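The flaw described above is a lookup that hands back an e-mail address for any identifier, which makes bulk querying the thing to watch for. The following defender-side sketch is an added example, not code from the article, Praetorian or AT&T: it scans constructed access-log lines for a client that requests many distinct identifiers in a short window. The log layout, the `/lookup` path and the `ICCID` parameter name are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed sample log, format "<ISO time> <client> <request path>".
# Addresses, identifiers, path and parameter name are all made up.
SAMPLE_LOG = [
    # One client walks through six different identifiers in 25 seconds.
    f"2024-01-01T10:00:{s:02d} 198.51.100.7 /lookup?ICCID=89000000000000000{s:02d}"
    for s in range(0, 30, 5)
] + [
    # Another client repeats its own identifier once a minute.
    f"2024-01-01T10:0{m}:00 192.0.2.10 /lookup?ICCID=8900000000000000999"
    for m in range(3)
]


def find_enumerators(lines, param="ICCID",
                     window=timedelta(minutes=1), threshold=5):
    """Return {client: peak count of distinct identifiers in any window}
    for every client whose peak reaches the threshold."""
    seen = defaultdict(list)  # client -> [(time, identifier), ...]
    for line in lines:
        parts = line.split(maxsplit=2)
        if len(parts) != 3:
            continue  # skip malformed lines instead of failing
        stamp, client, path = parts
        try:
            when = datetime.fromisoformat(stamp)
        except ValueError:
            continue
        values = parse_qs(urlsplit(path).query).get(param)
        if values:
            seen[client].append((when, values[0]))

    flagged = {}
    for client, events in seen.items():
        events.sort()
        start, peak = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until it spans <= window.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({ident for _, ident in events[start:end + 1]})
            peak = max(peak, distinct)
        if peak >= threshold:
            flagged[client] = peak
    return flagged
```

Counting distinct identifiers rather than raw requests keeps a customer who reloads their own account page from being flagged.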

Many security experts agree that while the "Goatse Security" group might have made headlines, their method of disclosing the flaw was irresponsible and would likely harm affected iPad customers in malware attacks down the road.

"It was completely irresponsible! There is no reason why the 'Goatse Security' group needed to write a PHP script to automate the harvesting of data," said Sean Sullivan, F-Secure security advisor for the North American Labs, in an email. "Once the vulnerability was confirmed, it should have been reported to AT&T. Continuing to harvest the data should be considered criminal. They only did it to sensationalize the issue and they are guilty of violating personal privacy."

Security experts say that while the hackers were not able to obtain users' personal data from the 114,000 published e-mail accounts, phishers will almost definitely use the e-mail addresses to launch spam campaigns and to deliver phishing attacks via e-mail.

"If someone is able to get their hands on the list of e-mail addresses, [they're going to use it for] phishing or it's going to be spam, whether it's going to be a targeted attack or a particular e-mail address," said Jamz Yaneza, threat research manager for Trend Micro. "There is some bot out there that is collecting this information and it's selling it in the underground."

Had the Goatse group reported the flaw to AT&T, Apple would have been responsible for alerting their customers to potential spear phishing attacks and other threats, Sullivan added.

However, there were some things that users could have done to protect themselves from this kind of breach, experts said.

Sullivan suggested that users provide an e-mail address that doesn't include their real name. Most Web mail providers offer aliases to customers' e-mail addresses that obfuscate their full name, he said.

For example, [email protected] could be changed to [email protected]. In the event of an iTunes breach, the user's identity would be protected, Sullivan said. In addition, users should have refrained from using their military addresses for any commercial account, such as iPad or iTunes, he added.

Yaneza said that this kind of data breach will likely happen again, in light of the fact that other Web applications have design flaws similar to that of AT&T's. Subsequently, Yaneza emphasized that users should continually use strong passwords, and regularly change them every three months or so.

"You get a password and change it. It should be once every three months," he said. "It's like owning a car. You pay for the service. It's just something you've got to do."