AT&T, Goatse Security Locked Over Blame In Apple iPad Breach


AT&T executives circulated an e-mail Monday blaming Goatse Security for the iPad breach, claiming the calculated attack was executed as a malicious publicity stunt for the nine-member group.

"The hackers deliberately went to great efforts with a random program to extract possible ICC-IDs and capture customer e-mail addresses," said Dorothy Attwood, AT&T chief privacy officer, in an e-mail to affected iPad customers Monday. "They then put together a list of these e-mails and distributed it for their own publicity."

Goatse Security made waves last week when it launched code designed to automate the iPad log-in process, exploiting a feature on the AT&T authentication page involving the e-mail address customers are required to provide when registering their iPad for the 3G service.

The code randomly generated numbers that mimicked serial numbers of the AT&T SIM card for Apple iPad -- called the integrated circuit card identification (ICC-ID).


The exploit enabled the hackers to submit queries until a match was found for an e-mail address that correlated to the ICC-ID number. Once a match was found, the login feature provided the hackers with the e-mail addresses of the users associated with the ICC-ID.

The Federal Bureau of Investigation launched a probe last week, in light of the fact that affected iPad customers included New York Times Chief Executive Officer Janet Robinson, New York Mayor Michael Bloomberg, President Obama's White House Chief of Staff Rahm Emanuel and a slew of high-profile military personnel.

Attwood downplayed the incident and AT&T's responsibility, but offered an apology to iPad 3G customers whose e-mail accounts were exposed during the security breach.

"I want to assure you that the e-mail address and ICC-ID were the only information that was accessible," Attwood said in the e-mail. "Your password, account information, the contents of your e-mail, and any other personal information were never at risk. The hackers never had access to AT&T communications or data networks, or your iPad. AT&T 3G service for other mobile devices was not affected."

In a blog post Monday, Goatse Security countered AT&T's remarks with claims that the company was lazy about response and "dishonest" with its customers about the ramifications of the breach.

The group said that AT&T delayed notifying its customers for two days after it was first contacted about the iPad breach June 7. Goatse contended that its members were doing the telecom giant -- and its customers -- a favor by exposing a potentially devastating flaw that could have exposed millions of iPad users to malicious attack.

"AT&T had plenty of time to inform the public before our disclosure. It was not done. Post-patch disclosure should be immediate -- within the hour. Days afterward is not acceptable," said Goatse Security member Escher Auernheimer in the blog post. "It is theoretically possible that in the span of a day (particularly after a hole was closed) that a criminal organization might decide to use an old dataset to exploit users before the users could be enlightened about the vulnerability."

Auernheimer added that "there was not a hint of maliciousness" in the group's disclosure, contending instead that it was AT&T that was "being dishonest" with its customers about the potential damage created by the breach.

"When we disclosed this, we did it as a service to our nation. We love America and the idea of the Russians or Chinese being able to subvert American infrastructure is a nightmare. We understand that good deeds many times go punished, and AT&T is trying to crucify us over this," he said. "We did the right thing, and I will stand by the actions of my team and protect the finder of this bug no matter what the cost."