AT&T emailed its customer base over the weekend to apologize for last week's embarrassing iPad hack. They described the hackers, Goatse, as "malicious," and Goatse has just responded angrily.
AT&T's letter starts as bland and smooth as any corporate blather possibly could be: "Dear Valued AT&T Customer, Recently there was an issue that affected some of our customers with AT&T 3G service for iPad resulting in the release of their customer email addresses. I am writing to let you know no other information was exposed and the matter has been closed." The letter does go on, however, to describe the "unauthorized 'hackers'" who "maliciously exploited" a function that was supposed to simplify the AT&T authentication process.
This bit is where things get odd, because AT&T did indeed have a large vulnerability in their process. Any hacker, anywhere, could've exploited these holes for far more serious and nefarious gains than Goatse Security did. This is the thrust of today's response from Goatse. You can read the whole text of the angry open letter (available here), but we'll digest it down to the main important points for you:
- AT&T was too slow to inform the public after Goatse revealed the leak. "It is theoretically possible that in the span of a day (particularly after a hole was closed) that a criminal organization might decide to use an old dataset to exploit users before the users could be enlightened about the vulnerability."
- AT&T is being dishonest about the degree of harm that may have been possible. Goatse believes that unsophisticated hackers could have even worked out iPad locations, and more skilled hacks could've exploited it to "takeover" an iPad, or grab personal data from it. Given the list of high-ranking people revealed in the original hack, this could be extremely serious.
- To drive this point home, Goatse knows of a Safari loophole that could still expose much user data, and alerted people to it months ago. The Safari loophole that permits this kind of attack is still open.
- AT&T is trying to portray the hack as difficult, to allay customer fears that much damage was done, or that future hacks aren't likely. This is false, says Goatse, as the hack attempt took just a single hour of effort by a single person. With huge hackers networks known to be in existence, who knows what these coders "in the thrall of evil" would get up to?
So who's right? Goatse's staff defend themselves by saying they did the right thing as "a service to our nation" because they "love America and the idea of the Russians or Chinese being able to subvert American infrastructure is a nightmare." The company's stance is that AT&T first had a security loophole, and then lied about it afterward, leaving customers exposed to yet more harm. AT&T's stance is that some bad guys broke into its system and it's all okay now, and that it's slightly sorry this fuss happened. It's a classic white-hat (we assume) hacker versus corporate America stand-off, and the matter seems far from closed--especially now the FBI is involved. The only thing we can say for sure is that as more and more of us carry more sophisticated connected devices around all the time, this sort of news article is going to be more prevalent.