First and breathlessly reported by Gawker, the iPad security gap was originally uncovered by a group called Goatse Security. Goatse, named after an old internet meme to which I will not provide a link, out of respect for you fine readers, is a loose group of do-good hackers who find security loopholes and report them to the software’s maker. They’ve previously found holes in browsers like Firefox and Safari, but this looks like their biggest yet.
Goatse figured out a way to have AT&T provide email addresses for subscribers, using what’s called an ICC-ID. The ICC-ID identifies a SIM card, thus linking a customer with a device. Each AT&T customer has an individual ICC-ID. Without going into too much hackery language, AT&T has a script on its website that will return an email address if the ICC-ID is provided. Goatse managed to trick it into revealing subscriber email addresses by guessing a huge swath of ICC-IDs based on a few real ones–they all have similar patterns–and feeding them into the script.
That left them with over 114,000 email addresses of iPad 3G subscribers. Gawker thoughtfully pored over them (poor Ryan Tate!) and picked out some interesting ones. iPad 3G subscribers include the heads of most media companies (including the Times Company, Viacom, and Time Warner), the tech industry (Microsoft, Google, Amazon), and government (Rahm Emanuel, and several Darpa employees).
Goatse contacted AT&T, and the hole was promptly closed.
So what’s the real danger here? Gawker’s certainly playing up the scandal, but they did their research–ICC-IDs can’t really be used for any kind of data snatching. A security expert says “as far as I know, there are no vulnerability or exploit methods
involving the ICC ID.” So all that’s really happened is that a whole bunch of email addresses were available, if you wanted to scan through over a hundred thousand names.
But really, you can guess pretty much any professional email address if you have the naming convention. Knowing that NYT staff email addresses end in “@nytimes.com” is enough to guess pretty much any employee email address, and it’d certainly be easier to try a couple permutations than to use this time-consuming hack.
I don’t want to downplay AT&T’s screwup here; it’s a dumb security hole–and Apple seems to be innocent here. It’s good that Goatse figured it out and notified the carrier before it could be exploited. The breach itself is not a big deal–I suspect no harm will come to any iPad 3G subscriber–but that AT&T left open some presumably private personal information is certainly troubling. But let’s not pretend this is the end of the world: the very worst thing that could happen is some spam. It’s a sexy story, since it involves celebrities, the iPad, and security leaks, but it’s really a very minor one as far as those go. So, the takeaway? Be pissed at AT&T, but don’t make this into something it’s not. Oh, and probably get a secondary email address.
Update: More information on the breach has come out. First, Forbes says the Goatse group contacted several other publications, including Reuters and The New York Times, to see if they’d be interested in running the story. All of them declined, except Gawker. The source says Gawker did not pay for the story; they were given an exclusive due to their ability to get the story viral, an ability they proved they have today.
AT&T has also responded briefly, making one correction. The carrier says it was not Goatse who contacted them about the breach, but a “business customer.” AT&T continues to say, as was stated in Gawker’s original piece, that “The only information that can be derived from the ICC IDS is the e-mail address attached to that device.” AT&T concluded with an apology, saying:
We are continuing to investigate and will inform all customers whose e-mail addresses and ICC IDS may have been obtained.
We take customer privacy very seriously and while we have fixed this problem, we apologize to our customers who were impacted.”