Goatse analyst explains AT&T data breach (podcast)

CBS News speaks with Goatse Security analyst Jim Jeffers about how his group was able to obtain information on iPad users by exploiting a hole in an AT&T Web site.

As CNET's Elinor Mills reported, a group of security specialists called Goatse Security was able to trick an AT&T Web site into disclosing e-mail addresses of iPad users, including what Gawker described as "thousands of A-listers in finance, politics, and media."

In an interview with CBS News, Goatse analyst Jim Jeffers said, "There is this identifier--it's called an ICC-ID [Integrated Circuit Card Identifier]--and it's present on every SIM card on every cellular phone, and it's used as an authentication token. That means it would be sent to [the] AT&T Web site, and that's how AT&T recognized you as who you were, and it would spit out your personal information in the form of your e-mail address. One of the members of our organization figured out, well, why not just step through these, and with the help of some additional data that was recovered, they were able to successfully predict these identifiers from the iPad 3G and retrieve a very large chunk of personal information."

Although AT&T said only e-mail addresses were compromised, Jeffers said, "it will allow someone who does the proper research to possibly target iPad 3G users and take over their iPads, and they could sniff traffic, they could act as the user of the iPad."

The exploit, said Jeffers, "was almost discovered by accident. One of our employees is an iPad 3G subscriber, and he noticed it in the process of the normal user experience of this device. It was something he just noticed as he was using it."
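What Jeffers describes is an identifier doubling as the only credential, so the defender's signal is a single client presenting many different ICC-IDs, especially closely spaced ones. The detector below is an added example, not code from the article, CBS News, or AT&T; the record layout, thresholds, function name, and sample values are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records: (client address, ICC-ID sent with the request).
# Addresses come from documentation ranges; ICC-IDs are made-up digit strings.
SAMPLE_REQUESTS = [
    ("198.51.100.7", "89014100000000001011"),  # one device, repeated lookups
    ("198.51.100.7", "89014100000000001011"),
    ("203.0.113.9", "89014100000000500003"),   # many closely spaced IDs
    ("203.0.113.9", "89014100000000500011"),
    ("203.0.113.9", "89014100000000500029"),
    ("203.0.113.9", "89014100000000500037"),
    ("203.0.113.9", "89014100000000500045"),
    ("203.0.113.9", "89014100000000500052"),
    ("192.0.2.44", "89014100000012345678"),    # many IDs, but far apart
    ("192.0.2.44", "89014100000098765432"),    # (e.g. a shared gateway)
    ("192.0.2.44", "89014100000455512345"),
    ("192.0.2.44", "89014100007700012345"),
]


def flag_enumerators(requests, max_ids=3, max_gap=100, min_ratio=0.8):
    """Return {client: report} for clients presenting more than max_ids
    distinct ICC-IDs. 'stepping' is True when at least min_ratio of the
    gaps between neighbouring IDs (sorted numerically) are <= max_gap."""
    seen = defaultdict(set)
    for client, iccid in requests:
        if iccid.isdigit():  # ignore malformed values instead of crashing
            seen[client].add(int(iccid))

    flagged = {}
    for client, ids in seen.items():
        if len(ids) <= max_ids:
            continue  # a normal subscriber presents one ID, or very few
        ordered = sorted(ids)
        gaps = [b - a for a, b in zip(ordered, ordered[1:])]
        close = sum(1 for gap in gaps if gap <= max_gap)
        flagged[client] = {
            "distinct_ids": len(ids),
            "stepping": close / len(gaps) >= min_ratio,
        }
    return flagged


if __name__ == "__main__":
    for client, report in flag_enumerators(SAMPLE_REQUESTS).items():
        print(client, report)
```

Detection only narrows the window; the underlying fix is to stop treating a guessable device identifier as proof of identity and require a separate credential before returning account data.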


About the author

Larry Magid is a technology journalist and an Internet safety advocate. He's been writing and speaking about Internet safety since he wrote the Internet safety guide "Child Safety on the Information Highway" in 1994. He is co-director of ConnectSafely.org, founder of SafeKids.com and SafeTeens.com, and a board member of the National Center for Missing & Exploited Children. Larry's technology analysis and commentary can be heard on CBS News and CBS affiliates, and read on CBSNews.com. He also writes a personal-tech column for the San Jose Mercury News. You can e-mail Larry.

 
