What the AT&T breach means for iPad users (FAQ)

There is a lot of confusion surrounding Wednesday's news of a security breach at an AT&T Web site that exposed data of more than 100,000 iPad users.

Some reports have left the impression the breach was due to a security flaw with the iPad, which is untrue. And the initial facts were slightly unclear.

But the ramifications are serious enough that the FBI announced on Thursday an investigation into the situation after learning that numerous U.S. government officials were among the many executives and luminaries that had their e-mail addresses exposed.

The blog site that broke the story, Gawker Media, confirmed that it has been contacted by the FBI and asked to preserve documents in the case. (Gawker's Gizmodo is already in legal hot water over its purchase of and subsequent story leaking details of an allegedly lost iPhone prototype earlier this year.) And The New York Times also has advised its employees using iPads to turn off access to the 3G network.

Here is information to help people understand what happened and what the risks are.

What happened?
Hackers discovered a security vulnerability in an application on an AT&T Web site used by iPad customers. With some programming they were then able to trick the site into divulging e-mail addresses of other random iPad users.

What data was exposed?
E-mail addresses of about 114,000 iPad users were disclosed, and they were correlated to serial numbers for the SIM cards in the devices used by the e-mail account holders. No other data was compromised, according to AT&T. Names attached to the e-mail addresses included White House Chief of Staff Rahm Emanuel, journalist Diane Sawyer, New York Mayor Michael Bloomberg, movie producer Harvey Weinstein, and New York Times CEO Janet Robinson. Exposed e-mail addresses also belonged to officials at the FBI, departments of Defense and Justice, federal courts, and NASA, and executives from Google, Microsoft, Amazon, Goldman Sachs, and JP Morgan, among many others.

What is the real threat?
People whose e-mail addresses were exposed were vulnerable to getting spammed with junk e-mail or phishing attempts designed to steal log-in and other sensitive information by masquerading as a legitimate site. So-called "spear phishing" e-mails are tailored to specific high-level officials or executives whose data is very attractive. The owners of the e-mail addresses also could be victimized by a targeted attack in which an attacker sends a customized e-mail with an attachment or a link in it that leads to malware specifically written for the iPad. Knowing both the e-mail address of an important person and the fact that that person owns an iPad increases the risk level, says Daniel Kennedy of Praetorian Security Group. For instance, attackers could send e-mails masquerading as coming from AT&T or Apple.

Am I still at risk?
It's unclear exactly who has had access to the uncensored customer data that was exposed and the tool created to gather it, but a representative from the group that discovered the flaw says there is no reason to believe that any information has fallen into the hands of people with less than noble intentions.

If I have an iPad what should I do?
You might want to change your e-mail address that is associated with the iPad, although AT&T says that is not necessary. Be wary of any unsolicited e-mails and be careful when clicking on links in e-mails and opening attachments, even if they appear to come from someone familiar or trusted. You might also consider using an e-mail address when registering for certain products that is different from your regular e-mail address.

Can my iPad be targeted directly?
There are potential, highly unlikely attacks in which more sensitive mobile-device identifiers could be inferred from the SIM serial ID and that information then be used to track the location of a specific device. However, the data that was exposed in this breach doesn't really provide any additional information or means by which such theoretical attacks could be accomplished, says Karsten Nohl, who showed earlier this year how to eavesdrop on mobile devices by cracking the encryption used with GSM-based (Global System for Mobile Communications) phones. With mobile phones "you could track someone down and camp out in their neighborhood and record their traffic, but the iPad is just a data device, not a phone and it is well-encrypted," he said.

Are devices other than the iPad affected?
AT&T says the breach did not affect any other devices that use its 3G network.

Who did it and why?
A group that calls itself Goatse Security is behind the breach. In an interview with CNET on Thursday, member Escher Auernheimer said the group went public with its findings to warn people about the risk. They did so only after AT&T was notified and had fixed the hole. The group did not directly contact AT&T but "made sure that someone else tipped them off," the group wrote in a blog post. The actions were legal and ultimately improved the security for iPad users, the group claims.

How was the breach accomplished?
The problem was on an AT&T site set up for customers to renew their wireless service plan on the device, according to AT&T. The Web application used the customer e-mail address to populate a log-in field in the screen so the user only needed to enter a password. A Goatse Security analyst noticed this when he visited the site and figured out how to trick the site into revealing other e-mail addresses associated with other iPad users by providing data pretending to come from other devices. He wrote a script that automated this process that sent plugged in numbers from a list of sequential SIM serial IDs, known technically as ICC-IDs (integrated circuit card identifiers).

Is what Goatse Security did legal?
Probably so. The group didn't break into the server, but merely took advantage of an unintentional entry way. "The criminal law does not prohibit doing something that the server owner doesn't want you to do or violating some preference or policy," said Jennifer Granick, civil liberties director at the Electronic Frontier Foundation. Exploiting "a mistake on the server does not translate to criminal behavior," she said.

What does AT&T say?
AT&T apologized for the security lapse and says it fixed it as soon as possible. "We apologize that this happened," AT&T spokesman Mark Siegel said. "Nothing is more important to us. It's the No. 1 priority, protecting customer privacy."

Is Apple at fault at all?
Apple representatives have not responded to requests for comment, but an AT&T spokesman said: "This is an AT&T issue...and people should feel comfortable using their iPads."

Updated June 11 at 11:45 a.m. PDT with legal comment.