AT&T Web site exposes data of 114,000 iPad users

A group of hackers exploited a hole in an AT&T Web site to get e-mail addresses of about 114,000 iPad users, including what appears to be top officials in government, finance, media, technology, and military.

The leak could have affected all iPad 3G subscribers in the U.S., according to Gawker, which broke the story on Wednesday. Among the iPad users who appeared to have been affected were White House Chief of Staff Rahm Emanuel, journalist Diane Sawyer, New York Mayor Michael Bloomberg, movie producer Harvey Weinstein, and New York Times CEO Janet Robinson.

A group that calls itself Goatse Security tricked the AT&T site into disclosing the e-mail addresses by sending HTTP (hyper text transport protocol) requests that included SIM card serial numbers for iPads, the report said. Because the serial numbers, called ICC-IDs (integrated circuit card identifiers), are generated sequentially, the researchers were able to guess thousands of them and then ran a program to extract the data by going down the list.

AT&T spokesman Mark Siegel confirmed the breach to CNET, saying the company turned off the feature that provided e-mail addresses on Tuesday, one day after learning of the problem from someone not affiliated with the hacker group.

"AT&T was informed by a business customer on Monday of the potential exposure of their iPad ICC IDS. The only information that can be derived from the ICC IDS is the e-mail address attached to that device," he said in a statement.

"We are continuing to investigate and will inform all customers whose e-mail addresses and ICC IDS may have been obtained," he added. "At this point, there is no evidence that any other customer information was shared."

Representatives from Goatse Security did not respond to an e-mail or phone call seeking comment, but Goatse analyst Jim Jeffers gave an interview to CBS News. The group, whose name references an Internet shock Web site, looks for security holes in software, including browsers.

Click below to listen to the podcast

Jeffers said the attack could have allowed someone to take control of the iPad and that potentially every 3G iPad subscriber was affected. Although AT&T maintains that only e-mail addresses were compromised, Jeffers said "it will allow someone who does the proper research to possibly target iPad 3G users and take over their iPads, and they could sniff traffic, they could act as the user of the iPad."

Jeffers also said the group had contacted AT&T and waited until the company fixed the hole before going public with it.

Representatives from Apple did not respond to a request for comment.

A Web site issue
The problem is solely related to security on AT&T's Web site and not Apple's tablet, security experts stressed. Meanwhile, the type of weakness discovered in the AT&T site is fairly common, they said.

"It is an authentication error to not require user authentication before returning private data," said Chris Wysopal, chief technology officer at Veracode. "This is the type of vulnerability that would be found with a very basic Web application assessment. Apple should require its service providers to show proof of an assessment of its Web apps if sensitive Apple customer is stored there."

Neither e-mail addresses nor SIM serial numbers are considered to be sensitive information, experts said.

"Doesn't seem like a huge deal to me," said Charlie Miller of Independent Security Evaluators. "It's not like peoples' Social Security or credit card numbers were compromised."

But try telling that to Rahm Emanuel or any of the officials in the Defense Department, federal court system, or Goldman Sachs whose e-mail addresses could be targeted for phishing and other attacks.

"Now everyone in the world knows these people have iPads, and here's their serial number and here's their e-mail address," said Bill Pennington, chief strategy officer at White Hat Security. "This puts them in a more vulnerable state."

There is also the possibility that a SIM serial number could be used to get other customer information through this or other vulnerabilities on the AT&T site, he said. And there's a chance that not only iPad users were put at risk. "I believe this number could identify any 3G device on the AT&T network," not just iPads, Pennington said.

"Obviously, AT&T is using the ICC-ID as some sort of authentication mechanism," said Kevin Mahaffey, chief technology officer at mobile security firm Lookout.

"The question is: in the back-end are there other systems that are using the number as an identifier for other things?" he said. "There is a trend to use identifiers associated with devices as a way to trigger billing or interact with the account. There is some trust associated with these numbers."

Another security expert said the breach revealed enough information that a determined attacker could use to target the specific device.

"At least in the United States, some major GSM providers are known to use ICCID values that contain the lower nine digits of the International Mobile Subscriber Identity (IMSI), which is considered to be a protected value. The other digits that make up an IMSI are either known or can be easily guessed by an attacker," said Don Bailey, a security consultant at iSEC Partners.

"Knowing a subscriber's IMSI allows a potential attacker to target that specific subscriber's GSM handsets or devices using an IMSI catcher, which itself is a device that can intercept or manipulate GSM traffic," Bailey said. "An attacker with access to an IMSI catcher can intercept the traffic of high-profile targets potentially leading to a loss of privacy. With the lowering cost of IMSI catching equipment, the ability for an attacker to correlate ICCIDs with high-profile individuals, then derive the IMSI from each ICCID, is a substantial threat to both corporate and personal privacy."

According to Gawker, Goatse Security shared the exploit it wrote for the AT&T site with others. But Pennington said it seemed like the hackers were more interested in shaming AT&T over lax security than making money off the situation.

"I don't think the data would have a lot of value in the underground," Pennington said. "I think their primary motivation is shame and guilt."

Updated June 10 at 7:30 a.m. PDT: Added comment from Don Bailey at iSEC Partners and additional comments from Goatse analyst Jim Jeffers.

CNET's Erica Ogg contributed to this report.