AT&T vulnerability exposes 114,000 iPad 3G owners’ information

[begood]

Well, AT&T’s already diminished public opinion just got much worse. On the heels of PR disasters such as a legal threat made from AT&T CEO Randall Stephenson’s office to a customer making an inquiry directly to the CEO, and the replacement of AT&T’s unlimited 3G data plans with plans that have a 2GB cap and a slightly lower price, something much more serious has happened.

Reports have surfaced stating that quite possibly 114,000 iPad 3G owners — including high-ranking politicians, public figures, and top businessmen/media professionals — have had their private information compromised thanks to a security hole on AT&T’s end.

Some of the high-profile names on the leaked email list. Image courtesy: Gawker Media.

At this point, AT&T has recently patched the exploit. However, it is unknown as to who may have gotten their hands on this script as the discoverer of the exploit, a group dedicated to hacking and discovering exploits named Goatse Security discovered the exploit and have shared the script with third-parties.

Turns out, the information exposed with this breach was AT&T subscribers’ email address along with their ICC-ID. The ICC-ID (integrated circuit card identifier) is essentially used to identify the SIM cards within a subscriber’s device.

How was this exploit discovered? Goatse Security apparently were able to get their hands on this information through a script on AT&T’s website, which, upon being provided with an ICC-ID, will return the person’s email address. They still needed to know about each person’s ICC-ID for this to work, right? Wrong. The security group managed to guess most of the ICC-IDs based off of pictures of iPad 3Gs, and currently known ICC-IDs.

They wrote a PHP script that automated the retrieval process, and this in turn returned them a very lengthy list of early iPad 3G adopters, including some rather high profile names. AT&T has commented on this disaster in the form of usual PR babble, stating:

“AT&T was informed by a business customer on Monday of the potential exposure of their iPad ICC IDS. The only information that can be derived from the ICC IDS is the e-mail address attached to that device.

This issue was escalated to the highest levels of the company and was corrected by Tuesday; and we have essentially turned off the feature that provided the e-mail addresses.

The person or group who discovered this gap did not contact AT&T.

We are continuing to investigate and will inform all customers whose e-mail addresses and ICC IDS may have been obtained.

We take customer privacy very seriously and while we have fixed this problem, we apologize to our customers who were impacted.”

Asides from the privacy issue of these emails getting out, question is, can any other harm be done with the ICC-IDs leaked out? According to Valleywag, Goatse Security team members have told them that they’re concerned about the possibility of intercepting traffic. However, other security experts are skeptical.

This surely won’t help AT&T’s case, especially if other exploits asides from the leaked emails are possible with this security hole. Could this be the incident that finally pushes Apple to make the switch to Verizon at last, after much rumors and speculation about such a move that don’t seem to go away?

AT&T vulnerability exposes 114,000 iPad 3G owners’ information | GeekSmack

[zYztem]

Nu aveti cumva lista acea cu emailurile ?