Under the Radar

How Serious is AT&T's iPad Security Leak?


Over the last 24 hours, the Internet has exploded with news about a "major security breach" for 114,000 owners of Apple's new iPad 3G tablet computer. A "online security" group delivered those owners' email addresses to Gawker.com, which promptly posted a story about the hackers' exploits.

A big part of the hysteria generated by the story is that the list gives the email addresses of a lot of high-ranking military and government officials, as well as executives from major corporations.

So how did this happen? The hackers exploited a feature offered subscribers to AT&T 3G wireless service. To sign up for an account, the user registered the iPad to an email address. Each iPad comes with a unique ICC-ID (integrated circuit card identifier) which ties that machine to the registered email address.

AT&T offers a service where users can check their wireless data usage over the course of a month. When someone opened the screen above, AT&T used the ICC-ID to autofill the user's email address.

The hackers did a "brute force" attack where they randomly plugged potential ICC-IDs into the AT&T computers and harvested whatever email addresses the good ICC-IDs returned.

Now that AT&T's security has been breached, they've plugged the hole. Users must manually enter their email address into the form and ICC-IDs no longer give access to email addresses.

I own a 3G iPad. When I checked my data usage, I was surprised that it remembered my email address but it didn't give me much pause. I wouldn't be surprised if my email is on the list delivered to Gawker.

That being said, it's my email address, the same one freely available to anyone who can see my Facebook page, the same one that's been out there for years in almost all of my professional email correspondence.

I suspect the same is true for most of the high-profile people on the list. Knowledge of an officer's .mil email address or a White House official's .gov address is hardly an issue of national security. AT&T made an error, but knowing someone's email address shouldn't give you access to their private information.

So why the overheated post at Gawker, the one that started the whole controversy? Maybe it has something to do with their parent company's war with Apple over the Gizmodo site's purchase of a lost or stolen prototype of the new iPhone 4. In fact, the original Gawker post talks about Apple's security breach when the details make it clear that the screw up was 100% caused by AT&T.

The worst that could have happened with this leak would have been the release of those email addresses to spammers and a corresponding increase in annoying emails for the iPad owners.

Of course, the mainstream media got all worked up without considering the politics or motives behind the original story. I'm not happy that AT&T may have leaked my email address to someone with bad motives, but I wouldn't really call it a breach of privacy.

Show Full Article