About | ACP | Buy | Industry Watch | Learning Curve | Search | Test Drive

114,067+ iPad Accounts Breached

Flaw in AT&T web code.


Over 114,000 iPad accounts have been compromised. The list of the hacked accounts reads like a who's who of Hollywood, the media, and most significantly the US federal government.

Gawker currently have the most detailed report. It also turns out that the story was first presented to the mainstream media (including Reuters) who ignored it.

Taylor Buley of Forbes reveals how the story of the story went down.

According to 'Weev', a well known Internet 'activist' who we likened to Shakespeare's Puck after a baffling Amazon.com security incident last year, the 'Goatse' security group alerted various members of the mainstream press via email before granting Gawker's [Ryan] Tate an exclusive on the data.

'i disclosed this to other press organisations first (ones who had ipad users affected by the breach, lol) and was ignored', writes Weev in an email. 'gawker found out and ran with it immediately.'

To prove it, Weev sent Forbes copies of emails sent to press at Reuters, News Corp, The Washington Post, and The San Francisco Chronicle. The veracity of the emails has not been confirmed but each has a timestamp dating back to Sunday night.

Weev contacted no less than 11 (eleven) Reuters addresses.

Hello Reuters!

An information leak on AT&T's network allows severe privacy violations to iPad 3G users. Your iPad's unique network identifiers were pulled straight out of AT&T's database.

Every GSM device (including 3G iPads) has an ICC-ID on its SIM card. This ICC-ID is a unique identifier to the cellular network that is used by the carrier to route calls to your cellphone. If this ICC-ID is compromised an attacker could theoretically (thanks to recent cryptanalysis that cracked GSM's hash and stream functions) clone your SIM card to act as you on the AT&T network.

Devin, the iPad you registered to your email has the ICC-ID of 8901xxxxxxxxxxxxxx94.
Shannon, yours is 8901xxxxxxxxxxxxxx73.
James, yours is 8901xxxxxxxxxxxxxx74.
Carl, yours is 8901xxxxxxxxxxxxxx72.
David, yours is 8901xxxxxxxxxxxxxx71.
Neil, yours is 8901xxxxxxxxxxxxxx05.
Rob, yours is 8901xxxxxxxxxxxxxx03.
Joseph, yours is 8901xxxxxxxxxxxxxx11.
Mike, yours is 8901xxxxxxxxxxxxxx57.

You can locate your ICC-ID number of your iPad and verify this information by using the following item from Apple's FAQ:

There is nothing in Apple's SDK APIs that would allow an application to have this identifier-- it is a shared secret that should indicate physical proximity to the iPad. In addition, by harvesting ICC-IDs, an attacker can build a complete list of contact information for all iPad 3G customers. All these Thomson Reuters employees were revealed in a short data harvest by my working group along with hundreds of thousands of other iPad 3G customers.

If anyone in your organization would like to discuss this particular issue for publication I would be absolutely happy to describe the method of theft in more detail.

Have a good evening.

No one at Reuters responded. Weev (or someone from his organisation) also contacted AT&T but AT&T are denying this, claiming a 'business client' alerted them to the breach, although it remains a mystery how any such client could have found it.

The Story

Ryan Tate at Gawker tells the story excellently. His article is the definitive source for information on the breach.

√ Someone discovered that by sending the iPad user agent and ICC-ID to an AT&T web address, the AT&T website would return (without authentication) rather thorough personal data on the iPad owner.

Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7B367 Safari/531.21.10

√ All they did at that point was create a script that bumped the ICC-ID each time and harvested the data returned by the AT&T server.

√ Celebs known to be compromised include the CEOs of Dow Jones, the NY Times, and Time; Diane Sawyer of ABC News; film mogul Harvey Weinstein; NY mayor Michael Bloomberg; White House chief of staff Rahm Emanuel; a number of Pentagon brass that found room in their tight budgets; and B-1 bomber squadron commander Colonel William Eldridge.

The security researchers were able to guess a large swath of ICC-IDs by looking at known iPad 3G ICC-IDs, some of which are shown in pictures posted by gadget enthusiasts to Flickr and other internet sites.

The group wrote a PHP script to automate the harvesting of data. Since a member of the group tells us the script was shared with third parties prior to AT&T closing the security hole, it's not known exactly whose hands the exploit fell into and what those people did with the names they obtained. A member tells us it's likely many accounts beyond the 114,000 have been compromised.

Two iPad owners amongst the 114,000 verified their listed ICC-IDs were correct.

The who's who list of early iPad adopters includes those listed below as well as people at Google, Amazon, Microsoft, AOL, Goldman Sachs, JP Morgan, Citigroup, Morgan Stanley; staff in the US senate, the house of representatives, the department of justice; NASA, the Department of Homeland Security, the Federal Aviation Authority, the Federal Communications Commission, the National Institute of Health; and staff in the US federal court system. [Recession? Record budget deficit? Where? Ed.]

Two days after the discovery, AT&T still hadn't alerted their iPad clients to the breach.
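
The harvest described above has a recognisable shape in server logs: a real iPad only ever asks about its own ICC-ID, while a script walks through many. The following is an added example, not code from Gawker, AT&T or the group involved, showing one way to flag that pattern. The log format, the `/lookup` path and the `iccid` parameter name are assumptions, since the page does not give the real URL, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample log (client, unix time, request, user agent).
# The /lookup path and "iccid" parameter are hypothetical names.
UA = '"Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X; en-us)"'
SAMPLE_LOG = "\n".join(
    # One client stepping through six consecutive ICC-IDs in six seconds.
    [f"198.51.100.7 {1000 + n} GET /lookup?iccid=8901000000000000{n:04d} {UA}"
     for n in range(6)]
    # One device repeatedly asking about its own ICC-ID (normal behaviour).
    + [f"203.0.113.20 {1000 + 30 * n} GET /lookup?iccid=89010000000000009999 {UA}"
       for n in range(3)]
    # Two devices behind one address, hours apart (shared NAT, also normal).
    + ["192.0.2.5 1000 GET /lookup?iccid=89010000000000005001 " + UA,
       "192.0.2.5 9000 GET /lookup?iccid=89010000000000005002 " + UA]
)

LINE_RE = re.compile(r"^(\S+) (\d+) GET \S*[?&]iccid=(\d{19,20})\b")

def find_enumerators(log_text, max_distinct=3, window=60):
    """Return {client: n} for clients that requested more than
    max_distinct different ICC-IDs inside any window-second span."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            client, ts, iccid = m.groups()
            per_client[client].append((int(ts), iccid))

    flagged = {}
    for client, hits in per_client.items():
        hits.sort()
        start, worst = 0, 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans <= window seconds.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = len({iccid for _, iccid in hits[start:end + 1]})
            worst = max(worst, distinct)
        if worst > max_distinct:
            flagged[client] = worst
    return flagged

if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))
```

Detection of this kind is a backstop only: the underlying flaw is that the server returned account data without authentication, so the identifier and user agent were the only things standing between a requester and the record.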

See Also
InformationWeek: 114,000+ 3G iPad User Emails Exposed
Gawker: Apple's Worst Security Breach: 114,000 iPad Owners Exposed
Forbes: AT&T's iPad Hackers 'Ignored' By Reuters, Other Mainstream Press

Copyright © Rixstep. All rights reserved.