AT&T Said to Expose iPad Users’ Addresses
By MIGUEL HELFT
Copyright by The New York Times
Published: June 9, 2010
A group of hackers said Wednesday that it had obtained the e-mail addresses of 114,000 owners of 3G Apple iPads, including those of military personnel, business executives and public figures, by exploiting a security hole on AT&T’s Web site.
The group, which calls itself Goatse Security and says it specializes in exposing security vulnerabilities, also obtained the identification number that those iPads use when they communicate over AT&T’s network, known as an ICC-ID, according to a member of the group who agreed to speak on condition of anonymity.
AT&T acknowledged the breach, which was first reported by Gawker late Wednesday, but the company sought to minimize its importance.
“AT&T was informed by a business customer on Monday of the potential exposure of their iPad ICC-IDs,” AT&T said in a statement. “The only information that can be derived from the ICC-IDs is the e-mail address attached to that device.”
AT&T said that by Tuesday it had turned off the feature on its Web site that allowed the group to find the e-mail addresses.
Apple did not respond to a request for comment.
The incident is likely to be a public relations black eye for AT&T, which is Apple’s partner for wireless service on the iPhone and iPad in the United States. But security experts said it was not clear whether the breach would have serious consequences for those whose information was obtained.
Even in the wrong hands, e-mail addresses are of limited use beyond sending junk e-mail or attempting to pull people in with so-called phishing attacks, security experts said. What is more, e-mail addresses can be easy to guess. Members of the military are permitted to use only unclassified addresses on devices like the iPad.
But experts said that ICC-ID numbers could, in the right hands, be used to get other information, like an iPad’s location.
The breach “should be worrying people a lot,” said Nick DePetrillo, an independent security consultant.
Michael Kleeman, a communications network expert at the University of California, San Diego, said that AT&T should never have stored the information on a publicly accessible Web site. But he added that the damage was likely to be limited.
“You could in theory find out where the device is,” Mr. Kleeman said. “But to do that, you would have to gain access to very secure databases that are not generally connected to the public Internet.”
The list of e-mail addresses included military personnel, staff members in the Senate and the House, and people at the Justice Department, NASA and the Department of Homeland Security, said the group member. Private-sector addresses that were exposed include those of executives at The New York Times Company, Dow Jones, Condé Nast, Viacom, Time Warner, the News Corporation, and HBO, the person said.
AT&T said it would notify affected customers. “We apologize to our customers who were impacted,” it said.
Nick Bilton contributed reporting.