Analysis: Enough blame to go around in iPad security breach
By Marco Tabini
The leader of a security research firm and AT&T traded angry words Monday in the wake of last week’s data breach that exposed the e-mail addresses of 114,000 iPad 3G users. The carrier called the behavior of Goatse Security “malicious,” while the security firm countered that AT&T was “being dishonest about the potential for harm.” But both sides have plenty to answer for in how they’ve handled this security situation.
Last week, Gawker published an article describing how Goatse—named after one of the Web’s most infamous Websites—had been able to extract the e-mail addresses of some 114,000 iPad users by piggybacking on a Web-based service provided by AT&T.
Designed to simplify the sign-up process for adding a 3G data plan to an iPad, the service accepted the unique ID associated with the SIM card in a iPad Wi-Fi + 3G and returned the e-mail address of the corresponding customer (presumably based on data collected at activation). By guessing a large number of IDs, Goatse was able to capture the e-mails addresses of tens of thousands of users, including celebrities and high-ranking political and military officials.
Goatse claims to have disclosed the information to AT&T through an unnamed third party so that the company couldn’t take any legal measures aimed at silencing them. The cellular provider, for its part, has lashed out at the security group, stating—both in a press release and in a letter to affected customers—that the security group behaved unethically and pointing out that the only information the exploit yielded were the e-mail address of each user and the unique ID associated with users’ iPads. Separately, the FBI has opened an official investigation into possible criminal activity connected with the security breach.
But the story doesn’t end there. In the latest salvo in this saga, Goatse leader Escher Auernheimer has hit back at AT&T on the group’s blog, claiming that AT&T failed to disclose the issue until Goatse went public, and that its response downplays the real security implications of the security breach.
Auernheimer goes on to say that the group has found a flaw in all versions of Safari that has, as of yet, gone unpatched on Apple’s mobile devices and that there are likely other attack vectors that could be used to take over an iPad, making the device inherently insecure.
Auernheimer also claims that one of these vulnerabilities could be used in conjunction with the leaked data to take over iPads in the attacker’s physical vicinity by scanning for a device’s unique ID. Of course, the level of knowledge and resources needed for this exploit don’t make it a likely concern for most users, but it could be a significant issue for high-profile targets.
With all the accusations flying back and forth and little, if any, objectively reliable information, it’s difficult to tell who’s at fault in this story, but one thing is certain: there is plenty of blame to go around.
The real problem with AT&T’s disclosure is that it wasn’t caused by an inadvertent fault in their programs. Technically speaking, the Goatse researchers didn’t have to “hack” or breach any systems, because the system was designed to work in an insecure way.
Rather than an embarrassing one-time occurrence, this episode appears to reveal a fundamental lack of regard for security in the company’s development practices; this, in a way, is much scarier than finding out that a skilled security expert has been able to circumvent a sophisticated but flawed security mechanism.
It’s the equivalent of walking by your bank on a Sunday and finding out that the door to the vault is being held in place by Scotch tape: it doesn’t take great expertise to breach something that is not secure in the first place. The company’s slow response and its refusal to take responsibility for what has happened in a timely manner and reassure its customers by performing an internal review of its security practices is also unlikely to raise its profile.
For its part, Goatse also has some questions to answer—such as, for example, why it needed to download 114,000 e-mails to satisfy itself that the security disclosure was real, and why it decided to disclose all 114,000 to third parties. A few selected e-mail addresses should have been sufficient to convince anyone that the security issue was real and that AT&T should be alerted and given an opportunity to correct its mistake.
In addition, the group’s communiqués have been, at times, so belligerent that one cannot help but wonder whether a better approach could have helped them make this serious issue public without giving AT&T public-relations ammo with which to fight back.