AT&T: We will prosecute hacker who found iPad security hole
Mobile network operator AT&T sent a message out to all 3G iPad owners yesterday that attempted to explain and apologize for a major security breach which disclosed the email address of every 3G iPad owner. The company said no other information was exposed and that the matter had been resolved.
Last week, a group going by the name Goatse Security took credit for discovering the exploit, which exposed an estimated 114,000 subscribers' email addresses and ICC-IDs. ICC-IDs are "integrated circuit card identifiers" which identify SIM cards and relate them to the subscriber's phone number.
"We did not contact AT&T directly, but we made sure that someone else tipped them off and waited for them to patch until we gave anything to Gawker," the group said in a statement on June 10. "This is as 'nice guy' as it gets. We had no interest in direct dialogue with AT&T, but we waited nicely for them to get their house in order and get their hole plugged tight before exposing it."
AT&T's message yesterday didn't exactly paint Goatse Security as such "nice guys."
"On June 7 we learned that unauthorized computer 'hackers' maliciously exploited a function designed to make your iPad log-in process faster by pre-populating an AT&T authentication page with the email address you used to register your iPad for 3G service," the note said. "The self-described hackers wrote software code to randomly generate numbers that mimicked serial numbers of the AT&T SIM card for iPad -- called the integrated circuit card identification (ICC-ID) -- and repeatedly queried an AT&T web address. When a number generated by the hackers matched an actual ICC-ID, the authentication page log-in screen was returned to the hackers with the email address associated with the ICC-ID already populated on the log-in screen."
"The hackers deliberately went to great efforts with a random program to extract possible ICC-IDs and capture customer email addresses. They then put together a list of these emails and distributed it for their own publicity," AT&T said.
The Federal Bureau of Investigation began looking at the case last Thursday, and the hacker who found the security flaw could face prosecution.
Indeed, in its message yesterday, AT&T confirmed that it will "cooperate with law enforcement in any investigation of unauthorized system access and to prosecute violators to the fullest extent of the law."
The security group's Escher Auernheimer responded to AT&T's statements this morning with a blog post:
"AT&T mailing so much of their subscriber base exposes a potential I have been suspicious of. They were likely not logging their httpd and had no idea how to verify the true scope of the disclosure, so they had to mail a huge number of customers. If not for our firm talking about the exploit to third parties who subsequently notified them, they would have never fixed it and it would likely be exploited by the RBN or the Chinese, or some other criminal organization or government (if it wasn't already.)"
"AT&T had plenty of time to inform the public before our disclosure. It was not done. Post-patch, disclosure should be immediate -- within the hour. Days afterward is not acceptable. It is theoretically possible that in the span of a day (particularly after a hole was closed) that a criminal organization might decide to use an old dataset to exploit users before the users could be enlightened about the vulnerability… We understand that good deeds many times go punished, and AT&T is trying to crucify us over this. The fact remains that there was not a hint of maliciousness in our disclosure. We disclosed only to a single journalist and destroyed the data afterward. We did the right thing, and I will stand by the actions of my team and protect the finder of this bug no matter what the cost."
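Two technical points in the article connect on the defender's side: AT&T's description of a program that repeatedly queried an endpoint with guessed ICC-IDs until one matched, and Auernheimer's remark that without httpd logs the operator could not verify the true scope of the disclosure and so had to mail its whole subscriber base. The following is an added example written for this page, not code from the article, from AT&T, or from Goatse Security. It shows what ordinary web-server access logs make possible: spotting an identifier-enumeration pattern (one client, many distinct ID values, a high miss rate, whereas a real subscriber only ever presents their own ICC-ID) and, from the same records, listing exactly which identifiers returned a pre-populated page and therefore had an email address exposed. The endpoint path `/ipad/login`, the query parameter name `iccid`, the client addresses, the ICC-ID values and every log line are constructed assumptions in Apache/Nginx combined-log format; a 200 response is taken to mean the ICC-ID matched and the pre-populated page was returned.

```python
"""Detect ID-enumeration against a lookup endpoint from access logs and
measure the disclosure scope. Added example; all paths, parameter names,
addresses and log lines below are constructed, not AT&T's real system."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample: one enumerating client (198.51.100.7) sweeping
# consecutive guessed ICC-IDs, two ordinary subscribers presenting only
# their own ICC-ID, one unrelated static asset and one unparseable line.
SAMPLE_LOG = """\
198.51.100.7 - - [07/Jun/2010:10:00:01 +0000] "GET /ipad/login?iccid=89014104212345678900 HTTP/1.1" 404 0
198.51.100.7 - - [07/Jun/2010:10:00:01 +0000] "GET /ipad/login?iccid=89014104212345678901 HTTP/1.1" 404 0
198.51.100.7 - - [07/Jun/2010:10:00:02 +0000] "GET /ipad/login?iccid=89014104212345678902 HTTP/1.1" 200 812
198.51.100.7 - - [07/Jun/2010:10:00:02 +0000] "GET /ipad/login?iccid=89014104212345678903 HTTP/1.1" 404 0
198.51.100.7 - - [07/Jun/2010:10:00:03 +0000] "GET /ipad/login?iccid=89014104212345678904 HTTP/1.1" 404 0
198.51.100.7 - - [07/Jun/2010:10:00:03 +0000] "GET /ipad/login?iccid=89014104212345678905 HTTP/1.1" 200 812
198.51.100.7 - - [07/Jun/2010:10:00:04 +0000] "GET /ipad/login?iccid=89014104212345678906 HTTP/1.1" 404 0
198.51.100.7 - - [07/Jun/2010:10:00:04 +0000] "GET /ipad/login?iccid=89014104212345678907 HTTP/1.1" 404 0
198.51.100.7 - - [07/Jun/2010:10:00:05 +0000] "GET /static/logo.png HTTP/1.1" 200 4021
203.0.113.5 - - [07/Jun/2010:10:01:00 +0000] "GET /ipad/login?iccid=89014104219876543210 HTTP/1.1" 200 812
203.0.113.5 - - [07/Jun/2010:10:01:30 +0000] "GET /ipad/login?iccid=89014104219876543210 HTTP/1.1" 200 812
203.0.113.5 - - [07/Jun/2010:10:02:00 +0000] "GET /ipad/login?iccid=89014104219876543210 HTTP/1.1" 200 812
192.0.2.9 - - [07/Jun/2010:10:03:00 +0000] "GET /ipad/login?iccid=89014104215555555550 HTTP/1.1" 200 812
this line is not a valid access-log record and must be skipped
"""

# Combined-log format: client, identd, user, [timestamp], "METHOD target proto", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Return the fields needed for analysis, or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "target": m["target"], "status": int(m["status"])}


def analyze(log_text, endpoint="/ipad/login", param="iccid",
            min_distinct=5, min_miss_ratio=0.5):
    """Flag clients that present many distinct identifiers with mostly misses,
    and collect the identifiers that returned a hit (200) to a flagged client.

    A legitimate subscriber only ever sends their own ICC-ID, so they produce
    one distinct value and (almost) no misses; an enumerator produces many
    distinct values and a high miss rate. Thresholds are assumptions."""
    per_client = defaultdict(lambda: {"requests": 0, "ids": set(), "hits": set(), "misses": 0})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        url = urlsplit(rec["target"])
        if url.path != endpoint:
            continue  # unrelated resource, not part of the lookup pattern
        values = parse_qs(url.query).get(param)
        if not values:
            continue
        ident = values[0]
        c = per_client[rec["ip"]]
        c["requests"] += 1
        c["ids"].add(ident)
        if rec["status"] == 200:
            c["hits"].add(ident)   # assumed: 200 == identifier matched, page pre-populated
        else:
            c["misses"] += 1

    flagged = {}
    disclosed = set()
    for ip, c in per_client.items():
        miss_ratio = c["misses"] / c["requests"]
        if len(c["ids"]) >= min_distinct and miss_ratio >= min_miss_ratio:
            flagged[ip] = {
                "requests": c["requests"],
                "distinct_ids": len(c["ids"]),
                "miss_ratio": round(miss_ratio, 2),
                "hits": len(c["hits"]),
            }
            disclosed |= c["hits"]   # scope: exactly these identifiers leaked an email
    return {"flagged": flagged, "disclosed_ids": sorted(disclosed)}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ip, stats in result["flagged"].items():
        print(f"enumeration from {ip}: {stats}")
    print(f"{len(result['disclosed_ids'])} identifier(s) had an email disclosed:",
          result["disclosed_ids"])
```

With the access log retained, the operator can notify precisely the subscribers whose identifiers appear in `disclosed_ids` rather than the entire customer base; without it, the only safe assumption is that every record may have been reached. The same per-client statistics (distinct identifier count and miss ratio over a short window) are what a rate limit or WAF rule on the endpoint would key on.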