This won’t end well for anyone. Today Gawker revealed that a 4chan-esque group calling itself Goatse Security was able to skirt AT&T security (or lack of it) and obtain the email addresses of over 114,000 3G iPad users. And even though they informed AT&T of this security hole, still more addresses may have been compromised as the group shared the PHP script used to harvest the addresses with third parties beforehand. Even worse: AT&T didn’t tell iPad owners about this breach, even though they’ve known for a couple of days.
That’s the icing on FailCake.
The security hole is now closed, but much damage has been done. It unclear if the hackers behind Goatse Security had any intention of actually using the data, but the unnamed third-parties might. And if a group of people can find this relatively easy to exploit hole in AT&T’s fences, I wouldn’t blame users for having little confidence in their ability to protect data from hackers with more malicious intent.
Granted, the data collected by this exploit was just email addresses, not passwords or other sensitive information. But it seems a lot of government officials, military officers, and high-ranking business executives use the 3G iPad and now several people know that and have their addresses. I’d like to be able to ping Rahm Emanuel with some advice for the President at any time, but I doubt that he’d appreciate it.
The thing that strikes me is that many of the domains are clearly military and government — why are military and government officials using their work email addresses on the iPad? Isn’t there a lot of sensitive information that goes through those accounts? Considering the back and forth last year over whether the president could have a BlackBerry, I’m a little surprised that the iPad is considered secure enough for this. And hey, maybe it’s not.
The other bits of information revealed in this sweep are the ICC IDs of the iPad owners. From Gawker: “ICC-ID stands for integrated circuit card identifier and is used to identify the SIM cards that associate a mobile device with a particular subscriber.” Can having this ID give hackers access to the data transmitted over 3G? Security experts interviewed by Gawker say no, but I doubt that’s going to make 3G iPad owners rest any easier.
So far there’s been no word from Apple on this (AT&T responded to Gizmodo here), but it will be fun to guess who blames who in the coming days. And as Gizmodo’s John Herrman points out, the biggest thing you might have to worry about from this particular incident is more spam. (At least it’s likely to be targeted spam. Here’s a flood of iPad cases!) But this highlights a serious problem regarding security and customer privacy.
Skipping AT&T’s data plan and getting the Wi-Fi version iPad plus a MiFi or other mobile hotspot is looking better and better.
Image Credit: Gawker