The iPad Security Hole
by admin

On June 9th, 2010, Goatse Security released a list of 114,000 Apple accounts associated with the iPad.  They thoughtfully included the security ID that authorized each user to use AT&T’s 3G network.

The Leak

Much like the famous internet anarchist group Anonymous, Goatse Security is a loose affiliation of dubious security “experts” who decided to demonstrate just how insecure AT&T’s 3G network is.  In the process, the group exposed a list of early adopters that included everything from military generals to the CEO of the New York Times and the mayor of New York.  It also showed that DARPA had taken an interest in the devices.

The leak was not Apple’s fault; the problem lay with a script on AT&T’s website that should not have been accessible by the public.  It provided access to the ICC IDs that AT&T uses to identify 3G data users.  All Goatse Security needed to do was write a batch script that called the AT&T script many times, building a database of email addresses and the ICC IDs associated with them.
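The access pattern described above, one client asking a lookup script about many different IDs in a short time, stands out in web server logs. The following is an added example, not code from the original article or from AT&T; the `/lookup` path, the `iccid` parameter, the thresholds and the log lines are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

LOOKUP_PATH, ID_PARAM = "/lookup", "iccid"  # hypothetical names; the article gives none
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "GET (\S+) HTTP/[\d.]+" (\d{3})')

def parse(line):
    """Return (client, time, id) for a request to the lookup script, else None."""
    m = LINE.match(line)
    if not m:
        return None
    url = urlsplit(m.group(3))
    ids = parse_qs(url.query).get(ID_PARAM)
    if url.path != LOOKUP_PATH or not ids or not ids[0].isdigit():
        return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    return m.group(1), ts, int(ids[0])

def find_enumerators(lines, max_ids=10, window=timedelta(minutes=5), max_gap=10):
    """Flag clients that query more than max_ids distinct IDs inside one time window."""
    seen = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        seen[rec[0]].append(rec[1:])
    flagged = {}
    for client, reqs in seen.items():
        reqs.sort()
        start = 0
        for end in range(len(reqs)):
            while reqs[end][0] - reqs[start][0] > window:
                start += 1  # slide the window forward
            ids = sorted({i for _, i in reqs[start:end + 1]})
            if len(ids) > max_ids:
                gaps = [b - a for a, b in zip(ids, ids[1:])]
                # Share of closely spaced IDs: high when a range is being walked.
                flagged[client] = {"distinct_ids": len(ids),
                                   "near_sequential": sum(g <= max_gap for g in gaps) / len(gaps)}
                break
    return flagged

def sample_log():
    """Constructed log lines: one client walking an ID range, two ordinary users."""
    base = 89010000000000000000  # constructed number, not a real identifier
    fmt = '{ip} - - [01/Jan/2024:10:00:{s:02d} +0000] "GET /lookup?iccid={i} HTTP/1.1" 200'
    rows = [("203.0.113.7", n, base + n) for n in range(40)]
    rows += [("198.51.100.4", 41, base + 9000), ("198.51.100.9", 42, base + 77)]
    return [fmt.format(ip=ip, s=s, i=i) for ip, s, i in rows]

if __name__ == "__main__":
    print(find_enumerators(sample_log()))
```

A legitimate user only ever needs the record for their own device, so even a low threshold on distinct IDs per client produces few false alarms.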

The Response

Needless to say, the FBI took immediate interest.  Less than a day later the organization announced that it had opened an investigation into the event.  Two people were arrested for the leak before the investigation was wrapped up.

Ryan Tate of Gawker Media, to whom Goatse Security leaked the information, claimed that it was Apple’s “worst security breach.”  He felt that, in the best-case scenario, Apple loses credibility and AT&T, already much maligned, gets cast in an even worse light.  In the worst-case scenario, however, he feared that the ICC IDs could be used to clone a device.  That would essentially let anyone with a minimum of hardware and the list of IDs create a device that thinks it belongs to a military general.

Many experts, however, felt that the leak wasn’t too serious.  John Paczkowski of All Things Digital felt that, while the email addresses could be sold to spammers, the ICC IDs were of no real worry.  Philip Elmer-DeWitt of Fortune agreed, and reminded his readers that losing a list of email addresses doesn’t compare to losing a list of credit card details or social security numbers, leaks that other companies have suffered.

The Repercussions

While the hole that let the emails leak has since been patched, the whole debacle demonstrates the issue with tying all your information to one account.  Mobile operating systems tend to identify their users by their email address, tying all your information to a single point of failure.  Facebook offers a similar feature, with many popular sites letting you create an account from your Facebook information.  If that one account is compromised, every site you have authorized from within Facebook is now accessible.  And while most of those sites contain little that could hurt you, every scrap helps an identity thief get your identity.

Connecting all our accounts to one email or user name makes it very easy to manage our online lives, but it also means that anyone who has access to that account has access to our entire lives.  And as the iPad debacle shows, it doesn’t matter if the company with all that information has the best security in the world if one of its partners doesn’t.

