Military, other fed iPad users compromised in AT&T hack

E-mail addresses exposed in recent white-hat attack

Civilian agency and military 3G Apple iPad users were among those whose e-mail addresses were exposed recently when a hacker group gained access to a list of users – including many high-profile people in industry, politics and the media – via AT&T’s Web site.

Gawker, which first reported the breach, said the compromised information also included users’ ICC numbers, which authenticate users on AT&T’s network. However, AT&T told the New York Times that those numbers only reveal the e-mail address for the iPad users.

A security expert told the Times that an ICC identification could, in theory, be used to determine a device’s location, but doing so would require gaining access to secure databases that are not usually connected to the Internet. Experts said little real harm is likely to come from the attack.

Despite the limited expected fallout, the breach does raise concerns for users of iPads and, perhaps, other wireless devices. The Times told its employees with iPads to turn off the 3G functions until it could investigate the matter.

According to Gawker, the group that first reported the breach to AT&T exploited a script on AT&T’s Web site to get the information on approximately 114,000 users. AT&T, which is Apple’s exclusive provider for the iPhone and iPad, said it was notified of the vulnerability Monday and has since closed the hole.

E-mail addresses revealed included those of New York City Mayor Michael Bloomberg; the chief executive officers of Dow Jones, the New York Times and Time magazine; Diane Sawyer of ABC News; and film producer Harvey Weinstein. White House Chief of Staff Rahm Emanuel also was apparently on the list.

Among government users, the list included those with addresses at the Army, the Defense Advanced Research Projects Agency, the Federal Aviation Administration, the Federal Communications Commission, the Justice Department and NASA.

The script on AT&T’s Web site that allowed the data theft is available to anyone on the Internet, according to Gawker, which was shown the list of e-mail addresses. “When provided with an ICC-ID as part of an HTTP request, the script would return the associated email address, in what was apparently intended to be an [Asynchronous JavaScript and Extensible Markup Language]-style response within a Web application,” Gawker reported. “The security researchers were able to guess a large swath of ICC IDs by looking at known iPad 3G ICC IDs, some of which are shown in pictures posted by gadget enthusiasts to Flickr and other internet sites.” They then wrote a PHP script to automate the collection of data, the report said.
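The flaw Gawker describes, an unauthenticated lookup keyed on a guessable identifier, leaves a recognizable trace in web-server logs: one client asking about many neighbouring ICC-IDs. The Python below is an added example of that detection, not code from AT&T, Gawker or the researchers; the log format, the `/lookup` path, the `ICCID` parameter name, the threshold and all sample values are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed combined-log-style line and an assumed "ICCID" query parameter.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "GET (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
)
ICCID_RE = re.compile(r'[?&]ICCID=(\d{19,20})\b')

def build_sample_log():
    """Constructed log: one normal device and one client walking an ID range."""
    fmt = ('{ip} - - [09/Jun/2010:10:00:{s:02d} +0000] '
           '"GET /lookup?ICCID={i} HTTP/1.1" {st} 64')
    lines = []
    # Normal device: asks about its own ICC-ID, several times.
    for s in range(3):
        lines.append(fmt.format(ip="192.0.2.10", s=s, i="8900000000000012345", st=200))
    # Enumerating client: 30 neighbouring IDs, every third one unassigned.
    base = 8900000000000050000
    for n in range(30):
        lines.append(fmt.format(ip="198.51.100.7", s=n, i=base + n,
                                st=200 if n % 3 else 404))
    return lines

def find_enumerators(lines, max_distinct=5):
    """Return {ip: stats} for clients that queried more than max_distinct ICC-IDs."""
    seen = defaultdict(set)   # ip -> distinct ICC-IDs requested
    hits = defaultdict(int)   # ip -> requests answered with 200 (data returned)
    for line in lines:
        m = LINE_RE.match(line)
        q = ICCID_RE.search(m["path"]) if m else None
        if not q:
            continue          # not a lookup request, or unparseable line
        seen[m["ip"]].add(int(q.group(1)))
        if m["status"] == "200":
            hits[m["ip"]] += 1
    report = {}
    for ip, ids in seen.items():
        if len(ids) <= max_distinct:
            continue          # a device normally asks only about its own ID
        ordered = sorted(ids)
        # Consecutive values are the signature of guessing from known IDs.
        adjacent = sum(1 for a, b in zip(ordered, ordered[1:]) if b - a == 1)
        report[ip] = {"distinct_ids": len(ids), "adjacent_pairs": adjacent,
                      "hits": hits[ip]}
    return report

if __name__ == "__main__":
    for ip, stats in find_enumerators(build_sample_log()).items():
        print(ip, stats)
```

Detection of this kind only shortens the exposure window; the underlying fix is for the lookup to return an address only to a session already bound to that ICC-ID.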

 

About the Author

Kevin McCaney is editor of Defense Systems. Follow him on Twitter: @KevinMcCaney.

Reader Comments

Mon, Jun 14, 2010 DT IA

The hack has nothing to do with the iPad. The hack was against ATT's 3G registration system. The registration ID for 3G access is your e-mail. For some people in Gov't that is the only e-mail they have. They weren't using the iPad for Government work or anything like that whatsoever.

Fri, Jun 11, 2010 Shawn Hendricks

Hard to read your pages through the ads that pop up. I don't trust them because of cross-site scripting and other Web2.0 vulnerabilities. You need to find something less offensive. I hate them. I hate them. Why would you inflict something that heinous on me?

Fri, Jun 11, 2010

You're wrong. The iPad is a mini-computer with multi-function capabilities. Just needs to be secured!!

Fri, Jun 11, 2010

The iPad is a toy. Why are military leaders using this with gov't email addresses?
