They thought they were among the lucky few: the "VIPs" who were the very first to get their hands on Apple's latest gadget. But those high-ranking military officials, media bosses and even White House staff might now be wishing they hadn't bothered, after an online security breach exposed the personal details of thousands of iPad users.
The email addresses of around 114,000 Apple iPad owners who subscribe via America’s second largest mobile phone provider AT&T were hacked by an internet security group.
Among those believed to have been affected are filmmaker Harvey Weinstein, Mayor of New York City Michael Bloomberg and White House Chief of Staff Rahm Emanuel. The New York Times Co. also told its staff to shut off iPad wireless access after learning of the breach, according to a memo confirmed by the company.
The attack, by a group of hackers named Goatse Security, exposed a weakness in a part of AT&T's website used to prompt users of their email addresses, making it easier for them to log-in via their iPad. It holds information on all iPad users subscribed through the telecoms company's 3G network.
Each of the accounts has an associated ICC code – an internal code used to link a subscriber with their SIM card. The hackers bombarded the AT&T website with fake ICC codes in the knowledge that, by chance, some would inevitably match genuine patterns. When they did, the website thought it was being contacted by a real iPad user and released the associated email addresses.
The breach is being interpreted as a major embarrassment for both Apple and AT&T and comes just weeks after a member of Apple staff lost a prototype of an iPhone in a bar, which was promptly taken apart, photographed and published online by a technology blog.
It also provoked fears that iPad users, subscribed via AT&T’s 3G network could be at risk from phishing scams. Armed with a valid email address and the knowledge that their target may be expecting emails from Apple or AT&T, criminals could send emails that plant malicious software on thier victims’ computers.
Internet security expert Graham Cluley wrote that targetting users would be possible. But he played down the significance of the attack. In a blog post, he pointed out that no further “information about the individuals appears to have been exposed – for instance, there are no passwords, real names, telephone numbers, dates of birth.” He added, however, that the breach would cause embarrassment.
A Goatse Security spokesman said the group contacted AT&T and waited until the vulnerability was fixed before going public with the information. It also released the information to media website Gawker Media.
AT&T admitted the breach and said that the problem had been fixed on Tuesday. But it claimed that it was alerted to it by a business customer. In a statement, an AT&T spokesman said: “The only information that can be derived from the ICC Ids is the e-mail address attached to that device.
“This issue was escalated to the highest levels of the company and was corrected by Tuesday; and we have essentially turned off the feature that provided the e-mail addresses.
“The person or group who discovered this gap did not contact AT&T. We are continuing to investigate and will inform all customers whose e-mail addresses and ICC IDS may have been obtained.
“We take customer privacy very seriously and while we have fixed this problem, we apologize to our customers who were impacted.”
Apple has sold more than two million iPads since they went on sale two months ago. Some models of the iPad tablet work with AT&T's third-generation wireless network, and other versions only work on Wi-Fi networks. Wi-Fi-only models are not affected by the breach. It is believed only users within the United States have been affected.
Apple did not respond to requests for a comment.
Comments