AT&T's Apple iPad security breach: Is Goatse the bad guy?

AT&T's Apple iPad security breach: Is Goatse the bad guy?

Summary: AT&T has fleshed out its response about an Apple iPad flaw that exposed customer email addresses and may just make matters worse.

SHARE:

AT&T has fleshed out its response about an Apple iPad flaw that exposed customer email addresses and may just make matters worse.

Last week, Goatse Security said it obtained the email addresses of 114,000 Apple iPad users, including a few in the White House. AT&T in a letter to customers, apologized to customers---including our own Michael Krigsman--- but then painted Goatse as the bad guy in a move that could backfire. Why? The apology just looks hollow when you try and throw Goatse under the bus. AT&T wrote:

On June 7 we learned that unauthorized computer “hackers” maliciously exploited a function designed to make your iPad log-in process faster by pre-populating an AT&T authentication page with the email address you used to register your iPad for 3G service. The self-described hackers wrote software code to randomly generate numbers that mimicked serial numbers of the AT&T SIM card for iPad – called the integrated circuit card identification (ICC-ID) – and repeatedly queried an AT&T web address. When a number generated by the hackers matched an actual ICC-ID, the authentication page log-in screen was returned to the hackers with the email address associated with the ICC-ID already populated on the log-in screen.

The hackers deliberately went to great efforts with a random program to extract possible ICC-IDs and capture customer email addresses. They then put together a list of these emails and distributed it for their own publicity.

Goatse, which initially gave its findings to Gawker, wasn't pleased. In a blog post, Goatse said:

AT&T mailing so much of their subscriber base exposes a potential I have been suspicious of. They were likely not logging their httpd and had no idea how to verify the true scope of the disclosure, so they had to mail a huge number of customers. If not for our firm talking about the exploit to third parties who subsequently notified them, they would have never fixed it and it would likely be exploited by the RBN or the Chinese, or some other criminal organization or government (if it wasn’t already).

AT&T had plenty of time to inform the public before our disclosure. It was not done. Post-patch, disclosure should be immediate– within the hour. Days afterward is not acceptable.

Often, researchers that find vulnerabilities go to the company first so that's where AT&T gets its malicious hacker charge. Goatse said that it didn't go to great efforts to exploit vulnerabilities and that its disclosure was "a service to our nation." "We disclosed only to a single journalist and destroyed the data afterward. We did the right thing," said Goatse.

As Dancho Danchev noted, the security risk to iPad users is generally small. But the incident reveals how third parties are often the front door for vulnerabilities.

In any case, AT&T's attempt to paint Goatse as the bad guy may backfire in the perception game.

Also:

Topics: Apple, Collaboration, iPad, Mobility, Security, AT&T

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

46 comments
Log in or register to join the discussion
  • RE: AT&T's Apple iPad security breach: Is Goatse the bad guy?

    Ya. AT&T and Apple should both be thanking the goatse guys. End of story.
    putty.master
    • RE: AT&T's Apple iPad security breach: Is Goatse the bad guy?

      @putty.master Dude, really? You are purposely missing the point. The issue is that AT&T had a security problem, what a REAL white hat would have done is reported back to AT&T and said hey we found a problem , blah blah blah. Rather than address the issue they went to the press. Its reminiscent of people that witness a crime in progress, but rather than calling the authorities to have the issue actually resolved, they call the press saying, hey guess what we saw!

      But the more serious issue is that it was an actual attack by them on a live production system, wherein they didn't just complete intrusion tests, they completed intrusion activities, and then shared the results with a 3rd party. In layman terms, I walk by your car, try the door, door opens, rather than telling you, i go inside your car, grab the contents of your car, then go to another person that has nothing to do with you, and rather then them telling you that your car door was open, they post a sign on the interstate saying YOUR car was open and here are the contents. If that happened to you, would you say that they were justified?

      How does that help anyone exactly? Plain and simple, the personal/professional ethics of the perpetrators are lacking, if not, completely non-existent. They deserve any and all negative repercussions they experience.
      mrgoodall
      • RE: AT&T's Apple iPad security breach: Is Goatse the bad guy?

        @mrgoodall
        Your allegories and layman's terms really only detail your personal opinion of the event, not the event itself.
        The event itself details how ATT, in an effort to say "we are fastest" circumvented security protocols.

        The general public doesn't know, and doesn't want to know the details of how their magic boxes work. This event bring it home on a personal level, and causes the outrage that such lack of regard for one's privacy and security should entail.
        CaptOska
      • RE: AT&T's Apple iPad security breach: Is Goatse the bad guy?

        @mrgoodall @mrgoodall Sorry, but your analogy is flawed. The "car" isn't privately owned and it's not just transporting the owner. It's like your school district buses transporting your kids to school aren't properly maintained, the brakes are bad, and you find this out. You walk onto the bus storage lot and take pictures. You contact the school district and they ignore you. You go to the press about it because you're concerned about your kids safety, and the school district trashes you for exposing them, rather than agreeing with you that your kids safety is of paramount importance.

        Just curious, do you work for or represent AT&T?
        erc@...
      • RE: AT&T's Apple iPad security breach: Is Goatse the bad guy?

        @mrgoodall They could have not told anyone about the vulnerabilities and just sold/exploited them to their own advantages. Like selling the email lists to spammers.
        Jimster480
    • Both AT&T and Apple Should Be Grateful!

      @putty.master Absolutely correct. Goatse (contrary to mrgoodall's twisted allegations) provide a service and are normally rewarded for their work, not castigated for it. After discovering security hole, they documented it. They didn't go out and sell it, they contacted AT&T and waited till the hole was closed.

      After AT&T didn't notify their customers, they felt that this needed to be made public. So they took their info to Gawker and told their story. AT&T still waited too long to notify their customers of this gaping hole in their security, that exposed private information linking their Name, specific Apple Device and the private email address linked to their AT&T account. Meaning that this email address is the one they most likely use for banking as well! ....if it was me, I'd be upset and I'd have a right to be!!!

      AT&T are guilty of a major lapse in best practices security and Apple are just as guilty of not following up on their customer's purchase after the sale. If I'm a Real Estate Agent I have a fiduciary responsibility to ensure the safety of my client's privacy and personal information that I collect during the sale and after the sale for years. In buying a device that is tied to a Partner's Services, that doesn't ever release me from that fiduciary responsibility if I was compensated for it. The same for Apple!

      Apple is in a partnership with AT&T to deliver a device and service in a contract where they both benefit from the transaction. Therefore they have a fiduciary obligation to protect the purchaser's information and privacy even after the sale is complete. Apple is making money off the service plan not just the sale of the device. So they are just as responsible as AT&T!!!

      They are lucky Goatse found it and not some black hats!
      i2fun@...
  • RE: AT&T's Apple iPad security breach: Is Goatse the bad guy?

    AT&T is Apple's worst enemy. Not Google :P
    fer.paredesb@...
    • RE: AT&T's Apple iPad security breach: Is Goatse the bad guy?

      @fer.paredesb@... It's a funny story.. Maybe they learned it from watching Apple. Jobs doesn't tell anyone of an exploit found, it's just tucked quietly away until a fix can be found, and then that is tossed in a generic "system updates" for next time it's downloaded surreptitiously and installed in the background.
      thatroom
  • Is Goatse the bad guy?

    No.
    AT&T is incompetent.
    davebarnes
    • Agreed, it's AT&T's fault

      It was purely wishful thinking on the part of some AT&T engineer(s) that this security hole wouldn't be exploited. What were they thinking? It's a major PITA for customers who wanted their e-mail address to be confidential. No indication from AT&T about how widely the e-mail list has been disseminated. Just a "you're screwed. sorry."

      AT&T, customers and the Feds should be thanking Goatse for exposing the stupidity.
      dogbreath1
    • RE: AT&T's Apple iPad security breach: Is Goatse the bad guy?

      @davebarnes So if Goatse didnt just hack into your PC, but also harvested your info and then published them to a 3rd party without contacting you, you'd be incompetent too right?
      mrgoodall
      • RE: AT&T's Apple iPad security breach: Is Goatse the bad guy?

        @mrgoodall the complete lack of concern by AT&T engineers is incompetence. If someone hacks into your PC and you are a security specialist that works on a PC you may indeed be incompetent. If you have the ability to secure your pc and open up ports on the firewall that expose you to threats without considering possibile holes you would be incompetent. In other words if you don't know any better you would be incompetent in this area.
        When you think that you can sell a device in a fashion wherein there are security holes that expose customer data you are not only incompetent but you are wrecklessly endangering the personal data of those that have trusted you to maintain their privacy.
        reed@...
  • RE: AT&T's Apple iPad security breach: Is Goatse the bad guy?

    Kinda strange that Goatse never explicitly stated whether they notified AT&T or immediately tried to sell the story to the media.
    aep528
  • it must be Apple's fault!

    I'm sure there is some way to blame this on Steve Jobs?
    john_gillespie@...
  • RE: AT&T's Apple iPad security breach: Is Goatse the bad guy?

    I have not yet formulated an opinion, but am intrigued by @aep528's reference to "sell the story." Is that ethical? Is it legal?
    ---
    http://www.eccouncil.org/certification/certified_ethical_hacker.aspx

    Hacking is a felony in the United States and most other countries. When it is done by request and under a contract between an Ethical Hacker and an organization, it is legal. The most important point is that an Ethical Hacker has authorization to probe the target.
    ---
    For just a moment, if you forget that AT&T and/or Apple are involved (as their is often strong emotion one way or another with those companies), is hacking for profit and without permission legal? Should it be? Is that not malicious?
    billparks@...
    • Hitting an HTTP server hacking now

      @billparks@... Only if you consider asking an HTTP server for a web page can you consider it hacking. They made a web service that spews this information out. If they had put even rudimentary security around it i could agree with you, but the decided to "hide" the url and hope no one hit it.
      zdnet-registraion
      • RE: AT&T's Apple iPad security breach: Is Goatse the bad guy?

        @zdnet-registraion - I hoped not to take a position, but to merely pose a few general hypothetical questions regarding ethical behavior.

        It sounds as though perhaps some might have the opinion that: if it is a web service, and without consent you are successful in probing it for data by spoofing another's identity (in this case with a random number generator), whether that is ethical or a malicious act is purely dependent on the protocol employed and the difficulty encountered.

        Let's assume that is a true statement, only for the sake of extending the ethics analysis.

        Is it then also ethical and non-malicious to do so for profit, in this case to sell a story? Would it have been more ethical to first privately warn the owner of the web service that the vulnerability exists, if only for a very brief period before publishing the story? Regarding owners of iPads, does it "serve them right" only because it was SOAP and easy?

        I'll refrain from comparing this to someone leaving their keys in the car. If it is easy to steal, then it is ethical and not malicious.
        billparks@...
  • iPad Security Breach???

    Since when is a vulnerability at ATT considered an iPad security breach? Their server was providing information to anonymous requesters without requiring identity verification. iPad had nothing to do with it. The iPad was not hacked. This is strictly and ATT security breach. It just affects iPad owners.

    This headline screams of sensationalism...
    DT2
    • RE: AT&T's Apple iPad security breach: Is Goatse the bad guy?

      @DT2 The buck stops with Apple!
      MSFTWorshipper
      • RE: AT&T's Apple iPad security breach: Is Goatse the bad guy?

        @MSFTWorshipper

        And why would that be?
        SpiritusInMachina