A French group of security researchers, has obtained the emails of 114,000 iPad users who signed up for AT&T's 3G wireless service, including their associated ICC-IDs, relying on a flaw in the company's site which allowed them to automate the process.
Does this leak pose any security, privacy, or perhaps even national security risks due to the leaked U.S Department of Defense, U.S Army and DARPA emails? Update: FBI launches probe over AT&T's iPad breach
UPDATED: Tuesday, June 15, 2010: Due to the anticipated "What If" scenarios, and many direct questions that I'm receiving, the following update including comments from Goatse Security and Gawker, aims to clarify the situation.
"I'm somewhat of an authority on GSM security, having given presentations on it at Shmoocon (M4V) and CCC (I'm also scheduled to talk about GSM at this year's Defcon). This is my take on the iPad ICCID disclosure — the short version is that (thanks to a bad decision by the US cell companies, not just AT&T) ICCIDs can be trivially converted to IMSIs, and the disclosure of IMSIs leads to some very severe consequences, such as name and phone number disclosure, global tower-level tracking, and making live interception a whole lot easier. My recommendation? AT&T has 114,000 SIM cards to replace and some nasty architectural problems to fix."
- According to the statement issued by the group, they have not just erased the emails+ICCIDs, but haven't shared them with anyone else but Gawker. Moreover, given the fact that there's no known public copy of the emails+ICCDs (as of June 15th, 2010), for researchers to experiment with, you can always request a new SIM card from AT&T, if you're uncomfortable with the incident that took place.
Asked to comment on the case, both, Goatse Security (Escher Auernheimer) and Gawker (Remy Stern) had the following to say.
Q: Once the harvested emails were obtained, were they shared with anyone else, but Gawker's reporter, or posted online in any form?
Goatse Security: No, they were only shared with Gawker who agreed to responsibly redact them to not reveal any personally identifying information. We did not post them online nor publish them as many have alleged. We destroyed the data after we gave it to Gawker, to prevent loss and security risks.
Q: Are you aware of whether Gawker's reporter did the same, namely erase the content, and not share the data with anyone else?
Goatse Security: I do not know if Ryan Tate destroyed his copy of the data. I believe he has been ordered by the FBI to retain it, so any potential breach of the data's security there would be the responsibility of the federal government.
Q: Did you share a copy of the PHP script with anyone? And if yes, was a copy of the script shared BEFORE the flaw was fixed, or AFTER it was fixed making the script virtually useless?
Goatse Security: A version of the script was potentially stored in an insecure fashion when the original author first made it. At this point in time we were lacking an additional bit of data that did not allow us to understand the full ramifications of the vulnerability. We have no evidence that it was retrieved or used by anyone else and made a best effort to lock it down and publicly disclose the vulnerability as soon as we had an understanding of the scale of AT&T's data exposure. As everyone at GS had other priorities when the script was first written it was not until later until it was tested and made a high priority on our groupware. Unfortunately for the consumer, our commercial priorities have to take precedence over our charitable public interest ones.
Q: Since Goatse claims to have erased the data, and have never shared it with anyone else but with Gawker, did you do the same, namely, not share it with anyone else, and delete it?
Gawker: No, we did not share the data with anyone else nor do we have any plans to do so. The printed copy of the data, which was depicted in our original story, was shredded immediately after the photograph was taken.
We do continue to possess a digital copy of the file. Per the preservation notice we received from last week from federal authorities, we have retained all our files related to the story, as was requested of us.
The security risks posed by this email leak, are pretty similar to the security risks from related compromises, with the potential malicious attackers now sitting on hundreds of thousands of email accounts. Here are two of the most common abuse scenarios that could take place:
- Targeted malware/phishing attacks impersonating Apple Inc. - Spear phishing attacks are emails specifically crafted for a particular targeted group, attempting to capitalize on a particular event. In this case, potential attackers could easily execute such an attack impersonating Apple's response to the situation/mitigation practices, knowing that the owners of these emails are now particularly susceptible to interacting with such emails.
- Targeted malware/phishing attacks impersonating AT&T - This scenario is identical to first one, however, this time it's AT&T's response/mitigation practices that could be used as social engineering lure. And although I don't really think there's going to be a significant outbreak of such campaigns, due to the fact that the rest of their campaigns are producing the results they desire, the possibility for abuse remains.
The following is brief FAQ summarizing the most important aspects of AT&T's iLeak incident:
- How did Goatse Security manage to obtain the emails and associated ICC-IDs? - The group (listen to a podcast with one of the researchers) appears to have automated the brute forcing process using a script with which they fed the AT&T's site with spoofed user-agents (iPad) and random ICC-IDs numbers, in between recording all the valid emails that were returned for a correct ICC-ID. The last time, a similar attempt abusing weak security practices was seen in the wild, resulted in thousands of leaked confidential/nude photos of the photo sharing iPhone app Quip.
- What are the privacy ramifications of the leak, if any? - Despite the leaked emails of top executives at the New York Times Company, Dow Jones, Condé Nast, Viacom, Time Warner, News Corporation, HBO, Goldman Sachs, JP Morgan, Citigroup, Morgan Stanley etc. the only case where the incident would pose a privacy risk to these executives, is when these email accounts weren't published on the Web in the first place. Moreover, despite claims that average users can obtain the physical location of an iPad's user through the leaked ICC-ID, that's not really the case. The physical location is already known to the mobile carrier using plain simple triangulation and related techniques used by law enforcement agencies, with or without the possession of the ICC-ID.
- Does the leak pose any national security risks due to the sensitive nature of the emails involved? - Depends on the perspective and degree of paranoia, although the U.S Intelligence Community is definitely not happy with the fact that a particular U.S Department of Defense, U.S Army or DARPA email can now be associated with a ICC-ID that leaked on the Web. Meanwhile, the NYTimes has already responded by asking iPad users to turn off access to the 3G network - "As our security team and network engineers investigate the full extent of the breach via Apple and AT&T, we suggest that you turn off your access to the 3G network on your iPad until further notice."
- Did AT&T issue a response to the incident? - The following is the company's official response to the situation: AT&T was informed by a business customer on Monday of the potential exposure of their iPad ICC IDs [used to authenticate the subscriber on AT&T's network]. The only information that can be derived from the ICC IDs is the e-mail address attached to that device. This issue was escalated to the highest levels of the company and was corrected by Tuesday; and we have essentially turned off the feature that provided the e-mail addresses. The person or group who discovered this gap did not contact AT&T. We are continuing to investigate and will inform all customers whose e-mail addresses and ICC IDs may have been obtained. At this point, there is no evidence that any other customer information was shared. We take customer privacy very seriously and while we have fixed this problem, we apologize to our customers who were impacted.
Although the iLeak is an embarrassing moment for both, AT&T and Apple, the incident only adds a small additional risk to the ones users are currently facing, such as malware, phishing, blackhat SEO, and client-side exploitation through unpatched 3rd party applications.
What it proves through, is what independent data breach reports have been saying for years - in the majority of cases a third-party business partner was usually responsible for the breach.
Are you affected by this incident, and somehow concerned about your privacy. What's your main concern? Do you believe that the leak of unpublished emails belonging to company executives, would somehow affect them? How about the ones belonging to the DOD, DOJ and DARPA? Who's to blame for this incident, Apple for trusting AT&T's ability to securely operate with the data, or AT&T for allowing this to happen?