Could AT&T's iPad Email Leak Really Be A Much, Much More Serious Security Breach?

from the doesn't-sound-good dept

Last week, we wrote about the security glitch by AT&T that allowed hackers to figure out the email addresses of 114,000 iPad users. A few people in the comments mocked this news, claiming that such info was pretty much meaningless, as email addresses are hardly private info these days. Of course, that ignored the connection of the email address to the fact that you bought an iPad. But now, some are realizing that the potential security problems from this may be significantly worse. Slashdot points us to a story where someone walks through how poor security choices by the various mobile operators mean that knowing the information revealed by the glitch can actually reveal much, much more. As the blog post walks through the details, it concludes that the data from the breach could potentially, in some cases (though not all), be used to figure out a lot more:
So yeah, knowing someone's ICCID can give you their full unpublished billing name, their cellular phone number (and hence their home address), their current location on a realtime basis, their voicemail, and if you're prepared to follow them around (within a few miles) then you get all their phone calls and SMS messages too.
There is a later edit, when he realizes that the voicemail/phone calls/SMS stuff might not be that big of a deal, since the iPad is not a phone device, but it still illustrates how a "simple" data breach can lead to much more in certain circumstances.


Filed Under: breach, ipad, security
Companies: apple, at&t


Reader Comments



  • Anonymous Coward, 15 Jun 2010 @ 8:42pm

    It's the CYBERWAR!!!!


  • Jay (profile), 15 Jun 2010 @ 8:57pm

    Holy crap... Can we put AT&T up for war crimes?


    • Anonymous Coward, 15 Jun 2010 @ 9:38pm

      Re:

      I wonder if they should be prosecuted in civilian court or military court? Maybe Obama can create a new Military Cyberwar court czar.


  • Anonymous Coward, 15 Jun 2010 @ 9:13pm

    Yawn.


  • Anonymous Coward, 15 Jun 2010 @ 9:28pm

    IIRC, many of the correlations ultimately pointed to persons in positions where one would ordinarily expect security would be a significant concern (e.g., members of the military).

    Perhaps it already exists, or perhaps many of the needed "pieces" are already in place waiting for someone or some group to recognize a potential integration of these "pieces" (perhaps in conjunction with new "pieces") into a system or method that mitigates data mining.

    It is from situations such as this that "inventions" spring forth, some of which, of course, are more effective than others. And, it is in situations such as this that persons consider whether or not circumstances dictate that the filing of a patent application(s) may be prudent.

    This is not meant to be a "see, patents are important" comment, but merely to note that not everything is necessarily obvious to those of ordinary skill in the relevant art.


  • Chris in Utah (profile), 15 Jun 2010 @ 9:42pm

    Do your own homework.

    I needn't ask you to do your own homework on this, but this has gone on for years. Techdirt may have been "alert" but certainly not awake to the wider picture.

    Please open thy eyes to the world around you!

    Telecoms fund and supply info to big brother too.

    Rage against the machine.


    • Anonymous Coward, 15 Jun 2010 @ 10:06pm

      Re: Do your own homework.

      So, are you responsible for putting up "Infowars.com" bumper stickers on rest stops across America?

      If so, Good job. I'm really looking forward to the Chris Matthews interview with Alex Jones tomorrow night.


  • Anonymous Coward, 15 Jun 2010 @ 9:58pm

    I doubt it. But "ICCID" is a very technical term. Most companies refer to them as SIM IDs.

    I have some theories, but frankly, I have no desire to seek out or analyze the list unless someone legitimately provides it along with a check for $20,000 and an NDA that states they would hold me harmless, protect, indemnify and defend my analysis.

    Until then, well, I guess the FBI will do their job. After all, us tax payers depend on AT&T's security.


  • Anonymous Coward, 15 Jun 2010 @ 10:02pm

    "but it's still instructive of how a "simple" data breach can lead to much more in certain circumstances." - or not. it could be instructive as to how often people over reach looking for a scary hacker / data theft story.


    • Anonymous Coward, 15 Jun 2010 @ 10:25pm

      Re:

      Yeah, the media has a way to sensationalize things they don't understand.

      I find this especially true if they favor Microsoft. Anything to scare people away from a good platform, they jump on.


    • Anonymous Coward, 15 Jun 2010 @ 10:48pm

      Re:

      Just like how an AOL search log being leaked couldn't possibly reveal a person, right? Just ask Thelma Arnold. Oops.

      ANY leak of major personal information can be narrowed down to a specific person, and linked to numerous other databases of information.

      You'd be surprised how easy it is to identify you with a little bit of data, and just how much can be gained from that.


  • Skeptical Cynic (profile), 15 Jun 2010 @ 10:43pm

    Wow people are really missing the risk

    Ok, so the fact that they have your email address is not a big deal. But having 2 pieces of info can make a phishing attack much more successful.

    So let's say the average phishing attack with 1 piece of info has just a .1% success rate. (Making this up, so not citing any studies.) In this case that would mean 114 people fell for it and gave up enough info to clean them out. Well, with 2 pieces of info let's say they can now get to a whopping 2% success rate. That means 2280 fell for it. And then let's say each victim lost $500 in each case. 57,000 versus $1,140,00.

    This can be illustrated by looking at spam. Why do you think you get so much spam? Because (last stat I saw) .001% of people buy the product in the spam. Well, if you send out 500 million and your product offers $10 of profit on each sale, you make $50k, not bad since it only cost $200 to send all that. Same with phishing attacks. All you want to do is increase your response rate. More info, more success.

    And for those that are slow the two pieces of info are your email address and that you own an iPad 3G with cell data service.


    • Skeptical Cynic (profile), 15 Jun 2010 @ 10:56pm

      Re: Wow people are really missing the risk

      Oh yeah, forgot to say that I have gotten 6 phishing emails that are very specific in the info related to this, just this week, to an email address that gets just 20 spam a week.


  • Anonymous Coward, 16 Jun 2010 @ 2:20am

    But at this time, it's really not worth it because AT&T is an interesting company that likes to find someone else to blame. AT&T isn't AT&T. They are still operating from the SBC playbook.

    * When SBC/BLS bought AT&T they blamed AT&T and said that they paid too much for AT&T.

    * When SBC/BLS was screwing all their non-bargained employees for healthcare, they immediately blamed Obama's Healthcare plan for a $1,000,000,000 healthcare charge.

    * When SBC/BLS didn't have a scalable network to support data users, they blamed their customers and put in place "a data cap you can't refuse."

    * When SBC/BLS was offered constructive criticism by a customer, they told a customer about a thing called a cease and desist.

    They may be "AT&T" in name, but it isn't the AT&T that survived 200 years and was a leader in practice. Skimping on security and QA is unacceptable and would be looked down upon by anyone who is familiar with The Bell System.

    AT&T owns this. It's sickening that the Government has to get involved to help manage their security.


  • Anonymous Coward, 16 Jun 2010 @ 6:28am

    It is unsurprising to see an article like this about AT&T but not Google during the breach of its network.


  • Anonymous Coward, 16 Jun 2010 @ 11:50am

    As to phone calls and SMS...

    You said that the original poster noted that the iPad isn't a voice device and so one probably could not sniff phone calls. I have 2 things to add to this:

    1. Sniffing email is probably just as bad. Many people specifically email things when they are in public places that they would not want to say aloud, so this might be even worse than sniffing phone calls. GPRS/EDGE has been cracked for as long as GSM, and UMTS probably won't be secure for more than another year.

    2. If they have access to all this other data, especially the location data, couldn't they just find the user's cell phone (probably also on AT&T) that's within 10 feet of the iPad, then confirm with the account data on the phone? In a way, this is worse than cracking their phone - cracking the iPad gives them access to both, with a little more effort.

    Just some thoughts. I have a friend on AT&T who just ordered an iPad and she's VERY privacy-conscious. She's already kinda pissed about Apple eliminating the 1 button they used to have on the mouse and MobileMe being down half the time. It should be a lot of fun when I call her and tell her I know where she is...maybe enough to finally move her to Linux :)


  • Anonymous Coward, 17 Jun 2010 @ 12:34am

    It's bad for the future!


  • kevinmitnick (profile), 18 Jun 2010 @ 8:42pm

    hire a hacker


  • penny, 24 Jun 2010 @ 6:20pm

    iPad is so overrated

    mine broke after 3 weeks


    penny@dorne.info

