AT&T blames hackers for stealing iPad email addresses
But Goatse claims it has exploit that others could use to hijack iPads
By Gregg Keizer | Computerworld US | Published: 11:30, 15 June 2010
The hackers who harvested more than 100,000 Apple iPad 3G owner email addresses blasted AT&T as "dishonest" today, and said the group has an exploit it or others could have used against all iPad owners.
The hacking group Goatse Security obtained the email addresses using an automated PHP script that collected iPad 3G owners' ICC-ID numbers and associated addresses from AT&T's servers using a publicly-available feature of the carrier's Web site. AT&T disabled the feature last week, a day before the Valleywag website first reported the story.
On Sunday, AT&T issued an apology for the hack that exposed thousands of iPad customers' e-mail addresses last week and vowed to work with law enforcement to prosecute those responsible. AT&T said Goatse "maliciously exploited a function designed to make your iPad log-in faster" and claimed the group "went to great efforts" to scrape information from its servers.
"The hackers deliberately went to great efforts with a random program to extract possible ICC-IDs and capture customer e-mail addresses," wrote Dorothy Attwood, AT&T's chief privacy officer, in an email sent to affected customers. "They then put together a list of these emails and distributed it for their own publicity."
The stolen email addresses were passed to Gawker.com. Goatse maintains that it did not directly contact AT&T but waited until the company fixed the problem before giving the email addresses to Gawker and said it has since destroyed the data.
Nonetheless, the US Federal Bureau of Investigation opened a probe last Thursday into whether Goatse Security broke the law.
AT&T said only the ICC-ID and email address were exposed and that other personal account information and email content were not. The hackers did not get access to AT&T data networks, according to the letter.
One member of Goatse took exception to AT&T's words. "AT&T is being dishonest about the potential for harm," said Escher Auernheimer in a post today to the Goatse blog.
Specifically, said Auernheimer, other hackers armed with an iPad exploit could have used owner email addresses in a targeted attack - based on messages posing as ones from AT&T or Apple - to hijack their tablets. "A complete list of iPad 3G customers, which could have been generated from this vulnerability [Goatse uncovered], would have the ideal bit of data for those ... with zero-day Safari exploits," Auernheimer argued.
Such a vulnerability exists, Auernheimer continued, noting that he had posted information and attack code for a Safari bug 23 March. Apple has patched the flaw in the desktop version of Safari, but has yet to close the hole in the stripped-down browser on the iPad, he added.
"We released this in March, mind you, and Apple still hasn't got around to patching this on the iPad!" said Auernheimer.
Last week, Apple patched 48 vulnerabilities in Safari for Mac OS X and Windows - the first update since Auernheimer went public with his integer overflow bug. None of the 48 patched vulnerabilities, however, was credited to Auernheimer or Goatse.
Auernheimer did not reply to email asking him to point out the specific patch that fixed the vulnerability he disclosed in March.
Apple has said it will update the iPad to iOS4 - its next-generation operating system - sometime this fall. Unless it ships a rush patch in the interim, the iOS4 upgrade would be the first opportunity for the company to quash the bug Auernheimer claims is in Safari on the tablet.
Auernheimer also said AT&T downplayed the ease with which someone other than Goatse could have beaten the group to the e-mail vulnerability. In the Sunday message to customers, AT&T said Goatse "deliberately went to great efforts with a random program to extract possible ICC-IDs and capture customer email addresses."
"I'll tell you this, the finder of the AT&T email leak spent just over a single hour of labor total, not counting the time the script ran with no human intervention, to scrape the 114,000 emails," said Auernheimer. "If you see this as 'great efforts,' so be it. [But] at any given moment, whatever efforts us [sic] researchers are making are dwarfed by those in the thrall of evil. So get real."
In his blog post today, Auernheimer again defended Goatse's release of the email addresses to ValleyWag last week. "We did it as a service to our nation. We love America and the idea of the Russians or Chinese being able to subvert American infrastructure is a nightmare," he said. "I will stand by the actions of my team and protect the finder of this bug no matter what the cost."
For its part, AT&T said it would cooperate with any investigation by authorities, including the Federal Bureau of Investigation (FBI), which has opened a probe to determine whether Goatse broke any federal laws. "We will ... prosecute violators to the fullest extent of the law," AT&T said in its e-mail to iPad 3G customers.
Saying that AT&T was out to "crucify" Goatse, Auernheimer suggested the carrier take a different approach.
"You f***ed up, we helped you figure that out and informed the public. You should thank us, but you can keep on s***-talking if you want. We know what we did was right," Auernheimer said.
AT&T will not offer any compensation to those customers affected, according to Mark Siegel, executive director for media relations.
Jeremy Kirk from IDG News Services contributed to this report