Sloppy AT&T software led to theft of iPad email addresses

'No hack, no infiltration, no breach,' just very poorly designed software enabled hackers' 'brute force attack' on the iPad 3G, say security experts

The harvesting of over 100,000 iPad 3G owners' email addresses was not a hack or a classic data breach, but a brute force attack of a minor feature AT&T offered to Apple customers, experts said Wednesday.

According to New York-based Praetorian Security Group, which obtained a copy of the PHP script used to scrape email addresses from AT&T's servers, the attack succeeded because the mobile carrier used poorly designed software.

[ Master your security with InfoWorld's interactive Security iGuide. | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. ]

A nine-person hacking group known as Goatse Security claimed responsibility for the script, which amassed 114,000 email addresses.

"There's no hack, no infiltration, and no breach, just a really poorly designed Web application that returns email address when ICC-ID is passed to it," Praetorian said in a late Wednesday entry on its security blog.

An ICC-ID (Integrated Circuit Card Identifier) is the unique number assigned to each SIM card. A mobile device's SIM stores information that identifies the specific wireless customer to his or her carrier. The iPad 3G contains a SIM card.

AT&T confirmed the nature of the attack to technology blog Gizmodo. Gawker, Gizmodo's parent Web site, first reported the email harvesting Wednesday.

The script Praetorian made public was a "brute force attack," according to AT&T's chief security officer Ed Amoroso, who spoke with Gizmodo.

When iPad 3G owners sign up for wireless data service with AT&T, the carrier detects the SIM's 19-digit ICC-ID -- essentially a serial number -- then asks for an contact email address. AT&T uses the email address to populate one of two log-in fields in the iPad's settings screen so that the user has to enter only a password to check his or her account status.

That same email address was what the script harvested. email addresses apparently belonging to New York Mayor Michael Bloomberg, and top executives at Dow Jones, the New York Times Company, and Time Warner, were among those collected.

AT&T has turned off access to the feature Tuesday, and apologized to customers in a statement it issued Wednesday. It also said that only email addresses linked to each ICC-ID, not financial information or other personal data, has been snatched from its servers.

AT&T did not respond to a request for further comment late Wednesday.

The disclosure of iPad owners ' email addresses was the second embarrassing story linked to Apple published by Gawker Media since April.

Two months ago, Gizmodo published photographs and an analysis of an iPhone prototype that it had bought from a California man who found it in a bar. Gizmodo was later denied a press pass to Apple CEO Steve Jobs' keynote at the Worldwide Developers Conference (WWDC), where he introduced the already familiar-looking iPhone 4 on June 7.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed. His email address is

Read more about security in Computerworld's Security Topic Center.

This story, "Sloppy AT&T software led to theft of iPad email addresses" was originally published by Computerworld.

Copyright © 2010 IDG Communications, Inc.