“Apple has suffered another embarrassment. A security breach has exposed iPad owners including dozens of CEOs, military officials, and top politicians. They—and every other buyer of the wireless-enabled tablet—could be vulnerable to spam marketing and malicious hacking,” Ryan Tate reports for Gawker.
MacDailyNews Take: Gawker owns Gizmodo, which may or may not explain why Tate tries to claim that Apple has suffered an embarrassment when it was AT&T’s security that was breached.
Tate continues, “The breach, which comes just weeks after an Apple employee lost an iPhone prototype in a bar, exposed the most exclusive email list on the planet, a collection of early-adopter iPad 3G subscribers that includes thousands of A-listers in finance, politics and media, from New York Times Co. CEO Janet Robinson to Diane Sawyer of ABC News to film mogul Harvey Weinstein to Mayor Michael Bloomberg. It even appears that White House Chief of Staff Rahm Emanuel’s information was compromised.”
MacDailyNews Take: Again, Gawker owns Gizmodo, which may or may not explain why Tate maladroitly drops in the non-sequitur about how an “Apple employee lost an iPhone prototype in a bar.” It may also explain his use of the word “lost” as opposed to “stolen and fenced.”
Tate continues, “It doesn’t stop there. According to the data we were given by the web security group that exploited vulnerabilities on the AT&T network, we believe 114,000 user accounts have been compromised, although it’s possible that confidential information about every iPad 3G owner in the U.S. has been exposed.”
“Goatse Security obtained its data through a script on AT&T’s website, accessible to anyone on the internet,” Tate reports. “When provided with an ICC-ID as part of an HTTP request, the script would return the associated email address, in what was apparently intended to be an AJAX-style response within a Web application.”
Tate reports, “Exacerbating the situation is that AT&T has not yet notified customers of the breach, judging from the subscribers we and the security group contacted, despite being itself notified at least two days ago. It’s unclear if AT&T has notified Apple of the breach… Mobile security consultant and Nokia veteran Emmanuel Gadaix told us that while there have been ‘vulnerabilities in GSM crypto discovered over the years, none of them involve the ICC ID… as far as I know, there are no vulnerability or exploit methods involving the ICC ID.’ Another expert, white hat GSM hacker and University of Virginia computer science PhD Karsten Nohl, told us that while text-message and voice security in mobile phones is weak, ‘data connections are typically well encrypted… the disclosure of the ICC-ID has no direct security consequences.’”
MacDailyNews Take: Yet another screw-up by AT&T used by Gawker to smear Apple. Wholly unsurprising.
[Thanks to MacDailyNews Readers “Fred Mertz” and “Steve” for the heads up.]