Wednesday, June 9, 2010

The Real Threat of the AT&T iPad 3G Leakage

Via (Bits Blog) -

A hacking group has obtained the e-mail addresses of 114,000 owners of 3G iPads by exploiting a security hole on AT&T’s Web site, according to a report by Gawker.

The group also obtained the identification number that those iPads use when they communicate over AT&T’s network, known as an ICC-ID. It is not clear what that information could be used for.

According to Gawker, which was given a copy of the list of e-mail addresses, it includes military personnel, staff members in the Senate and the House of Representatives, and people at the Justice Department, NASA and the Department of Homeland Security. Private-sector addresses that were exposed include those of executives at the New York Times Company, Dow Jones, Condé Nast, Viacom, Time Warner, the News Corporation, HBO and Hearst, along with bankers and venture capitalists.

The hacking group, Goatse Security, found that a program on AT&T’s Web site, when given an iPad’s ID number, would return the owner’s e-mail address. It used a script that could guess IDs and collect the associated e-mail addresses. The group eventually notified AT&T of the breach, and the security hole was closed.


Based on the not-so-detailed description of the hack, I would say that the massive leakage is a combination of two web application security issues:
  1. Information Leakage: the customer's e-mail address is exposed by the web application on AT&T's website when it is sent a valid ICC-ID as part of an HTTP request. Why would the e-mail need to be sent back to an iPad? Who knows.
  2. Insufficient Anti-Automation: once the leakage was discovered, Goatse Security created a custom PHP script which was used to "semi-smartly" brute force the AT&T page in an attempt to find valid ICC-IDs and thus harvest their associated e-mail addresses, leading to the discovery of 114,000 ICC-IDs and e-mails.
So the attacker has a whole heap of valid e-mail addresses. You might ask - What is the big deal?
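To make the two issues concrete, here is an added example in Python (not code from the original post, from Gawker, or from AT&T). It models the ICC-ID-to-e-mail lookup as a plain function: the leaky version hands back the owner's e-mail to anyone who supplies a valid ICC-ID, while the hardened version requires an authenticated session already bound to that ICC-ID, applies a per-client rate limit so the ID space cannot be walked, and answers every failure identically so the response is not an oracle for which IDs exist. A small detector then runs over constructed access-log lines and flags a client that queries many distinct ICC-IDs. The subscriber table, ICC-IDs, e-mail addresses, session shape and log format are all constructed for the example.

```python
"""Added example (not from the original post or AT&T): a toy model of the
ICC-ID -> e-mail lookup showing the leak and missing anti-automation beside
a hardened version plus a log-based detector. All data here is constructed."""
from collections import defaultdict, deque
import time

# Constructed subscriber table keyed by ICC-ID (values are made up).
SUBSCRIBERS = {
    "89014000000000000001": "alice@example.com",
    "89014000000000000002": "bob@example.org",
    "89014000000000000003": "carol@example.net",
}


def lookup_email_vulnerable(icc_id):
    """Issue 1, information leakage: any caller who supplies a valid ICC-ID
    gets the owner's e-mail back with no proof that they own the device."""
    return SUBSCRIBERS.get(icc_id)


class RateLimiter:
    """Issue 2, anti-automation: cap the lookups one client may make inside a
    sliding window. The clock is injectable so the limiter can be tested."""

    def __init__(self, max_requests, window_seconds, clock=time.monotonic):
        self.max_requests = max_requests
        self.window = window_seconds
        self.clock = clock
        self.history = defaultdict(deque)  # client_id -> request timestamps

    def allow(self, client_id):
        now = self.clock()
        q = self.history[client_id]
        while q and now - q[0] > self.window:  # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True


def lookup_email_hardened(session, icc_id, limiter):
    """Hardened lookup. `session` is a constructed dict with the keys
    client_id, authenticated and icc_id (the ICC-ID the login is bound to).
    Every failure returns None, so the reply does not reveal whether the
    ICC-ID exists and cannot be used as an enumeration oracle."""
    client_id = session.get("client_id", "anonymous")
    if not limiter.allow(client_id):      # counted before auth: floods from
        return None                       # unauthenticated clients still cost
    if not session.get("authenticated"):
        return None
    if session.get("icc_id") != icc_id:   # only your own device's record
        return None
    return SUBSCRIBERS.get(icc_id)


# Constructed log lines: "<time> <client> GET /lookup?icc_id=<value> <status>".
SAMPLE_LOG = [
    "10:00:01 198.51.100.5 GET /lookup?icc_id=89014000000000000001 200",
    "10:00:09 198.51.100.5 GET /lookup?icc_id=89014000000000000001 200",
    "10:00:02 203.0.113.7 GET /lookup?icc_id=89014000000000000001 200",
    "10:00:02 203.0.113.7 GET /lookup?icc_id=89014000000000000002 200",
    "10:00:03 203.0.113.7 GET /lookup?icc_id=89014000000000000003 200",
    "10:00:03 203.0.113.7 GET /lookup?icc_id=89014000000000000004 404",
    "10:00:04 203.0.113.7 GET /lookup?icc_id=89014000000000000005 404",
]


def flag_enumeration(log_lines, threshold):
    """Detection: a client asking about `threshold` or more distinct ICC-IDs
    looks like a harvesting script rather than an owner checking one device.
    Returns the flagged client addresses, sorted."""
    seen = defaultdict(set)
    for line in log_lines:
        _ts, client, _method, target, _status = line.split()
        icc_id = target.split("icc_id=", 1)[1]
        seen[client].add(icc_id)
    return sorted(c for c, ids in seen.items() if len(ids) >= threshold)


if __name__ == "__main__":
    lim = RateLimiter(max_requests=5, window_seconds=60)
    owner = {"client_id": "198.51.100.5", "authenticated": True,
             "icc_id": "89014000000000000001"}
    print("leaky:", lookup_email_vulnerable("89014000000000000001"))
    print("hardened, owner:", lookup_email_hardened(owner, "89014000000000000001", lim))
    print("hardened, other device:", lookup_email_hardened(owner, "89014000000000000002", lim))
    print("flagged clients:", flag_enumeration(SAMPLE_LOG, threshold=3))
```

The hardened function checks the rate limit before authentication on purpose, so that requests without a session still count against the client; in a real deployment the same count would also feed the detector, and the rate limit would key on more than a source address, since a harvesting script can be spread across many hosts.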

If you believe Gizmodo, the only real threat is increased levels of spam - which is very likely. But corporations and government are pretty good at dealing with your everyday basic spam...that isn't really a threat...just more of an annoyance.

In my view, the real corporate-level threat of this exposure is spear phishing. An attacker now knows the exact corporate/work e-mail of a high-level executive (or government employee) and knows they own an iPad 3G.

At this point, a smart attacker would formulate a very convincing spear phish. Perhaps a spear phish that looks like a survey for those exclusive iPad 3G owners. This could lead to an exploit, which leads to malware...which leads to a foothold in their corporate / government network.
