iPad Security Breach

Posted on | June 15, 2010 | No Comments

AT&T has confirmed that a security breach related to Apple’s iPad device has compromised names and email addresses of over 100,000 early adopters and beta testers of the new device.  It appears that the iPad security breach is limited to users who signed up and received the optional 3G coverage from AT&T.  iPad users who have the “wifi only” model are not affected.

The “hackers” (and I use that term loosely) in this case essentially found that AT&T’s website would automatically populate an email address if a serial number from a SIM card (called the ICC-ID if you want to be technical) was used in the URL.  By quickly generating “fake” SIM card numbers, the hackers were eventually able to get the email addresses associated with the devices that were sent out.

Based on the email addresses obtained, it’s safe to say that a large number of iPad 3G early adopters are big movers and shakers in their respective industries.  Email addresses from .gov and .mil domains were widespread, as well as numerous CEOs and board members of Fortune 500 companies.

The hackers behind the exposure of this security breach claim that if they had not used this exploit and then alerted the media about it, other hacker groups could have exploited this security hole with much more far-reaching effects.  I applaud their responsible efforts to notify the companies responsible for the security hole – the data obtained or the means in which it was obtained could fetch a pretty penny on the black market, and AT&T is certainly not going to pay them for this bad press.

While email addresses were the only thing exposed here, that information can be combined with other personally identifiable information (PII) to create targeted attacks on users.  As privacy concerns grow each time a company surrenders private data, the question should not be, “how do we keep this data safe?” but rather, “how do we make this data less valuable?”

Comments

Recent Posts

• Uses of Computer Forensics
• Cellebrite UFED and Cell Phone Forensics
• Google-Motorola acquisition
• Updated the glossary
• Full-Disk Encryption comes to Android
• Information Security – Protecting your business online
• DEFT Linux 6 coming soon
• Digital Copiers as a Forensic Utility
• Cybersecurity Paper from Harvard National Security Journal
• SANS Blog Survey Results

Tags

Android antivirus attorney client privilege Autopsy celebrity Computer Forensics computer security Cyber Crime data recovery DEFT digital evidence disk image drive-by download encryption expectation of privacy facebook firefox Google Guymager hard drive failure law enforcement lawsuit linux Live CD malware mcafee MFT Nessus noscript online banking Ophcrack Password security phishing SANS scam SIM card Sleuthkit social media social networking svchost.exe tax return twitter Webmail workplace yahoo mail

Categories

• Android
• Cell Phone Forensics
• Computer Forensics
• computer security
• Encryption
• Evidence Analysis
• GPS
• Internet Privacy
• iPhone

Archives

• November 2011
• September 2011
• August 2011
• March 2011
• February 2011
• January 2011
• November 2010
• October 2010
• August 2010
• July 2010
• June 2010
• May 2010
• April 2010
• March 2010

Blogroll

• Ediscovery Trends
• SANS Computer Forensics Blog