The Little Feature That Led to AT&T's iPad Security Breach

The second question about the AT&T iPad security breach, after "Should I be freaking out?" is "How the hell did it happen?" Well, AT&T was just trying to make your life easier.

You probably know the basics at this point. Goatse Security, clever rascals that they are, wrote a script that harvested iPad 3G owners' ICC-IDs and email addresses by exploiting a security hole in an AT&T website. (An ICC-ID, again, is an integrated circuit card identifier and it's used to identify the SIM cards that associate a mobile device with a particular subscriber.)

I asked AT&T's chief security officer Ed Amoroso how Goatse were able to snag that info from at least 114,000 subscribers. Turns out, it's from a tiny convenience feature you probably never noticed. When you sign up for 3G service on iPad, AT&T looks at the SIM serial number, which Amoroso says "is not a secret, like the serial number on the dishwasher," and asks for an email address you'd like to be contacted at. When you access the AT&T website to check your data account from your iPad (Settings -> Cellular Data -> View Account), it pre-populates your email address using the ICC-ID, so you don't have to type the email address every single time, but just your password.

That's the feature Goatse exploited, using a script that Amoroso describes as a "brute force attack," trying ICC-IDs as part of an HTTP request until they gave up an email address. And it's why the damage really does appear to be limited to iPads' ICC-IDs and the email addresses associated with them. How many accounts were exposed, precisely, is still an open question, since AT&T is "doing the forensics as we speak" and until they're completed, there's "no way of validating the number of addresses," says Amoroso. Because Goatse didn't follow a "responsible disclosure process," says Amoroso, AT&T's had to do their own detective work. AT&T will be contacting each and every customer affected, and "shed some more light" on the issue once they're done with the investigation.
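To make the failure mode concrete, here is an added example (not AT&T's code and not the script described above) that contrasts a pre-fill lookup which answers for any ICC-ID with one that only answers an already-authenticated session, and then runs a simple enumeration detector over a few constructed access-log lines. The endpoint path `/account/prefill`, the subscriber table and the log lines are all made up for illustration; the threshold values are assumptions.

```python
import re
from collections import defaultdict

# Constructed directory of ICC-ID -> email (made-up values, not real accounts).
SUBSCRIBERS = {
    "89014104211111111111": "alice@example.com",
    "89014104211111111112": "bob@example.com",
    "89014104211111111113": "carol@example.com",
}


def prefill_email_vulnerable(iccid):
    """The convenience feature as the article describes it: the ICC-ID alone,
    which is not a secret, is enough to get the associated email back."""
    return SUBSCRIBERS.get(iccid)


def prefill_email_hardened(iccid, session_user_iccid):
    """Return the email only to a session already authenticated as the
    subscriber who owns that ICC-ID. An unauthenticated or mismatched request
    learns nothing (None), so one account can never be used to read another."""
    if session_user_iccid is None or session_user_iccid != iccid:
        return None
    return SUBSCRIBERS.get(iccid)


# Constructed access-log lines (not AT&T's logs): epoch seconds, client IP,
# request line, status. The hypothetical /account/prefill endpoint takes the
# ICC-ID as a query parameter.
SAMPLE_LOG = """\
1276000000 10.0.0.9 GET /account/prefill?iccid=89014104211111111111 200
1276000002 10.0.0.5 GET /account/prefill?iccid=89014104211111111111 200
1276000003 10.0.0.5 GET /account/prefill?iccid=89014104211111111112 200
1276000003 10.0.0.5 GET /account/prefill?iccid=89014104211111111113 200
1276000004 10.0.0.5 GET /account/prefill?iccid=89014104211111111114 404
1276000004 10.0.0.5 GET /account/prefill?iccid=89014104211111111115 404
1276000030 10.0.0.9 GET /account/prefill?iccid=89014104211111111111 200
"""

LOG_RE = re.compile(
    r"^(\d+) (\S+) GET /account/prefill\?iccid=(\d{19,20}) (\d{3})$"
)


def parse_log(text):
    """Parse the constructed log format into (timestamp, ip, iccid, status)."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts, ip, iccid, status = m.groups()
            events.append((int(ts), ip, iccid, int(status)))
    return events


def find_enumerators(events, window_seconds=60, max_distinct=3):
    """Flag clients that ask about more than max_distinct different ICC-IDs
    inside a sliding window. A real iPad only ever asks about its own SIM, so
    distinct-ID fan-out per client is the signal; misses (404) count too."""
    by_ip = defaultdict(list)
    for ts, ip, iccid, _status in events:
        by_ip[ip].append((ts, iccid))
    flagged = {}
    for ip, hits in by_ip.items():
        hits.sort()
        for i, (start_ts, _) in enumerate(hits):
            distinct = {icc for ts, icc in hits[i:] if ts - start_ts <= window_seconds}
            if len(distinct) > max_distinct:
                flagged[ip] = len(distinct)
                break
    return flagged


if __name__ == "__main__":
    print(find_enumerators(parse_log(SAMPLE_LOG)))  # {'10.0.0.5': 5}
```

The hardened lookup is the real fix: tying the email to an authenticated session removes the cross-account disclosure entirely, which is effectively what turning the feature off achieved. The detector is the complementary control for any endpoint that still has to answer unauthenticated requests keyed by a guessable identifier.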

AT&T has already turned off the feature. If you go to your iPad's 3G account settings, you'll notice your email is no longer already completed, so you have to type the whole thing out. I hope you don't have a terribly long email address.

What about the future, though? Could it happen again? Well, Amoroso says "as we innovate on the provisioning process, reinventing the way we provision service, there will be growing problems," and "you can probably think of a lot of features because the community went through some sort of security issue that required some hardening." So: maybe. It's the classic tradeoff between convenience and privacy.

The entire episode is a bit ironic in the context of a talk AT&T CEO Randall Stephenson gave at an IBM conference yesterday that was focused heavily on privacy and security: "If you lose the customers' confidence once on a privacy...it would be a hard issue to recover from." I guess we'll see.