How Harmful Was AT&T's iPad Security Hole?

114,000 e-mail addresses--including that of Rahm Emanuel--were compromised

A security breach at AT&T has compromised the e-mail addresses of over 114,000 iPad owners, including members of the media, government and military elite. The security hole was discovered by Goatse Security, a hacker group that finds these types of vulnerabilities and reports them to the software maker. They leaked the information to Gawker's Ryan Tate and the story quickly raised alarm bells across the Web.

The list of compromised e-mail addresses includes New York Mayor Michael Bloomberg, ABC's Diane Sawyer and White House Chief of Staff Rahm Emanuel. In classic Gawker style, Tate's reportage is provocative and highly critical of Apple. Since the story broke, other technology bloggers have downplayed the breach and debated its severity:

  • Not Just an AT&T Problem, writes Ryan Tate at Gawker: "Although the security vulnerability was confined to AT&T servers, Apple bears responsibility for ensuring the privacy of its users, who must provide the company with their email addresses to activate their iPads. This is particularly the case given that U.S. iPad 3G customers have no choice in mobile carriers -- AT&T has an exclusive lock, at least for now. Given the lock-in and the tight coupling of the iPad with AT&T's cellular data network, Apple has a pronounced responsibility to patrol the network vendors it chooses to align and share customer data with."
  • Very Troubling, writes Jason O'Grady at ZDNet: "Even worse is the potential security threat this could expose to members of the military that adopted the iPad. On the list are several devices registered to the domain of DARPA, the advanced research division of the Department of Defense, including William Eldredge, who 'commands the largest operational B-1 [strategic bomber] group in the U.S. Air Force.'"
  • In Layman's Terms, How Was the Security Hole Exposed? Dan Nosowitz at Fast Company helpfully explains: "Goatse figured out a way to have AT&T provide email addresses for subscribers, using what's called an ICC-ID. The ICC-ID identifies a SIM card, thus linking a customer with a device. Each AT&T customer has an individual ICC-ID. Without going into too much hackery language, AT&T has a script on its website that will return an email address if the ICC-ID is provided. Goatse managed to trick it into revealing subscriber email addresses by guessing a huge swath of ICC-IDs based on a few real ones--they all have similar patterns--and feeding them into the script."
  • Bad--Not Devastating, writes John Paczkowski at All Things Digital: "Obviously, this is an ugly humiliation for AT&T. But as a security breach, it's not devastating. The only data compromised were email addresses and ICC IDs. The former could be sold to spammers, and I'm not sure there's much ill to be done with the latter. Which is not to downplay the severity of the incident. AT&T's negligence here is deeply troubling--and worth remembering every time we entrust our personal data to someone else."
  • This Is Overblown, writes Philip Elmer-DeWitt at Fortune: "Tate describes the breach as Apple's 'worst,' although losing e-mail addresses is hardly on the same scale as losing credit card or social security numbers, and it's not at all clear that the breach was Apple's in the first place."
This article is from the archive of our partner The Wire.