AT&T Lied about iPad Attack Threat, Hackers Say
The hackers who harvested more than 100,000 Apple iPad 3G owner e-mail addresses blasted AT&T as "dishonest" today, and said the group has an exploit it or others could have used against all iPad owners.
The hacking group Goatse Security obtained the e-mail addresses using an automated PHP script that collected iPad 3G owners' ICC-ID numbers and associated addresses from AT&T's servers using a publicly-available feature of the carrier's Web site. AT&T disabled the feature last week, a day before the Valleywag Web site first reported the story.
On Sunday, AT&T used e-mail to apologize to customers for the hack, said Goatse "maliciously exploited a function designed to make your iPad log-in faster" and claimed the group "went to great efforts" to scrape information from its servers.
One member of Goatse took exception to AT&T's words.
"AT&T is being dishonest about the potential for harm," said Escher Auernheimer in a post today to the Goatse blog.
Specifically, said Auernheimer, other hackers armed with an iPad exploit could have used owner e-mail addresses in a targeted attack -- based on messages posing as ones from AT&T or Apple -- to hijack their tablets. "A complete list of iPad 3G customers, which could have been generated from this vulnerability [Goatse uncovered], would have the ideal bit of data for those ... with zero-day Safari exploits," Auernheimer argued.
Such a vulnerability exists, Auernheimer continued, noting that he had posted information and attack code for a Safari bug March 23. Apple has patched the flaw in the desktop version of Safari, but has yet to close the hole in the stripped-down browser on the iPad, he added.
"We released this in March, mind you, and Apple still hasn't got around to patching this on the iPad!" said Auernheimer.
Last week, Apple patched 48 vulnerabilities in Safari for Mac OS X and Windows -- the first update since Auernheimer went public with his integer overflow bug. None of the 48 patched vulnerabilities, however, was credited to Auernheimer or Goatse.
Auernheimer did not reply to e-mail asking him to point out the specific patch that fixed the vulnerability he disclosed in March.
Apple has said it will update the iPad to iOS4 -- its next-generation operating system -- sometime this fall. Unless it ships a rush patch in the interim, the iOS4 upgrade would be the first opportunity for the company to quash the bug Auernheimer claims is in Safari on the tablet.
Auernheimer also said AT&T downplayed the ease with which someone other than Goatse could have beaten the group to the e-mail vulnerability. In the Sunday message to customers, AT&T said Goatse "deliberately went to great efforts with a random program to extract possible ICC-IDs and capture customer e-mail addresses."
"I'll tell you this, the finder of the AT&T e-mail leak spent just over a single hour of labor total, not counting the time the script ran with no human intervention, to scrape the 114,000 e-mails," said Auernheimer. "If you see this as 'great efforts,' so be it. [But] at any given moment, whatever efforts us [sic] researchers are making are dwarfed by those in the thrall of evil. So get real."
In his blog post today, Auernheimer again defended Goatse's release of the e-mail addresses to ValleyWag last week. "We did it as a service to our nation. We love America and the idea of the Russians or Chinese being able to subvert American infrastructure is a nightmare," he said. "I will stand by the actions of my team and protect the finder of this bug no matter what the cost."
For its part, AT&T said it would cooperate with any investigation by authorities, including the Federal Bureau of Investigation (FBI), which has opened a probe to determine whether Goatse broke any federal laws. "We will ... prosecute violators to the fullest extent of the law," AT&T said in its e-mail to iPad 3G customers.
Saying that AT&T was out to "crucify" Goatse, Auernheimer suggested the carrier take a different approach.
"You f***ed up, we helped you that figure out and informed the public. You should thank us, but you can keep on s***-talking if you want. We know what we did was right," Auernheimer said.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed. His e-mail address is firstname.lastname@example.org.
Read more about Security in Computerworld's Security Topic Center.