iPad Security Breach Embarrasses AT&T

by Matt Klassen on June 15, 2010

You'd think that being the one and only wireless carrier to support arguably two of the most popular mobile devices in the world would be cause for celebration and rejoicing, so why does AT&T not seem to be having any fun?

The steady stream of absolutely rotten luck, some of which is certainly self-imposed, might lead one to think that the wireless giant has been cursed by some jungle tribe shaman or mythical Greek god, doomed forever to carry popular devices but never able to enjoy them.

It is with this in mind that I bring to you news of a hack on AT&T iPad customers, an attack that exposed a glaring weakness in AT&T’s wireless security, and a story that contains more sexual innuendo than a Woody Allen movie. It’s a story that now involves a lengthy cast of characters, from the hacker front-company Goatse Security to the Federal Bureau of Investigation and almost everyone in between, a story which ultimately raises the question: can you ever trust AT&T again?

The story began last week when Goatse Security, a not-so-subtle legitimate front for a group of hackers that like to expose corporate electronic security loopholes—within the bounds of the law of course—and reveal those loopholes to the world, discovered a glaring weakness in AT&T’s iPad security measures.

The vulnerability, Goatse discovered, readily returned a customer’s email address if a valid serial number for the iPad SIM card was entered, which for a hacker simply means a few short minutes writing a script to mimic a valid serial number and then downloading over 100,000 email addresses of unlucky iPad users.

While Goatse, being an upstanding and ethical company, did inform AT&T of its vulnerability, it did so only after sharing the information with online gossip site Gawker. Oh great, just what you would want to happen with your private information, have it pawned off to a site called “Gawker,” that’ll keep it safe!

But before you begin to worry that your overall privacy and security have been compromised, nothing truly private was obtained in Goatse’s little adventure, and your iPad password remains as safe as ever. The only inconvenience you might experience is an increase in spam mail, and unless you have an insatiable desire to open every email that promises you sexual enhancement, you have little to worry about.

For its part, AT&T claims that it fell victim to “unauthorized computer ‘hackers’ [who] maliciously exploited a function designed to make your iPad log-in process faster by pre-populating an AT&T authentication page with the email address you used to register your iPad for 3G service.” While the FBI is now investigating AT&T’s claims, and while we all may naively hope that such “security companies” would refrain from exploiting such vulnerabilities, there honestly doesn’t seem to be anything particularly malicious about this situation.
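How a defender could spot this kind of harvesting in the logs of a pre-population function like the one AT&T describes, where an identifier alone returns an email address: an added example, not code from AT&T or Goatse. The log format, the `/prefill` path, the `id` parameter and the thresholds are all assumptions made up for illustration.

```python
from collections import defaultdict, deque
from urllib.parse import urlsplit, parse_qs

# Constructed sample log: "epoch_seconds client request_target status".
# The /prefill path and "id" parameter are hypothetical, not a real endpoint.
SAMPLE_LOG = """\
1000 203.0.113.10 /prefill?id=T5001 200
1005 198.51.100.7 /prefill?id=T0001 404
1006 198.51.100.7 /prefill?id=T0002 200
1007 198.51.100.7 /prefill?id=T0003 404
1008 198.51.100.7 /prefill?id=T0004 200
1009 198.51.100.7 /prefill?id=T0005 200
1010 198.51.100.7 /prefill?id=T0006 200
1100 203.0.113.10 /prefill?id=T5001 200
1100 203.0.113.20 /prefill?id=T7001 200
1300 203.0.113.20 /prefill?id=T7002 200
1500 203.0.113.20 /prefill?id=T7003 200
1700 203.0.113.20 /prefill?id=T7004 200
"""

def find_enumerators(log_text, window=60, max_distinct=3, param="id"):
    """Return {client: peak distinct-identifier count} for every client that
    looked up more than max_distinct different identifiers within `window`
    seconds. One device re-sending its own identifier never trips this."""
    recent = defaultdict(deque)  # client -> (timestamp, identifier) in window
    flagged = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue  # skip malformed lines instead of failing the whole scan
        ts, client, target = int(parts[0]), parts[1], parts[2]
        values = parse_qs(urlsplit(target).query).get(param)
        if not values:
            continue  # request did not carry the lookup identifier
        seen = recent[client]
        seen.append((ts, values[0]))
        while seen[0][0] <= ts - window:
            seen.popleft()  # drop lookups that fell out of the time window
        distinct = len({ident for _, ident in seen})
        if distinct > max_distinct:
            flagged[client] = max(flagged.get(client, 0), distinct)
    return flagged

if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))
```

Counting distinct identifiers rather than raw request volume is what separates a single device logging in repeatedly from a client walking through serial numbers; misses (404) are counted as well as hits because guessed identifiers produce both.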

So has Goatse done anything wrong here? In its own defense, the security company claims that, “all data was gathered from a public webserver with no password, accessible by anyone on the Internet. There was no breach, intrusion, or penetration, by any means of the word.” This means, quite simply, that we couldn’t possibly expect a group of hackers who have the means to steal people’s private information to refrain from doing so if the opportunity legally presented itself.

In my mind, while it’s unfortunate that there are hackers willing to stoop to such lows, the fault in this situation lies squarely on the shoulders of AT&T. Unless the investigation finds that Goatse has actually sold this information, the only thing it could be found guilty of is publicly embarrassing AT&T, certainly nothing new for the wireless giant.
