The Federal Bureau of Investigation is investigating the breach of AT&T servers that exposed the e-mail addresses and SIM card identifiers (ICC-IDs) of more than 100,000 iPad 3G owners, including high-profile early adopters like White House Chief of Staff Rahm Emanuel and New York City Mayor Michael Bloomberg.
The report came out yesterday that a “grey hat” security firm, known as Goatse Security, obtained the data by brute force rather than by any cross-site scripting trick: a script that presented itself as an iPad fed sequential, well-formed ICC-IDs to an AT&T web lookup, which returned the e-mail address tied to each one without requiring the caller to prove it actually held that SIM. The firm said it disclosed this to AT&T before going public with the information. AT&T, however, has a different tale.
In an e-mail to IntoMobile Wednesday, the second-largest U.S. carrier said:
AT&T was informed by a business customer on Monday of the potential exposure of their iPad ICC IDs. The only information that can be derived from the ICC IDs is the e-mail address attached to that device … We take customer privacy very seriously and while we have fixed this problem, we apologize to our customers who were impacted.
So AT&T is saying a business customer informed it of the vulnerability, not the security firm; the FBI will sort out which account is right and whether there has been any wrongdoing.
It is unclear how much trouble this breach will cause iPad users, although the leaked addresses could at least open them up to targeted spam. In a blog post, McAfee said this type of vulnerability is actually quite common around the web.
I would guess that this application vulnerability gained so much attention because, after all, it is Apple we are talking about. The hype around Apple products – like the new iPhone and iPad – is amazing. However, the reality is this type of vulnerability isn’t really news and happens all day long … So while I believe that this vulnerability is not as big as the media makes it out to be, it does highlight the fact that a good security program and lifecycle development practices are critical to success.
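The vulnerability class the article and McAfee are describing is a lookup that treats a guessable identifier as proof of identity. The following is an added example, not code from the original article, AT&T or Goatse Security: it builds a constructed in-memory "ICC-ID to e-mail" directory, runs the kind of sequential enumeration described above against it (ICC-IDs end in a Luhn check digit, so only well-formed values need to be tried), and then shows a hardened version that binds each lookup to a session token issued to the same device and rate-limits probing. All ICC-ID prefixes, e-mail addresses, client addresses and the session-issuing step are assumptions made up for this example.

```python
"""Added example (not from the original article): a constructed mock of an
unauthenticated identifier-to-e-mail lookup, the sequential enumeration it
invites, and a hardened lookup bound to an authenticated session.
Every ICC-ID, e-mail address, client address and token here is constructed."""
import secrets
import time
from collections import defaultdict
from typing import Callable, Dict, Optional


def luhn_check_digit(partial: str) -> str:
    """Compute the Luhn check digit (ISO/IEC 7812) for a digit string.
    ICC-IDs carry a trailing Luhn digit, so an enumerator only has to walk
    the serial part and append the digit instead of trying every string."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:          # rightmost payload digit gets doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


PREFIX = "8900000000000"        # constructed issuer prefix, not a real one


def make_iccid(prefix: str, serial: int) -> str:
    """Assemble a 20-digit ICC-ID: prefix + 6-digit serial + check digit."""
    body = f"{prefix}{serial:06d}"
    return body + luhn_check_digit(body)


# Constructed directory of "activated" devices: ICC-ID -> e-mail address.
DIRECTORY: Dict[str, str] = {
    make_iccid(PREFIX, 104200): "alice@example.com",
    make_iccid(PREFIX, 104201): "bob@example.net",
    make_iccid(PREFIX, 104207): "carol@example.org",
}


def vulnerable_lookup(iccid: str) -> Optional[str]:
    """Vulnerable pattern: the ICC-ID alone is accepted as proof of identity,
    so anyone who can produce a well-formed ICC-ID gets the e-mail back."""
    return DIRECTORY.get(iccid)


def enumerate_emails(lookup: Callable[[str], Optional[str]],
                     start: int, count: int) -> Dict[str, str]:
    """Walk sequential serials, append the check digit, keep every hit."""
    found = {}
    for serial in range(start, start + count):
        iccid = make_iccid(PREFIX, serial)
        email = lookup(iccid)
        if email:
            found[iccid] = email
    return found


class HardenedDirectory:
    """Hardened pattern: a lookup must carry a session token issued to the
    same ICC-ID, and every client is rate-limited inside a sliding window."""

    def __init__(self, directory: Dict[str, str],
                 limit_per_window: int = 5, window_s: float = 60.0):
        self._directory = directory
        self._sessions: Dict[str, str] = {}        # token -> iccid
        self._limit = limit_per_window
        self._window = window_s
        self._hits = defaultdict(list)             # client -> timestamps

    def issue_session(self, iccid: str) -> str:
        """Assumption for this example: stands in for the device proving
        possession of the SIM over a channel where that is actually checked."""
        token = secrets.token_urlsafe(16)
        self._sessions[token] = iccid
        return token

    def lookup(self, token: str, iccid: str, client: str,
               now: Optional[float] = None) -> Optional[str]:
        now = time.monotonic() if now is None else now
        recent = [t for t in self._hits[client] if now - t < self._window]
        if len(recent) >= self._limit:
            raise PermissionError("rate limited")
        recent.append(now)
        self._hits[client] = recent
        if self._sessions.get(token) != iccid:
            return None                # token must be bound to this ICC-ID
        return self._directory.get(iccid)


def demo() -> dict:
    """Run the same enumeration against both services and report the results."""
    leaked = enumerate_emails(vulnerable_lookup, 104190, 25)
    hardened = HardenedDirectory(DIRECTORY, limit_per_window=5, window_s=60.0)
    probed, blocked_after = {}, None
    for i, serial in enumerate(range(104190, 104215)):
        iccid = make_iccid(PREFIX, serial)
        try:
            email = hardened.lookup("no-token", iccid, client="203.0.113.7", now=float(i))
        except PermissionError:
            blocked_after = i          # probing is cut off after the limit
            break
        if email:
            probed[iccid] = email
    alice = make_iccid(PREFIX, 104200)
    token = hardened.issue_session(alice)     # legitimate device session
    own = hardened.lookup(token, alice, client="198.51.100.9", now=0.0)
    other = hardened.lookup(token, make_iccid(PREFIX, 104201), client="198.51.100.9", now=1.0)
    return {"leaked": leaked, "probed": probed, "blocked_after": blocked_after,
            "own": own, "other": other}


if __name__ == "__main__":
    print(demo())
```

The point of the hardened half is not the rate limiter on its own (an attacker with many source addresses will work around it) but the binding of the token to one ICC-ID: even a valid session cannot be used to read a neighbour's record, which is what turns a guessable identifier from a credential back into a plain lookup key.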
One thing is certain: this paints AT&T in a negative light. Maybe this will be the straw that breaks the camel’s back and gives Apple justification to bring its iPhone and iPad to other carriers. T-Mobile, anyone?