Could AT&T's iPad Email Leak Really Be A Much, Much More Serious Security Breach?
from the doesn't-sound-good dept
Last week, we wrote about the security glitch by AT&T, that allowed hackers to figure out the email addresses of 114,000 iPad users. A few people in the comments mocked this news, claiming that such info was pretty much meaningless, as email addresses are hardly private info these days. Of course, that ignored the connection of the email address to the fact that you bought an iPad. But now, some are realizing the potential security problems with this may be significantly worse. Slashdot point us to a story where someone walks through how poor security choices by the various mobile operators means that knowing the information revealed by the glitch can actually reveal much, much more. As the blog post walks through the details, it concludes that potentially, the data from the breach in some cases (though, not all) could then be used to figure out a lot more:
So yeah, knowing someone’s ICCID can give you their full unpublished billing name, their cellular phone number (and hence their home address), their current location on a realtime basis, their voicemail, and if you’re prepared to follow them around (within a few miles) then you get all their phone calls and SMS messages too.
There is a later edit, when he realizes that the voicemail/phone calls/SMS stuff might not be that big of a deal, since the iPad is not a phone device, but it’s still instructive of how a “simple” data breach can lead to much more in certain circumstances.
Comments on “Could AT&T's iPad Email Leak Really Be A Much, Much More Serious Security Breach?”
It’s the CYBERWAR!!!!
Holy crap… Can we put AT&T up for war crimes?
Re: Re:
I wonder if they should be prosecuted in civilian court or military court? Maybe Obama can create a new Military Cyberwar court czar.
Yawn.
IIRC, many of the correlations ultimately pointed to persons in positions where one would ordinarily expect security would be a significant concern (e.g., members of the military).
Perhaps it already exists, or perhaps many of the needed “pieces” are already in place waiting for someone or some group to recognize a potential integration of these “pieces” (perhaos in conjunction with new “pieces”)into a system or method that mitigates data mining.
It is from situations such as this that “inventions” spring forth, some of which, of course, are more effective than others. And, it is in situations such as this that persons consider whether or not circumstances dictate that the filing of a patent application(s) may be prudent.
This is not meant to be a “see, patents are important” comment, but merely to note that not everything is necessarily obvious to those of ordinary skill in the relevant art.
Do you own homework.
I needn’t ask you to do you own homework on this but this has gone on for years. Techdirt may have been “alert” but certaintly not awake to the wider picture.
Please open thy eyes to the world around you!
Telecoms fund and supply info to big brother too.
Rage against the machine.
Re: Do you own homework.
So, are you responsible for putting up “Infowars.com” bumper stickers on rest stops across America?
If so, Good job. I’m really looking forward to the Chris Matthews interview with Alex Jones tomorrow night.
I doubt it. But “ICCD” is a very technical term. Most companies refer to them as SIM IDs.
I have some theories, but frankly, I have no desire to seek out or analyze the list unless someone legitimately provides it along with a check for $20,000 along with an NDA that states they would be hold me harmless, protect, indemnify and defend my analysis.
Until then, well, I guess the FBI will do their job. After all, us tax payers depend on AT&T’s security.
“but it’s still instructive of how a “simple” data breach can lead to much more in certain circumstances.” – or not. it could be instructive as to how often people over reach looking for a scary hacker / data theft story.
Re: Re:
Yeah, the media has a way to sensationalize things they don’t understand.
I find this especially true if they favor Microsoft. Anything to scare people away from good platform, they jump on.
Re: Re:
Just like how an AOL search log being leaked couldn’t possibly reveal a person, right? Just ask Thelma Arnold. Oops.
ANY leak of major personal information can be narrowed down to specific person, and linked to numerous other databases of information.
You’d be surprised how easy it is to identify you with a little bit of data, and just how much can be gained from that.
Wow people are really missing the risk
Ok, so the fact that they have your email address not a big deal. But having 2 pieces of info can make phishing attack much more successful.
So let’s say the average phishing attack with 1 piece of info has just a .1% success rate. (Making this up so no not citing any studies) In this case that would mean 114 people fell for it and gave of info enough to clean them out. Well with 2 pieces of info let’s say they can now get to a whopping 2% success rate. That means 2280 fell for it. And then lets say each victim lost $500 in each case. 57,000 versus $1,140,00.
This can be illustrated by looking at spam. Why do you think you get so much spam? Because (last stat I saw) .001% of people buy the product in the spam. Well if you send out 500 million and your product offers $10 of profit of each sale, you make $50k not bad since it only cost $200 to send all that. Same with phishing attacks. All you want to do is increase your response rate. More info more success.
And for those that are slow the two pieces of info are your email address and that you own an iPad 3G with cell data service.
Re: Wow people are really missing the risk
Oh yeah forgot to say that I have gotten 6 phishing emails that are very specific in the info related to this, just this week to an email address that gets just 20 spam a week.
But at this time, it’s really not worth it because AT&T is an interesting company that likes to find someone else to blame. AT&T isn’t AT&T. They are still operating from the SBC playbook.
* When SBC/BLS bought AT&T they blamed AT&T and said that they paid too much for AT&T.
* When SBC/BLS was screwing all their non-bargained employees for healthcare, they immediately blamed Obama’s Healthcare plan for a $1,000,000,000 healthcare charge.
* When SBC/BLS didn’t have a scalable network to support data users, they blamed their customers and put in place “a data cap you can’t refuse.”
* When SBC/BLS was offered constructive criticism by a customer, they told a customer about a thing called a cease and desist.
They may be “AT&T” in name, but it isn’t the AT&T that survived 200 years and was a leader in practice. Skimping on security and QA is unacceptable and would be looked down upon by anyone who is familliar with The Bell System.
AT&T owns this. It’s sickening that the Government has to get involved to help manage their security.
But at this time, it’s really not worth it because AT&T is an interesting company that likes to find someone else to blame. AT&T isn’t AT&T. They are still operating from the SBC playbook.
* When SBC/BLS bought AT&T they blamed AT&T and said that they paid too much for AT&T.
* When SBC/BLS was screwing all their non-bargained employees for healthcare, they immediately blamed Obama’s Healthcare plan for a $1,000,000,000 healthcare charge.
* When SBC/BLS didn’t have a scalable network to support data users, they blamed their customers and put in place “a data cap you can’t refuse.”
* When SBC/BLS was offered constructive criticism by a customer, they told a customer about a thing called a cease and desist.
They may be “AT&T” in name, but it isn’t the AT&T that survived 200 years and was a leader in practice. Skimping on security and QA is unacceptable and would be looked down upon by anyone who is familliar with The Bell System.
AT&T owns this. It’s sickening that the Government has to get involved to help manage their security.
It is unsurprising to see an article like this about AT&T but not Google during the breach of its network.
As to phone calls and SMS...
You said that the original poster noted that the iPad isn’t a voice device and so one probably could not sniff phone calls. I have 2 things to add to this:
1. Sniffing email is probably just as bad. Many people specifically email things when they are in public places that they would not want to say aloud, so this might be even worse than sniffing phone calls. GPRS/EDGE has been cracked for as long as GSM, and UTMS probably won’t be secure more than another year.
2. If they have access to all this other data, especially the location data, couldn’t they just find the user’s cell phone (probably also on AT&T) that’s within 10 feet of the iPad, then confirm with the account data on the phone? In a way, this is worse than cracking their phone – cracking the iPad gives them access to both, with a little more effort.
Just some thoughts. I have a friend on AT&T who just ordered an iPad and she’s VERY privacy-conscious. She’s already kinda pissed about Apple eliminating the 1 button they used to have on the mouse and MobileMe being down half the time. It should be a lot of fun when I call her and tell her I know where she is…maybe enough to finally move her to Linux 🙂
It’s bad for the future!
hire a hacker
hacker4hire@hackermail.com
iPad is so overrated
mine broke after 3 weeks
penny@dorne.info