AT&T Writes To iPad 3G Customers; Blames Hackers For Security Breach
AT&T has finally communicated to customers about the security breach that saw the email addresses of over 114,000 iPad 3G users compromised last week.
In an email sent to the iPad 3G owners, AT&T senior Vice President and Chief Privacy Officer Dorothy Attwood has apologized for the incident and has assured her customers that the matter has been resolved and no other confidential information has been leaked.
Interestingly, rather than taking full responsibility, Attwood has placed the blame for the attack on Goatse Security, the hacking group that exposed the vulnerability. She writes that the hackers exploited a function on the AT&T website for their own publicity. The feature that was exploited was meant to let iPad users log in faster by pre-populating the subscriber authentication page with the user's email address. The AT&T email notes:
"The hackers deliberately went to great efforts with a random program to extract possible ICC-IDs and capture customer email addresses. They then put together a list of these emails and distributed it for their own publicity."
Attwood's statements contradict those issued by Goatse Security. The hacker group had claimed to have exposed the vulnerability in good faith, without compromising the security of iPad users.
In response to AT&T's email, Escher Auernheimer, an analyst at the Goatse Security group, writes:
"AT&T says the person responsible for this went “to great efforts”. I’ll tell you this, the finder of the AT&T email leak spent just over a single hour of labor total (not counting the time the script ran with no human intervention) to scrape the 114,000 emails. If you see this as “great efforts”, so be it.
When we disclosed this, we did it as a service to our nation. We love America and the idea of the Russians or Chinese being able to subvert American infrastructure is a nightmare. We understand that good deeds many times go punished, and AT&T is trying to crucify us over this. The fact remains that there was not a hint of maliciousness in our disclosure. We disclosed only to a single journalist and destroyed the data afterward. We did the right thing, and I will stand by the actions of my team and protect the finder of this bug no matter what the cost."
Auernheimer further accuses AT&T of being dishonest about the "potential for harm" and calls the delayed disclosure to customers "unacceptable". He has, however, made no mention of recent statements from the FBI that it was investigating the leaks as a "potential cyberthreat".
Unless there is something both parties aren't telling us, AT&T should ideally be thanking Goatse Security for identifying the rather stupid security loophole rather than blaming them.
What are your views on this episode? Do you see this incident as a case of ethical hacking? Is AT&T being dishonest about Goatse Security's role in patching a serious security flaw? Let us know what you think in the comments.
[via The New York Times]