Posts Tagged ‘AT&T Breach’

Subscriber information wasn’t the only thing captured in the Apple data breach

Tuesday, June 22nd, 2010

Goatse, the hacking firm that discovered the vulnerability on AT&T’s website exposing 144,000 iPad subscribers’ information (name, account number and email address), does not like how AT&T has portrayed them.  They wrote an explicit response to that letter here.  I still think Goatse could have done things a bit differently.  According to them, they notified a third party, who Goatse claims was a journalist, and then promptly destroyed the data.  In other reports that I read, several third parties were notified.  I don’t have any idea whether they were all journalists or not.  The proper way to handle situations like this (if you aren’t trying to get free publicity and truly just want to do the right thing) is to contact AT&T directly and work with them until the vulnerability is fixed.  Then you can disclose what happened.  This is of course much easier said than done, but I still don’t think that Goatse followed the right steps.  That doesn’t put them entirely in the wrong either.  They could have done much worse with the vulnerability they discovered and the information they gathered.

All that being said, I found something very interesting in the Goatse response that I hadn’t thought of before.  One of the pieces of information they captured (or rather systematically guessed and then verified through data extraction) is the ICC-ID.  This is the unique identifier on the iPad.  Using the ICC-IDs, someone could potentially identify the location of any particular iPad owner and track everywhere the user goes.  This could have very serious security ramifications, especially when you consider who was on that list of 144,000.  If this were really possible (which no one has shown yet), it is certainly a privacy issue but would verge on a national security problem.  Imagine if a foreign government knew exactly where all the top military leaders and the secretary of state were at all times.  There are a lot of scary scenarios we could talk about if this were really possible.  But I didn’t think of the risk the ICC-IDs could pose when I wrote my initial blog post.


iPad Owners Exposed – AT&T and Apple Security Breach

Friday, June 11th, 2010

Read about it here.  Here is what I think about it.

Poor website security practices by AT&T led to the breach, but like many breaches, AT&T is just the third party.  So when everyone references this breach in the future it will be Apple’s name, not AT&T’s.  That being said, this is somewhat symbolic because email addresses by themselves usually don’t constitute a data breach.  It is unclear what other information, if any, was also captured.  This is an interesting case because in almost any other situation nobody would care about email addresses being exposed.  This isn’t about a data breach; it is about a group being able to capture an exclusive list of America’s most influential people and their private email addresses.  A list like this simply doesn’t exist.  But Goatse (the security consulting group) was able to write a script that systematically harvested these addresses from the AT&T website for any iPad owners who had signed up for the 3G service.  While they say 114,000 emails were compromised, it is likely that many others were compromised as well.  Personally, this is where I think Goatse stepped over the line.  They detected and exploited the vulnerability.  They told AT&T about it.  They wanted press and they have it.  But they said that they gave the vulnerability exploit and script to others.  Who are these others?  What did they do with this information?  It is always a slippery slope when a rogue security firm does this type of thing in the first place.  But if you are going to do this and already be in a “grey area”, you really shouldn’t give the script out to others to use.  That is what makes it go from grey to black very quickly.  Let’s all remember it is just email addresses (as far as we know).  It isn’t like someone hacked into the government, took over the president’s “red phone” and called in a nuclear strike.  But due to the high profile nature of those compromised (you can’t get much higher profile), AT&T and Apple will take a lot of heat for this.
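The two posts above describe the same underlying weakness from a defender's point of view: a web lookup keyed on a guessable identifier (the ICC-ID) returned a subscriber's email address without checking that the requester actually owned that identifier, so sequential guessing turned one lookup into a harvest. The following is an added example, not code from the blog post, AT&T or Goatse. It models that lookup as a toy Python function, puts the hardened version (lookup bound to the authenticated session's own identifier) next to it, and runs a simple enumeration detector over constructed access-log lines. The subscriber table, ICC-ID values, email addresses, URL path and log format are all made up for illustration.

```python
"""Added example (not from the blog post, AT&T or Goatse): a toy subscriber
lookup keyed on a guessable identifier, the unauthorized-lookup flaw beside a
hardened version, and a detector that flags enumeration bursts in constructed
access-log lines. All identifiers, emails, paths and log lines are invented."""
from collections import Counter, defaultdict
from typing import Optional
import re

# Constructed subscriber table: ICC-ID -> email. The values are fake and
# deliberately sequential to show why a guessable key is a problem.
SUBSCRIBERS = {
    "8901410000000000101": "alice@example.com",
    "8901410000000000102": "bob@example.com",
    "8901410000000000103": "carol@example.com",
}


def lookup_vulnerable(iccid: str) -> Optional[str]:
    """The flawed pattern: the identifier alone is treated as proof of
    ownership, so anyone who can guess a valid ICC-ID gets the email."""
    return SUBSCRIBERS.get(iccid)


class AuthorizationError(Exception):
    """Raised when a caller asks for a record that is not their own."""


def lookup_hardened(iccid: str, session_iccid: Optional[str]) -> Optional[str]:
    """Hardened pattern: the lookup is bound to an authenticated session.
    session_iccid is assumed to come from a server-side session store, never
    from the request itself. A request for any other subscriber is refused
    with the same error whether or not that ICC-ID exists, so the endpoint
    cannot be used as an existence oracle for guessed identifiers."""
    if session_iccid is None or iccid != session_iccid:
        raise AuthorizationError("not the owner of the requested subscriber record")
    return SUBSCRIBERS.get(iccid)


# Constructed access-log lines (client, method, path, status). One client walks
# consecutive ICC-IDs and hits both existing and non-existing records; the
# other looks up a single record, which is what a real subscriber does.
LOG_LINES = """\
203.0.113.5 GET /account?iccid=8901410000000000101 200
203.0.113.5 GET /account?iccid=8901410000000000102 200
203.0.113.5 GET /account?iccid=8901410000000000103 200
203.0.113.5 GET /account?iccid=8901410000000000104 404
203.0.113.5 GET /account?iccid=8901410000000000105 404
198.51.100.7 GET /account?iccid=8901410000000000102 200
""".splitlines()

LOG_RE = re.compile(r"^(\S+) GET /account\?iccid=(\d+) (\d{3})$")


def detect_enumeration(lines, threshold: int = 3) -> dict:
    """Flag clients that request `threshold` or more distinct ICC-IDs.

    Returns {client: {"distinct": n, "not_found": m}} for flagged clients.
    A legitimate subscriber looks up one ICC-ID (their own); many distinct
    values from one client, especially with 404s mixed in, is the signature
    of sequential guessing against the lookup endpoint."""
    seen = defaultdict(set)
    not_found = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not lookups on this endpoint
        client, iccid, status = m.groups()
        seen[client].add(iccid)
        if status == "404":
            not_found[client] += 1
    return {
        client: {"distinct": len(ids), "not_found": not_found[client]}
        for client, ids in seen.items()
        if len(ids) >= threshold
    }


if __name__ == "__main__":
    # Vulnerable: any guessed ICC-ID returns the matching email.
    print(lookup_vulnerable("8901410000000000102"))
    # Hardened: the same request from someone else's session is refused.
    try:
        lookup_hardened("8901410000000000102", session_iccid="8901410000000000101")
    except AuthorizationError as exc:
        print("refused:", exc)
    # Detection: the enumerating client is flagged, the single lookup is not.
    print(detect_enumeration(LOG_LINES))
```

The point of the hardened lookup is that the ICC-ID stops being the credential: the record returned is always the one tied to the caller's own session, so enumerating identifiers yields nothing. The detector is deliberately simple (distinct identifiers per client over a log slice); in practice the same count would be kept per time window and fed to rate limiting as well as alerting.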