Military, other fed iPad users compromised in AT&T hack

E-mail addresses exposed in recent white-hat attack

Civilian agency and military 3G Apple iPad users were among those whose e-mail addresses were exposed recently when a hacker group gained access to a list of users – including many high-profile people in industry, politics and the media – via AT&T’s Web site.

Gawker, which first reported the breach, said the compromised information also included users’ ICC numbers, which authenticate users on AT&T’s network. However, AT&T told the New York Times that those numbers only reveal the e-mail address for the iPad users.

A security expert told the Times that an ICC identification could, in theory, be used to determine a device’s location, but doing so would require gaining access to secure databases that are not usually connected to the Internet. Experts said little real harm is likely to come from the attack.

Despite the limited expected fallout, the breach does raise concerns for users of iPads and, perhaps, other wireless devices. The Times told its employees with iPads to turn off the 3G functions until it could investigate the matter.

According to Gawker, the group that first reported the breach to AT&T exploited a script on AT&T’s Web site to get the information on approximately 114,000 users. AT&T, which is Apple’s exclusive provider for the iPhone and iPad, said it was notified of the vulnerability Monday and has since closed the hole.

E-mail addresses revealed included those of New York City Mayor Michael Bloomberg, the chief executive officers of Dow Jones, the New York Times, Time magazine, Diane Sawyer of ABC News and film producer Harvey Weinstein. White House Chief of Staff Rahm Emanuel also was apparently on the list.

Among government users, the list included those with addresses at the Army, the Defense Advanced Research Projects Agency, the Federal Aviation Administration, the Federal Communications Commission, the Justice Department and NASA.

The script on AT&T’s Web site that allowed the data theft is available to anyone on the Internet, according to Gawker, which was shown the list of e-mail addresses. “When provided with an ICC-ID as part of an HTTP request, the script would return the associated email address, in what was apparently intended to be an [Asynchronous JavaScript and Extensible Markup Language]-style le response within a Web application,” Gawker reported. “The security researchers were able to guess a large swath of ICC IDs by looking at known iPad 3G ICC IDs, some of which are shown in pictures posted by gadget enthusiasts to Flickr and other internet sites.” They then wrote a PHP script to automate the collection of data, the report said.

 

About the Author

Kevin McCaney is a former editor of Defense Systems and GCN.

Featured

  • Defense
    Soldiers from the Old Guard test the second iteration of the Integrated Visual Augmentation System (IVAS) capability set during an exercise at Fort Belvoir, VA in Fall 2019. Photo by Courtney Bacon

    IVAS and the future of defense acquisition

    The Army’s Integrated Visual Augmentation System has been in the works for years, but the potentially multibillion deal could mark a paradigm shift in how the Defense Department buys and leverages technology.

  • Cybersecurity
    Deputy Secretary of Homeland Security Alejandro Mayorkas  (U.S. Coast Guard photo by Petty Officer 3rd Class Lora Ratliff)

    Mayorkas announces cyber 'sprints' on ransomware, ICS, workforce

    The Homeland Security secretary announced a series of focused efforts to address issues around ransomware, critical infrastructure and the agency's workforce that will all be launched in the coming weeks.

Stay Connected