Military, other fed iPad users compromised in AT&T hack

E-mail addresses exposed in recent white-hat attack

Civilian agency and military 3G Apple iPad users were among those whose e-mail addresses were exposed recently when a hacker group gained access to a list of users – including many high-profile people in industry, politics and the media – via AT&T’s Web site.

Gawker, which first reported the breach, said the compromised information also included users’ ICC numbers, which authenticate users on AT&T’s network. However, AT&T told the New York Times that those numbers only reveal the e-mail address for the iPad users.

A security expert told the Times that an ICC identification could, in theory, be used to determine a device’s location, but doing so would require gaining access to secure databases that are not usually connected to the Internet. Experts said little real harm is likely to come from the attack.

Despite the limited expected fallout, the breach does raise concerns for users of iPads and, perhaps, other wireless devices. The Times told its employees with iPads to turn off the 3G functions until it could investigate the matter.

According to Gawker, the group that first reported the breach to AT&T exploited a script on AT&T’s Web site to get the information on approximately 114,000 users. AT&T, which is Apple’s exclusive provider for the iPhone and iPad, said it was notified of the vulnerability Monday and has since closed the hole.

E-mail addresses revealed included those of New York City Mayor Michael Bloomberg, the chief executive officers of Dow Jones, the New York Times, Time magazine, Diane Sawyer of ABC News and film producer Harvey Weinstein. White House Chief of Staff Rahm Emanuel also was apparently on the list.

Among government users, the list included those with addresses at the Army, the Defense Advanced Research Projects Agency, the Federal Aviation Administration, the Federal Communications Commission, the Justice Department and NASA.

The script on AT&T’s Web site that allowed the data theft is available to anyone on the Internet, according to Gawker, which was shown the list of e-mail addresses. “When provided with an ICC-ID as part of an HTTP request, the script would return the associated email address, in what was apparently intended to be an [Asynchronous JavaScript and Extensible Markup Language]-style le response within a Web application,” Gawker reported. “The security researchers were able to guess a large swath of ICC IDs by looking at known iPad 3G ICC IDs, some of which are shown in pictures posted by gadget enthusiasts to Flickr and other internet sites.” They then wrote a PHP script to automate the collection of data, the report said.

 

About the Author

Kevin McCaney is a former editor of Defense Systems and GCN.

Featured

  • FCW PERSPECTIVES
    sensor network (agsandrew/Shutterstock.com)

    Are agencies really ready for EIS?

    The telecom contract has the potential to reinvent IT infrastructure, but finding the bandwidth to take full advantage could prove difficult.

  • People
    Dave Powner, GAO

    Dave Powner audits the state of federal IT

    The GAO director of information technology issues is leaving government after 16 years. On his way out the door, Dave Powner details how far govtech has come in the past two decades and flags the most critical issues he sees facing federal IT leaders.

  • FCW Illustration.  Original Images: Shutterstock, Airbnb

    Should federal contracting be more like Airbnb?

    Steve Kelman believes a lighter touch and a bit more trust could transform today's compliance culture.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.