Military, other fed iPad users compromised in AT&T hack

Civilian agency and military 3G Apple iPad users were among those whose e-mail addresses were exposed recently when a hacker group gained access to a list of users – including many high-profile people in industry, politics and the media – via AT&T’s Web site.

Gawker, which first reported the breach, said the compromised information also included users’ ICC numbers, which authenticate users on AT&T’s network. However, AT&T told the New York Times that those numbers only reveal the e-mail address for the iPad users.

A security expert told the Times that an ICC identification could, in theory, be used to determine a device’s location, but doing so would require gaining access to secure databases that are not usually connected to the Internet. Experts said little real harm is likely to come from the attack.

Despite the limited expected fallout, the breach does raise concerns for users of iPads and, perhaps, other wireless devices. The Times told its employees with iPads to turn off the 3G functions until it could investigate the matter.

According to Gawker, the group that first reported the breach to AT&T exploited a script on AT&T’s Web site to get the information on approximately 114,000 users. AT&T, which is Apple’s exclusive provider for the iPhone and iPad, said it was notified of the vulnerability Monday and has since closed the hole.

E-mail addresses revealed included those of New York City Mayor Michael Bloomberg, the chief executive officers of Dow Jones, the New York Times, Time magazine, Diane Sawyer of ABC News and film producer Harvey Weinstein. White House Chief of Staff Rahm Emanuel also was apparently on the list.

Among government users, the list included those with addresses at the Army, the Defense Advanced Research Projects Agency, the Federal Aviation Administration, the Federal Communications Commission, the Justice Department and NASA.

The script on AT&T’s Web site that allowed the data theft is available to anyone on the Internet, according to Gawker, which was shown the list of e-mail addresses. “When provided with an ICC-ID as part of an HTTP request, the script would return the associated email address, in what was apparently intended to be an [Asynchronous JavaScript and Extensible Markup Language]-style le response within a Web application,” Gawker reported. “The security researchers were able to guess a large swath of ICC IDs by looking at known iPad 3G ICC IDs, some of which are shown in pictures posted by gadget enthusiasts to Flickr and other internet sites.” They then wrote a PHP script to automate the collection of data, the report said.