I was asked by our PR team today whether there was a story in the recent iPad 'vulnerability' that is doing the rounds in both the tech and mainstream media. The vulnerability was found by
Goatse Security (great name guys) and is being pitched as 'Apple's worse security breach'.
The situation has got massively out of hand. I received a number of emails from worried staff today, and I've even read that the FBI are investigating 'the cyberthreat posed by this exposure'. This is a classic example of security researchers using FUD to manipulate the media for publicity's sake. The media is complicit as well: while what they are reporting is factually true, the apocalyptic impacts they are espousing are laughable. The reality is that the only story is that there isn't really a story at all.
So it's time for a reality check:
This isn't a vulnerability in the iPad. It is, in fact, a badly designed and implemented website run by AT&T, the US carrier for the iPad. This explains why the problem is limited to the US and has not been seen in any of the other territories in which the iPad is available. But a bug on a website doesn't make as good a story as a vulnerability in a device selling in its millions across the globe - does it?
AT&T had designed a Web interface that would return an associated email address when presented with an identifier of an iPad known as an ICC-ID. Goatse simply wrote a PHP script that made it look like the user agent was an iPad, then looped through all possible ICC-IDs and harvested the returned e-mail addresses.
The ICC-ID to e-mail mapping has nothing to do with the iPad; this is all pulled in from the back-end OSS systems at the carrier. It's a simple schoolboy error.
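The enumeration described above (one client walking through ICC-IDs against a lookup endpoint, with a spoofed user agent) leaves an obvious footprint in the web server's access logs. The following is an added example, not code from this post or from AT&T, that flags such a client; the log format, the `/device?iccid=` endpoint path and every sample line are constructed for the example. It keys on behaviour (many distinct, sequential IDs from one address in a short window) rather than on the user agent, which the script spoofed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines (not real carrier data): one client walking
# sequential ICC-IDs with a spoofed iPad user agent, plus two ordinary single lookups.
SAMPLE_LOG = """\
2010-06-09T10:00:01 203.0.113.5 "GET /device?iccid=89014100000000000010" 200 "Mozilla/5.0 (iPad; U; CPU OS 3_2)"
2010-06-09T10:00:02 203.0.113.5 "GET /device?iccid=89014100000000000011" 200 "Mozilla/5.0 (iPad; U; CPU OS 3_2)"
2010-06-09T10:00:02 203.0.113.5 "GET /device?iccid=89014100000000000012" 200 "Mozilla/5.0 (iPad; U; CPU OS 3_2)"
2010-06-09T10:00:03 203.0.113.5 "GET /device?iccid=89014100000000000013" 200 "Mozilla/5.0 (iPad; U; CPU OS 3_2)"
2010-06-09T10:00:03 203.0.113.5 "GET /device?iccid=89014100000000000014" 200 "Mozilla/5.0 (iPad; U; CPU OS 3_2)"
2010-06-09T10:00:04 203.0.113.5 "GET /device?iccid=89014100000000000015" 200 "Mozilla/5.0 (iPad; U; CPU OS 3_2)"
2010-06-09T10:00:05 198.51.100.7 "GET /device?iccid=89014100000000004242" 200 "Mozilla/5.0 (iPad; U; CPU OS 3_2)"
2010-06-09T10:01:00 198.51.100.9 "GET /device?iccid=89014100000000007777" 200 "Mozilla/5.0 (iPad; U; CPU OS 3_2)"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) "GET /device\?iccid=(\d+)" (\d{3}) "([^"]*)"$')

def parse(log_text):
    """Yield (timestamp, client_ip, iccid, status, user_agent) for each lookup request."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request to the lookup endpoint (assumed format)
        ts, ip, iccid, status, ua = m.groups()
        yield datetime.fromisoformat(ts), ip, int(iccid), int(status), ua

def find_enumerators(log_text, min_lookups=5, window_seconds=60):
    """Return {client_ip: distinct_ids} for clients that, within window_seconds, made
    min_lookups successful lookups whose ICC-IDs step by exactly 1 (a sequential walk).
    A real device asks for its own ICC-ID once; the user agent is attacker-controlled
    and is therefore ignored when deciding."""
    by_ip = defaultdict(list)
    for ts, ip, iccid, status, _ua in parse(log_text):
        if status == 200:
            by_ip[ip].append((ts, iccid))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        for start in range(0, len(events) - min_lookups + 1):
            chunk = events[start:start + min_lookups]
            span = (chunk[-1][0] - chunk[0][0]).total_seconds()
            ids = [i for _, i in chunk]
            steps = [b - a for a, b in zip(ids, ids[1:])]
            if span <= window_seconds and all(s == 1 for s in steps):
                flagged[ip] = len({i for _, i in events})
                break
    return flagged
```

The strict step-of-1 test is deliberate for the walk described here; a production rule would also count distinct IDs per client regardless of ordering, since the same pattern shows up whenever a guessable identifier is the only thing standing between a request and someone else's record.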
That brings me on to the second issue with the story - what was exposed, really?
What was exposed was Internet-facing email addresses: no passwords, no phone numbers, no credit cards. Many of the addresses could probably have been easily guessed based on name, or harvested using traditional directory or Web-harvesting techniques.
While an Internet email address could be considered Personally Identifiable Information (PII), the sensitivity or impact level of this data on its own is very low. The use cases for someone who has harvested this data are quite limited.
While it shouldn't have been so easy to automate the collection of these emails, in the grand scheme of things this hardly represents a big risk, and certainly not one on the level being suggested in some of the articles I've read.
As security professionals we cannot cry wolf for our own notoriety's sake, or users will start to suffer from threat fatigue. The resulting diminished, or distracted, user awareness will hit us all in the long run.
Reader Comments (1)
[...] Security with the ‘iPad vulnerability’, which turned out to be a much less newsworthy coding error on an AT&T website which [...]