Apple's iPad security breach reveals vulnerability of mobile devices
Saturday, June 12, 2010
Mobile devices are slick, powerful and convenient, but the news this week that AT&T suffered a data breach on thousands of iPads highlighted another quality: They're vulnerable.
As more personal information migrates to mobile devices, experts say hackers have increasing opportunities to track people, listen in on phone calls and intercept e-mails or documents.
The security breach in a Web service used by Apple's new iPad 3G that was revealed this week suggested the potential stakes involved. Victims included not only thousands of ordinary consumers but also powerful figures in government -- including White House Chief of Staff Rahm Emanuel and New York City Mayor Michael R. Bloomberg -- and the military. Government agencies and companies whose employees' information was exposed were scrambling Friday to determine whether that data could have been used to help hackers track the movements of or get access to documents and e-mails of subscribers.
There's no evidence so far that happened, but it's hard to predict the ramifications of this type of security breach. The vulnerability exposed only e-mail addresses and the unique identification numbers that the devices use to communicate with the phone network for at least 114,000 iPad owners. And that alone can't be used to gain access to someone's iPad.
But in combination with other hacking strategies, security experts say, having the data could make it significantly easier to gain access to sensitive information.
"I don't want to fearmonger, but every time you reveal information that wasn't previously public, it gives hackers an advantage," said Nick DePetrillo, an independent researcher who specializes in wireless security.
Mobile flaws exposed
The flaw, which was not in the Apple iPad's software but in an AT&T Web site the device accesses, was discovered last month by a private security expert playing around with his own iPad. AT&T said it had fixed the problem by Tuesday and the issue was made public Wednesday by an online publication. Both AT&T and Apple have declined to comment further on the matter.
The fact that a hobbyist was, in hours, so easily able to get access to information that Apple and AT&T, two of the country's most respected corporations, vowed to keep private and anonymous has jolted law enforcement officials, regulators and consumers, who had not made security for mobile devices a priority.
FBI spokesman Bryan L. Travers said the bureau had "opened an investigation to address the potential cyber threat" of the breach but declined to answer specific questions. Gawker Media, which owns the Web site that first reported the news, said Friday that it had been contacted by the bureau and asked not to dispose of the data it received from the security experts who found the flaw.
The Federal Communications Commission said Friday that it would increase its scrutiny of online security and privacy as a result of both the iPad breach and a separate incident in May involving vans for Google's StreetView service, which captured data from homes, offices and other open wireless networks as the vans mapped neighborhoods.
Some government agencies and companies whose e-mail addresses had been compromised reacted with caution. The New York Times warned employees to turn off access to AT&T's 3G network until the company's security experts could study the problem. The Pentagon, which says the devices registered under .mil were personal ones not issued by the Defense Department, said it's in the process of "trying to ascertain who and how many may be affected." The Federal Aviation Administration, which had purchased 10 iPads for a pilot project, said it had contacted AT&T to "determine what steps are being taken to prevent this from happening again." Others shrugged off the possibility of a threat.
Apple in spotlight
In the old world of desktops, Apple could take comfort in the fact that Microsoft was the prime target of hackers in part because of the ubiquity of its Windows operating system.