Apple's iPad security breach reveals vulnerability of mobile devices

By Ariana Eunjung Cha
Washington Post Staff Writer
Saturday, June 12, 2010; A10

Mobile devices are slick, powerful and convenient, but the news this week that AT&T suffered a data breach on thousands of iPads highlighted another quality: They're vulnerable.

As more personal information migrates to mobile devices, experts say hackers have increasing opportunities to track people, listen in on phone calls and intercept e-mails or documents.

The security breach in a Web service used by Apple's new iPad 3G that was revealed this week suggested the potential stakes involved. Victims included not only thousands of ordinary consumers but also powerful figures in government -- including White House Chief of Staff Rahm Emanuel and New York City Mayor Michael R. Bloomberg -- and the military. Government agencies and companies whose employees' information was exposed were scrambling Friday to determine whether that data could have been used to help hackers track the movements of or get access to documents and e-mails of subscribers.

There's no evidence so far that happened, but it's hard to predict the ramifications of this type of security breach. The vulnerability exposed only e-mail addresses and the unique identification numbers that the devices use to communicate with the phone network for at least 114,000 iPad owners. And that alone can't be used to gain access to someone's iPad.

But in combination with other hacking strategies, security experts say, having the data could make it significantly easier to gain access to sensitive information.

"I don't want to fearmonger, but every time you reveal information that wasn't previously public, it gives hackers an advantage," said Nick DePetrillo, an independent researcher who specializes in wireless security.

Mobile flaws exposed

The flaw, which was not in the Apple iPad's software but in an AT&T Web site the device accesses, was discovered last month by a private security expert playing around with his own iPad. AT&T said it had fixed the problem by Tuesday and the issue was made public Wednesday by an online publication. Both AT&T and Apple have declined to comment further on the matter.

The fact that a hobbyist was, in hours, so easily able get access to information that Apple and AT&T, two of the country's most respected corporations, vowed to keep private and anonymous has jolted law enforcement officials, regulators and consumers, who had not made security for mobile devices a priority.

FBI spokesman Bryan L. Travers said the bureau had "opened an investigation to address the potential cyber threat" of the breach but declined to answer specific questions. Gawker Media, which owns the Web site that first reported the news, said Friday that it had been contacted by the bureau and asked not to dispose of the data it received from the security experts who found the flaw.

The Federal Communications Commission said Friday that it would increase its scrutiny of online security and privacy as a result of both the iPad breach and a separate incident in May involving vans for Google's StreetView service, which captured data from homes, offices and other open wireless networks as the vans mapped neighborhoods.

Some government agencies and companies whose e-mail addresses had been compromised reacted with caution. The New York Times warned employees to turn off access to AT&T's 3G network until the company's security experts could study the problem. The Pentagon, which says the devices registered under .mil were personal ones not issued by the Defense Department, said it's in the process of "trying to ascertain who and how many may be affected." The Federal Aviation Administration, which had purchased 10 iPads for a pilot project, said it had contacted AT&T to "determine what steps are being taken to prevent this from happening again." Others shrugged off the possibility of a threat.

Apple in spotlight

In the old world of desktops, Apple could take comfort in the fact that Microsoft was the prime target of hackers in part because of the ubiquity of its Windows operating system.

But in the mobile landscape, the iPhone, iPod Touch and iPad tablet -- all of which run the same operating system -- are so fancy and expensive and used by so many elites that they have become an irresistible challenge to hackers, as well as the security experts fighting against them.

In the first quarter of this year, Apple's devices had about 28 percent of the smartphone market, according to a report by Nielson. That compares to Research In Motion BlackBerry's 35 percent share, Microsoft Windows Mobile's 19 percent share and Google Android's 9 percent share.

Charlie Miller, principal analyst for Baltimore-based computer security firm Independent Security Evaluators, said that when Apple's iPhone debuted in 2007, the security was "pretty awful." Since then Apple has made several upgrades that do not allow any non-approved applications to run on its devices, and the operating system is made up of what's known as "sandboxes" to keep those who break in locked in one area so they can control only some features.

But problems keep cropping up.

In March, security experts discovered a flaw in the Safari browser on the iPhone that allowed them to steal someone's messages. Even worse, last year Miller found that he could send coded text messages that would allow him to take over someone's iPhone entirely.

"The user did not have to go a Web site or even be paying attention. The device could be sitting in your purse, and I could take over. I could track your location, send text messages, dial your phone. I could turn on the microphone to listen to what you're doing," Miller said.

Miller and a friend found the problem in about a week, when they were fiddling around with it for fun, for a hacking contest. "Imagine if it was a bad guy and not a good guy like me," he said.

Goatse Security, a white-hat hacker group, revealed the flaw in the AT&T Web site.

The security experts guessed the sim card identification number, the ICC-ID, of iPad users, which they discovered are generally sequential, and input them into the unsecured AT&T site which told them which e-mail address was registered for that device.

Daniel Kennedy, a partner at Praetorian Security Group in New York City, said he thinks the top problem with the breach is that if hackers got access to someone's e-mail address and if they could find out the names of the person's wife, husband or other trusted associates, they could send malicious e-mails supposedly from that person, almost guaranteeing that they will open them. "It's similar to how the Chinese attackers supposedly got into Google," Kennedy said.

Escher Auernheimer, a 24-year-old high school dropout from Los Angeles who is part of the nine-member Goatse group, said they destroyed the data after they finished studying the flaw and never used the information access for any illicit purpose. He said neither he nor any others involved has been contacted by the FBI.

"This disclosure needed to be made. iPad 3G users had the right to know that their e-mail addresses were potentially public knowledge so they could take steps to mitigate the issue," the group wrote in a blog post Friday.

But, Auernheimer pointed out, the iPad 3G has been on sale since late April and it's possible that someone else swiped the data before the problem was fixed. "No one is putting a lot of thought into mobile security," Auernheimer said in a phone interview. "I think they need to start to."

View all comments that have been posted about this article.

© 2010 The Washington Post Company