U.S. Decides Hacking iPad Data Wasn't Altruistic
The federal government has charged two people with obtaining confidential information about 120,000 iPad owners from AT&T's network. The security breach last June reportedly included personal e-mail addresses and other information from such notables as ABC's Diane Sawyer, New York City Mayor Michael Bloomberg, and then-White House Chief of Staff Rahm Emanuel, as well as staff members in both houses of Congress, the Justice Department, NASA and Homeland Security.
The accused hackers are Daniel Spitler and Andrew Auernheimer, who have been charged by the U.S. attorney's office in Newark, N.J., with one count of fraud and one count of conspiracy to access a computer without authorization. The government said both were associated with a security hacker group called Goatse Security, which has claimed it was exposing a security weakness in AT&T's web site.
AT&T: Hack Was 'Malicious'
The defendants reportedly provided some of the purloined data to the Gawker web site. According to Gawker, the information included subscriber e-mail addresses and authenticating IDs that identify the SIM card used with a given mobile device.
In a posting shortly after the attack, Goatse Security said "all iPads are vulnerable" because of a weakness in Apple's Safari browser. According to Goatse, a user could click a malicious link and the vulnerability could allow unauthorized access to the iPad.
The group said at the time that Safari doesn't block high-numbered, illegitimate ports (communication channels). It said this, in combination with the browser's ability to automatically fulfill software requests, could spell trouble.
Dorothy Attwood, AT&T senior vice president and chief privacy officer, has described the Goatse hack as "malicious." She added that the breach "exploited a function designed to make your iPad log-in process faster." AT&T has since said it has turned off the feature on its web site that made the security breach possible.
'No Breach, Intrusion or Penetration'
Some observers have said AT&T shouldn't be storing confidential information on a publicly accessible web site. Although AT&T accused Goatse of irresponsibly disclosing the vulnerability, the security site has said it disclosed the threat only after the hole was closed and no longer a threat. It added that it retrieved all the confidential information from AT&T's public web server without a password and that "there was no breach, intrusion or penetration."
AT&T asserted that the breach was a major effort; Goatse countered that it took only an hour. It said that neither AT&T nor Apple took security seriously at the time.
Goatse said that "this disclosure needed to be made," arguing that "iPad 3G users had the right to know that their e-mail addresses were potentially public knowledge so they could take steps to mitigate the issue," such as changing their address.