Bloomberg: iPad E-Mail Breach No Big Deal
NEW YORK (CBS) ― Mayor Michael Bloomberg’s e-mail address was exposed because of a security vulnerability with his new iPad, but the billionaire media mogul shrugged it off Thursday and said he didn’t understand the fuss.
“It shouldn’t be pretty hard to figure out my e-mail address,” Bloomberg said, “and if you send me an e-mail and I don’t want to read it, I don’t open it. To me it wasn’t that big of a deal.”
AT&T Inc. said Wednesday that a security weak spot exposed the e-mail addresses — but nothing else — of more than 100,000 iPad users. Only users who signed up for AT&T’s “3G” wireless Internet service were affected.
The problem had to do with the way AT&T’s website prompted iPad users to log onto their AT&T accounts.
A group of hackers called Goatse Security exploited a hole in an AT&T Web site to get e-mail addresses of about 114,000 iPad users, including what appears to be top officials in government, finance, media, technology, and military.
The leak could have affected all iPad 3G subscribers in the U.S., according to Gawker, which broke the story on Wednesday. Among the iPad users who appeared to have been affected were White House Chief of Staff Rahm Emanuel, Diane Sawyer, movie producer Harvey Weinstein, and New York Times CEO Janet Robinson, in addition to Bloomberg.
Bloomberg, who founded the financial information company Bloomberg LP and has an estimated $18 billion fortune, said such glitches are part of modern life.
“We live in a world where information is available all over the place, and there’s going to be security breaches every day all over the world,” he said. “That’s what happens when you have information.”
In recent weeks, the mayor has often touted the Apple Inc. tablet as a helpful tool for managing a city of 8.4 million people.
AT&T said Wednesday it would notify all iPad users whose e-mail addresses may have been exposed.
“We take customer privacy very seriously and while we have fixed this problem, we apologize to our customers who were impacted,” the company said in a statement.
Meanwhile, the type of weakness discovered in the AT&T site is fairly common, they said.
“It is an authentication error to not require user authentication before returning private data,” said Chris Wysopal, chief technology officer at Veracode. “This is the type of vulnerability that would be found with a very basic Web application assessment. Apple should require its service providers to show proof of an assessment of its Web apps if sensitive Apple customer is stored there.”
Neither e-mail addresses nor SIM serial numbers are considered to be sensitive information, experts said.
“Doesn’t seem like a huge deal to me,” said Charlie Miller of Independent Security Evaluators. “It’s not like peoples’ Social Security or credit card numbers were compromised.”
But try telling that to Rahm Emanuel or any of the officials in the Defense Department, federal court system, or Goldman Sachs whose e-mail addresses could be targeted for phishing and other attacks.
“Now everyone in the world knows these people have iPads, and here’s their serial number and here’s their e-mail address,” said Bill Pennington, chief strategy officer at White Hat Security. “This puts them in a more vulnerable state.”
There is also the possibility that a SIM serial number could be used to get other customer information through this or other vulnerabilities on the AT&T site, he said. And there’s a chance that it’s not just iPad users who were at risk. “I believe this number could identify any 3G device on the AT&T network,” not just iPads, Pennington said.
“Obviously, AT&T is using the ICC-ID as some sort of authentication mechanism,” said Kevin Mahaffey, chief technology officer at mobile security firm Lookout. “The question is in the back-end are there other systems that are using the number as an identifier for other things?” There is a trend to use identifiers associated with devices as a way to trigger billing or interact with the account. There is some trust associated with these numbers.”
According to Gawker, Goatse Security shared the exploit it wrote for the AT&T site with others. But Pennington said it seemed like the hackers were more interested in shaming AT&T over lax security than making money off the situation.
“I don’t think the data would have a lot of value in the underground,” Pennington said. “I think their primary motivation is shame and guilt.”
CNET’s Erica Ogg contributed to this report
(© 2010 CBS Broadcasting Inc. All Rights Reserved. This material may not be published, broadcast, rewritten, or redistributed. The Associated Press contributed to this report.)