AT&T’s iPad Leak Incident Lesson Learned Presented by: IT Realists December 2010

Easy security presentation 1

Page 1: Easy security presentation 1

AT&T’s iPad Leak Incident

Lesson Learned

Presented by: IT Realists December 2010

Page 2: Easy security presentation 1

The security incident

A security breach has exposed iPad owners including dozens of CEOs, military officials, and top politicians. The specific information exposed in the breach included subscribers' email addresses, coupled with an associated ID used to authenticate the subscriber on AT&T's network, known as the ICC-ID.

Page 3: Easy security presentation 1

Impacts of the incident

Customers' email addresses were exposed. This could have led to other personal information being intercepted, or the email addresses could have been spammed. It also showed a weak link in the security of both AT&T and Apple, which in turn could lead to the loss of existing customers and of potential future customers.

Page 4: Easy security presentation 1

Major findings during investigation

The security hole grew out of an effort by the carrier to make it easier for customers to renew their subscription. Customers gave AT&T their email addresses when they signed up for cellular service. The carrier then pre-entered those email addresses in a field on its website as a convenience, so customers wouldn't have to retype them when they renewed.

Goatse used the ICC-ID (integrated circuit card identifier) to get the email address of the iPad user. The ICC-ID identifies the SIM card of a device. Goatse then used pictures uploaded from the device to obtain this number. Because the ICC-ID was poorly encrypted on its way from the device to the Internet, Goatse could easily identify the user's ICC-ID.

Page 5: Easy security presentation 1

Major findings during investigation (cont.)

AT&T left a script on their public website which, when handed an ICC-ID, would respond with the email address of the subscriber.

Even though AT&T is protected by firewalls and uses intrusion detection software and equipment to identify unauthorized attempts to access the network, these features had no relevance to the iPad breach.

Page 6: Easy security presentation 1

Major findings during investigation (cont.)

AT&T closed the security hole as soon as they learned of the incident. The problem was that victims of the incident were not aware of it until days later.

AT&T didn't handle the incident very well with the public. The apology letter seemed more focused on blaming the hackers than on apologizing to its customers and reassuring them that their personal information and data were secure.

Page 7: Easy security presentation 1

Immediate actions required

A vulnerability scan should be run immediately on all AT&T dynamic pages.

We recommend purchasing the vulnerability scanning services of Sword & Shield Enterprise Security for the following reason:

There are many commercially available vulnerability scanning tools that one can purchase that will give some indication of the vulnerabilities found. They may produce false positives and may not find all vulnerabilities. Sword & Shield runs multiple tools, eliminates false positives, and creates a penetration test plan: they think like a hacker and, using knowledge of the vulnerabilities found, attempt to penetrate the network to find valuable information. All of this work is manual and cannot be done effectively with automated tools.

Estimated cost: $4,000+

Page 8: Easy security presentation 1

Recommendations

Telecommunications

According to FCC regulation, telephone companies may use, disclose, or permit access to your customer information only in the following circumstances: 1) as required by law; 2) with your approval; or 3) in providing the service from which the customer information was obtained.

It is understandable that AT&T wanted to make it easier for iPad users to renew their subscription. But that doesn't mean customer information can be compromised. AT&T should strictly follow the FCC regulation and provide the necessary protection for customer information.

Page 9: Easy security presentation 1

Recommendations (cont.)

Procedures

Audit Recommended Changes

AT&T needs a process in place to continually track the information that is listed on their website. If there had been a policy and/or procedure in place, AT&T could have detected that any user was able to obtain important user information through a script.

Physical Recommended Changes

We would also suggest that AT&T hire a person who continually goes through AT&T's website to check for any information that would harm both AT&T and its users. For the main part, we believe AT&T needs some type of strong monitoring system to ensure outside users are not able to access any information that could jeopardize AT&T and/or its users.
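The monitoring the slide calls for can be partly automated. The detector below, an added example and not part of the presentation or of any AT&T system, reads web-server access logs and flags a client that walks through consecutive ICC-IDs on the lookup page. The endpoint path `/renew`, the parameter name `iccid`, the IP addresses and the log lines are all constructed; the ICC-ID values are made up and their trailing check digits are arbitrary. The detector compares the ICC-ID body with the last digit dropped, because an ICC-ID ends in a Luhn check digit and two consecutive SIM numbers therefore do not differ by exactly one.

```python
"""Flag clients that enumerate consecutive ICC-IDs against a lookup endpoint.

Added example (not the presentation's or AT&T's code). Log format, endpoint
path, parameter name and all values below are constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed access-log sample in common log format. 203.0.113.5 walks five
# consecutive ICC-IDs; 198.51.100.7 looks up the same ICC-ID twice.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2010:13:01:02 +0000] "GET /renew?iccid=89014104211001000017 HTTP/1.1" 200 512
203.0.113.5 - - [10/Jun/2010:13:01:03 +0000] "GET /renew?iccid=89014104211001000025 HTTP/1.1" 200 512
203.0.113.5 - - [10/Jun/2010:13:01:03 +0000] "GET /renew?iccid=89014104211001000033 HTTP/1.1" 200 512
203.0.113.5 - - [10/Jun/2010:13:01:04 +0000] "GET /renew?iccid=89014104211001000041 HTTP/1.1" 200 512
203.0.113.5 - - [10/Jun/2010:13:01:04 +0000] "GET /renew?iccid=89014104211001000058 HTTP/1.1" 200 512
198.51.100.7 - - [10/Jun/2010:13:05:11 +0000] "GET /renew?iccid=89014104211001042420 HTTP/1.1" 200 512
198.51.100.7 - - [10/Jun/2010:13:07:40 +0000] "GET /renew?iccid=89014104211001042420 HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"GET /renew\?iccid=(?P<iccid>\d+) HTTP/1\.[01]" (?P<status>\d{3})'
)


def iccid_body(iccid):
    """Numeric value of the ICC-ID without its final Luhn check digit."""
    return int(iccid[:-1])


def parse_lookups(log_text):
    """Map each client IP to the ICC-ID bodies it looked up successfully, in log order."""
    lookups = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("status") == "200":
            lookups[m.group("ip")].append(iccid_body(m.group("iccid")))
    return lookups


def longest_sequential_run(values):
    """Length of the longest run where each value is the previous value plus one."""
    if not values:
        return 0
    best = run = 1
    for prev, cur in zip(values, values[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def flag_enumerators(log_text, min_distinct=3, min_run=3):
    """Return client IPs that queried several distinct ICC-IDs in a consecutive run.

    A legitimate subscriber renewing a plan touches one ICC-ID (their own);
    a client sweeping consecutive identifiers is harvesting other people's records.
    """
    flagged = []
    for ip, bodies in parse_lookups(log_text).items():
        if len(set(bodies)) >= min_distinct and longest_sequential_run(bodies) >= min_run:
            flagged.append(ip)
    return flagged


if __name__ == "__main__":
    for ip in flag_enumerators(SAMPLE_LOG):
        print("possible ICC-ID enumeration from", ip)
```

The thresholds are deliberately low for the tiny sample; on real traffic they would be tuned per time window, and the same rule could key on session or user agent as well as IP. The point the slide makes still holds: the alert only confirms abuse after the fact, so it complements, and does not replace, the access-control fix.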

Page 10: Easy security presentation 1

Recommendations (cont.)

Software

One possible way to increase information privacy is to change the use of the email address. Instead of linking the email address to the ICC-ID, a customer can create a username to replace the email address.

Furthermore, the username and a password will be used to log in. So when a customer uses their device to log in, the username will appear instead of an email address.

Create an application to encrypt the ICC-ID numbers. This will protect the ICC-ID from hackers when anything is uploaded to the Internet.

Page 11: Easy security presentation 1

Recommendations (cont.)

Hardware

Since AT&T has not gone into detail about what exactly they use as network intrusion detection or network hardware/software monitoring tools, we note that there are products available that could have supported this purpose and protection.

We recommend that AT&T adopt Fortinet's Web Application Security Solution. The FortiWeb solution drastically reduces the time required to protect regulated, confidential, or proprietary internet-facing data.

Page 12: Easy security presentation 1

Recommendations (cont.)

People

We recommend sending the staff to the InfoSec Institute for Intrusion Prevention training. This recommendation is based on our observation of how the IT team performed before and after this incident:

1. The IT manager and IT team should have had this authentication page fully tested and prepped before it went into a live production environment.

2. The IT team that set up the function and authentication page should be able to shut the function down more quickly.

Page 13: Easy security presentation 1

Conclusion

Applications frequently use the actual name or key of an object when generating web pages. Applications don't always verify that the user is authorized for the target object. This results in an insecure direct object reference flaw. Testers can easily manipulate parameter values to detect such flaws, and code analysis quickly shows whether authorization is properly verified.

Such flaws can compromise all the data that can be referenced by the parameter. Unless the namespace is sparse, it's easy for an attacker to access all available data of that type.
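To make the conclusion concrete, here is the lookup pattern the findings describe (slide 5: a script that takes an ICC-ID and returns the subscriber's email) beside a hardened version. This is an added example, not the presentation's or AT&T's code; the subscriber table, the session store, the function names and the addresses are all constructed assumptions. The vulnerable function trusts whatever ICC-ID the request carries. The hardened one never uses a client-supplied identifier to pick the record: it resolves the subscriber from an authenticated session token, so the ICC-ID parameter (and any enumeration of it) has nothing to act on, and the address is masked before being echoed into the renewal page.

```python
"""Insecure direct object reference: the lookup behind the leak, and a fixed version.

Added example (not the presentation's or AT&T's code). The subscriber records,
session store and function names are constructed assumptions.
"""
import secrets

# Constructed subscriber records keyed by ICC-ID (the SIM card identifier).
SUBSCRIBERS = {
    "89014104211001000017": {"email": "alice@example.com"},
    "89014104211001000025": {"email": "bob@example.com"},
}


class NotAuthorized(Exception):
    """Raised when a request carries no valid authenticated session."""


def lookup_email_vulnerable(iccid):
    """The flawed pattern: any caller who supplies an ICC-ID gets the matching email.

    Nothing checks that the caller *is* that subscriber, so the ICC-ID acts as
    the only credential and every record in the table is reachable by guessing.
    """
    record = SUBSCRIBERS.get(iccid)
    return record["email"] if record else None


# --- hardened version ---------------------------------------------------
# Session tokens are issued only after the subscriber has authenticated;
# the authentication step itself is assumed and out of scope here.
SESSIONS = {}


def create_session(iccid):
    """Issue an opaque, random session token bound to exactly one subscriber."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = iccid
    return token


def lookup_email_hardened(session_token):
    """Return the email of the subscriber who owns the session, and nobody else's.

    The object is chosen from the server-side session, not from a request
    parameter, so there is no client-controlled reference to manipulate.
    """
    owner_iccid = SESSIONS.get(session_token)
    if owner_iccid is None:
        raise NotAuthorized("no authenticated session for this request")
    return SUBSCRIBERS[owner_iccid]["email"]


def mask_email(email):
    """Mask an address for display, e.g. alice@example.com -> a***@example.com.

    Pre-filling a masked value keeps the convenience the carrier wanted while
    never placing the full address in a page that a third party might retrieve.
    """
    local, _, domain = email.partition("@")
    return local[:1] + "***@" + domain


def renewal_prefill(session_token):
    """What the renewal page should embed: the masked address of the session owner."""
    return mask_email(lookup_email_hardened(session_token))


if __name__ == "__main__":
    # Vulnerable: any ICC-ID, no session, full address returned.
    print(lookup_email_vulnerable("89014104211001000025"))
    # Hardened: only the session owner's (masked) address is ever returned.
    token = create_session("89014104211001000017")
    print(renewal_prefill(token))
```

The fix matches the slide's own closing point: once access control is enforced server-side, the identifier's guessability stops mattering, and masking and logging become defence in depth rather than the only barrier.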

Page 14: Easy security presentation 1

Conclusion (cont.)

Bad decisions made by AT&T: information leakage, trusting sequential numbers, relying on security through obscurity, and not respecting the boundary between internal and external data.

This risk is a good example of where security needs to be applied in layers, as opposed to a single panacea attempting to close the threat door in one go. Having said that, the core issue is undoubtedly access control, because once that is done properly the other defenses are largely redundant.

Page 15: Easy security presentation 1

We believe that incidents like the iPad leak won't happen again if AT&T takes our recommendations seriously!