Anatomy of a Security Hack: iPads and AT&T

Back in June last year, hackers were able to extract the personal email addresses of about 114,000 individual users, along with the IDs used to authenticate them on AT&T’s 3G network for Apple iPad users. Here’s how the hack happened.

AT&T wanted to offer a convenient way of letting users log into their 3G data plan accounts, auto-populating each user’s email address on the dashboard by referencing the unique identifier (ICC-ID) of the user’s iPad. The iPad users used AT&T to access the Web. The hackers, realizing this, produced a script called the “iPad 3G Account Slurper” that utilized brute force techniques to auto-generate thousands of unique ICC-IDs, harvesting usernames, e-mail addresses, and billing addresses as the script went on.
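A detection sketch for the enumeration described above, added here and not part of the original article: it flags any client that looks up more than a few distinct ICC-IDs within a short window, which a single iPad checking its own account never does. The log format, the threshold, and every IP address and ICC-ID in the sample are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (assumed format): time, client IP, ICC-ID looked up, HTTP status.
# Lines are assumed to be in time order.
SAMPLE_LOG = """\
2000-01-01T10:00:00 198.51.100.7 89000000000000009999 200
2000-01-01T10:00:01 203.0.113.9 89000000000000000001 200
2000-01-01T10:00:02 203.0.113.9 89000000000000000002 404
2000-01-01T10:00:03 203.0.113.9 89000000000000000003 200
2000-01-01T10:00:04 203.0.113.9 89000000000000000004 404
2000-01-01T10:00:05 203.0.113.9 89000000000000000005 200
2000-01-01T10:00:30 198.51.100.7 89000000000000009999 200
2000-01-01T10:05:00 192.0.2.44 89000000000000007777 200
2000-01-01T10:09:00 192.0.2.44 89000000000000008888 200
"""

def parse(line):
    """Split one log line into (timestamp, client IP, ICC-ID, status)."""
    ts, ip, iccid, status = line.split()
    return datetime.fromisoformat(ts), ip, iccid, int(status)

def find_enumerators(lines, window=timedelta(seconds=60), max_distinct=3):
    """Return {client_ip: (peak distinct ICC-IDs in one window, misses in that window)}
    for every client that exceeded max_distinct."""
    recent = defaultdict(deque)   # client IP -> lookups still inside the window
    flagged = {}
    for line in lines:
        if not line.strip():
            continue
        ts, ip, iccid, status = parse(line)
        q = recent[ip]
        q.append((ts, iccid, status))
        while ts - q[0][0] > window:          # drop lookups older than the window
            q.popleft()
        distinct = len({i for _, i, _ in q})
        if distinct > max_distinct and distinct > flagged.get(ip, (0, 0))[0]:
            # Generated identifiers often do not exist, so misses are a second signal.
            misses = sum(1 for _, _, s in q if s == 404)
            flagged[ip] = (distinct, misses)
    return flagged

if __name__ == "__main__":
    for ip, (distinct, misses) in find_enumerators(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {distinct} distinct ICC-IDs in one window, {misses} not found")
```

The same per-client count can drive rate limiting at the endpoint rather than only an alert after the fact.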

AT&T iPad Login

In this situation AT&T was trying to create ease of use and convenience for its customers by reducing the number of keystrokes needed to log in. However, tech-savvy hackers recognized the schema used and, with malicious intent, took advantage.

AT&T has now fixed the problem by removing the email auto-populate feature. The issue service providers have to consider, as a result of this incident, is the trade-off between user convenience and security. We just have to look at the airport security measures that resulted from the terrorist attacks in the U.S. and realize that security must trump user convenience whenever possible. Folks may not like it initially, but they will appreciate the peace of mind.