Blame For iPad Email Breach Lies With AT&T

US mobile operator AT&T’s recent data leak – that exposed the email addresses of 114,000 iPad owners – is now being investigated by the FBI and has been described by some as “Apple’s worst security breach”. But the fault was unmistakably AT&T’s, not Apple’s, so what is all the fuss about?

According to chief security officer for Mimecast, James Blake, this is a classic example of security researchers using fear to manipulate the media for the sake of publicity.

“This isn’t a vulnerability in the iPad. It is, in fact, a badly designed and implemented website by AT&T, the US carrier for the iPad,” wrote Blake in a blog post. “This explains why the problem is limited to the US and has not been seen in any of the other territories that the iPad is available in. But a bug on a website doesn’t make as much of a good story as a vulnerability on a device selling in its millions across the globe – does it?”

Media over-reaction?

Earlier this month, a group called Goatse Security exploited a security hole on AT&T’s website, which allowed it to get hold of the email addresses of 114,000 owners of 3G iPads. According to Gawker.com, which first reported the breach, some of the addresses belonged to prominent executives and high-profile individuals such as New York City Mayor Michael Bloomberg. Others belonged to military personnel.

The FBI has since asked Gawker Media to preserve potential evidence related to the investigation. Meanwhile, AT&T has blamed the incident on “computer hackers” who it claims “maliciously exploited” an attempt by the operator to speed up the process of logging in to its website.

However, Goatse Security has denied any wrongdoing, claiming the disclosure needed to be made. “iPad 3G users had the right to know that their email addresses were potentially public knowledge so they could take steps to mitigate the issue (like changing their email address),” the group stated.

“What was exposed was Internet facing email addresses, no passwords, no phone numbers, no credit cards… Many of the addresses could probably have been easily guessed based on name or harvested using traditional directory or web-harvesting techniques,” wrote James Blake in his blog. “While an Internet email address could be considered a Personally Identifiable Information (PII) digital identifier, the sensitivity or impact level of this data on its own is very low. The use cases for someone who has harvested this data are quite limited.

“While it shouldn’t have been so easy to automate the collection of these emails, in the grand scheme of things this hardly represents a big risk, certainly not on the level of being suggested in some of the articles I’ve read. As security professionals we cannot cry wolf for our own notoriety’s sake or users will start to suffer from threat fatigue. The resulting diminished, or distracted, user awareness will hit us all in the long run,” he added.

Could damage enterprise uptake

Although the breach was primarily due to a hole in AT&T’s security and not an an iPad security breach, some industry commentators have suggested it could tarnish Apple’s reputation for privacy and even discourage enterprises from adopting the device. After all, Apple did select AT&T as the exclusive carrier for its iPad in the US, so a blunder by AT&T is bound to reflect badly on Apple.

Researchers at Citrix last month said that 84 percent of 494 customers surveyed said they would allow their employees to use their personal iPads for work. Eighty percent of respondents said they would buy an iPad for business use, with 87 percent of those surveyed claiming productivity tools as the primary use case. Moreover, 90 percent of respondents will use iPad for business email as well as presentations.

Citrix found in a follow-up survey on 10 June that 56 percent of 558 businesses polled would buy iPads for their employees to use. “The fact that IT can safely provide access to company apps, data and virtual desktops without managing the device will make the iPad a game changer for business beyond just the form factor and features,” said Chris Fleck, vice president of community and solutions development at Citrix.

Forrester Research analyst Ted Schadler, while labelling Citrix’s reports as highly biased, said businesses are very interested in iPads because they’ve already done the due diligence on the iPhone, and in many industries found it to work well for basic business applications like email and web apps.

“What’s interesting here is that the number of business applications on iPad is more diverse than I would have first expected,” Schadler told eWEEK. “With a Bluetooth keyboard and with the ability to deliver presentations, this becomes a decent executive presentation tool, as long as you have charts in Keynote format. Expect a rash of PowerPoint-to-Keynote conversation applications to come to an iMac near you any day now.”

Additional reporting by Clint Boulton