What the AT&T Breach Means for iPad users (FAQ)
There is a lot of confusion surrounding
Some reports have left the impression the breach was due to a security flaw with the iPad, which is untrue. And the initial facts were slightly unclear.
But the ramifications are serious enough to prompt the FBI to announce on Thursday an investigation into the situation after learning that numerous U.S. government officials were among the many executives and luminaries that had their e-mail addresses exposed.
The blog site that broke the story, Gawker Media, confirmed that it has been contacted by the FBI and asked to preserve documents in the case (Gawker's Gizmodo is already in
Here is information to help people understand what happened and what the risks are.
What happened?
Hackers discovered a security vulnerability in an application on an AT&T Web site used by iPad customers. With some programming they were then able to trick the site into divulging e-mail addresses of other random iPad users.
What data was exposed?
E-mail addresses of about 114,000 iPad users were disclosed, and they were correlated to serial numbers for the SIM cards in the devices used by the e-mail account holders. No other data was compromised, according to AT&T. Names attached to the e-mail addresses included White House Chief of Staff Rahm Emanuel, journalist Diane Sawyer, New York Mayor Michael Bloomberg, movie producer Harvey Weinstein, and New York Times CEO Janet Robinson. Exposed e-mail addresses also belonged to officials at the FBI, departments of Defense and Justice, federal courts, NASA and executives from Google, Microsoft, Amazon, Goldman Sachs and JP Morgan, among many others.
What is the real threat?
People whose e-mail addresses were exposed were vulnerable to getting spammed with junk e-mail or phishing attempts designed to steal login and other sensitive information by masquerading as a legitimate site. So-called "spear phishing" e-mails are tailored to specific high-level officials or executives whose data is very attractive. The owners of the e-mail addresses also could be victimized by a targeted attack in which an attacker sends a customized e-mail with an attachment or a link in it that leads to malware specifically written for the iPad. Knowing both the e-mail address of an important person and the fact that that person owns an iPad increases the risk level, says Daniel Kennedy of Praetorian Security Group. For instance, attackers could send e-mails masquerading as coming from AT&T or Apple.
Am I still at risk?
It's unclear exactly who has had access to the uncensored customer data that was exposed and the tool created to gather it, but a representative from the group that discovered the flaw
If I have an iPad what should I do?
You might want to change your e-mail address that is associated with the iPad, although AT&T says that is not necessary. Be wary of any unsolicited e-mails and be careful when clicking on links in e-mails and opening attachments, even if they appear to come from someone familiar or trusted. You might also consider using an e-mail address when registering for certain products that is different from your regular e-mail address.
Can my iPad be targeted directly?
There are potential, highly unlikely attacks in which more sensitive mobile device identifiers could be inferred from the SIM serial ID and that information then be used to track the location of a specific device. However, the data that was exposed in this breach doesn't really provide any additional information or means by which such theoretical attacks could be accomplished, says Karsten Nohl, who showed
Read the rest of this article at CNET News.com.