AT&T’s failure to protect iPad e-mail addresses spotlights the kind of security issues facing enterprise smartphone deployments, according to a company that specializes in software security.
Enterprise security staff should take away four lessons from the AT&T affair, says Dan Cornell, CTO and co-founder of Denim Group, which works with companies to secure software, including a growing number of smartphone applications. He offered his comments in a blog post on the company’s Web site.
The AT&T breach was initially exposed by Gawker.com, drawing on information from a hacking group calling itself Goatse Security. The hackers learned that they could present an HTTP request to AT&T’s public Website, with an iPad User-Agent header and a valid Integrated Circuit Card Identifier (ICC-ID), which uniquely identifies a SIM card. In response, the Web site returned information about an Apple iPad 3G user, specifically, the e-mail address submitted by that user when activating the iPad according to Apple’s requirements.
This breach was limited to iPad 3G users (though these included a high-profile group drawn from entertainment, high tech, government and the military) and apparently only the e-mail address was returned. The danger seems to have been limited to the possibility of being spammed, or possibly subjected to phishing attacks.
According to the original Gawker story, the Goatse Security hackers “notified AT&T.” The carrier, in a brief written statement on which a spokesman declined to expand, flatly denied this. “The person or group who discovered this gap did not contact AT&T,” the statement read. Instead, “AT&T was informed by a business customer on Monday [June 7] of the potential exposure of their iPad ICC IDs. The only information that can be derived from the ICC IDs is the e-mail address attached to that device.” The carrier “essentially turned off the feature that provided the e-mail addresses” and that was done by Tuesday.
According to Cornell, there are four lessons to be learned from this, in creating secure smartphone applications.
First, effective authentication and authorization are crucial if you’re exposing to users any server resource that deals with sensitive data. Users have to be authenticated as being who they claim to be, and then authorized to access the data being requested.
“We have seen most folks we work with get pretty good about this for Web pages and OK about it for AJAX/RIA [Rich Internet Applications] endpoints, but they are still missing the mark with server endpoints devoted to smartphone applications,” he writes. “Protect your endpoints! If bad guys need credentials before they can attack you then you’ve certainly raised the bar. And if they don’t need to authenticate they are going to run all over you.”
Second, make sure you authenticate requests with values that are truly random. AT&T’s lapse was due in part, according to the hackers, to the fact that ICC-IDs were easily guessable. Beware of relying on values that “look random but aren’t,” Cornell says. “We used to see this a lot with Social Security Numbers (SSNs) and we still see a lot of authentication schemes that rely on semi-public information or reasonably guessable values,” he writes.
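The two lessons above in code, as an added example that is not from the article, AT&T or Denim Group: a handler shaped like the flawed lookup (User-Agent plus ICC-ID, nothing else) beside a hardened one that authenticates the caller, authorizes them for the one record they own, and uses a CSPRNG session token rather than a guessable identifier. The function names, sample ICC-IDs and e-mail addresses are all constructed.

```python
import secrets

# Constructed sample activation records (ICC-ID -> e-mail); not real data.
ACTIVATIONS = {
    "89014104212345678901": "alice@example.com",
    "89014104212345678902": "bob@example.com",
}

def vulnerable_lookup(headers: dict, icc_id: str):
    """Shape of the flaw in the article: an iPad User-Agent plus an ICC-ID is
    all the endpoint checks. Nobody is authenticated, and ICC-IDs are
    assigned sequentially, so the only 'secret' is guessable."""
    if "iPad" not in headers.get("User-Agent", ""):
        return None
    return ACTIVATIONS.get(icc_id)

# Hardened design. A session token is handed out only after a real login
# (hypothetical, not shown here) and is drawn from a CSPRNG, so unlike a
# sequential ICC-ID it cannot be walked.
SESSIONS: dict = {}  # token -> ICC-ID whose owner proved their identity

def issue_session(icc_id: str) -> str:
    token = secrets.token_urlsafe(32)  # 256 random bits from os.urandom
    SESSIONS[token] = icc_id
    return token

def hardened_lookup(headers: dict, icc_id: str):
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None  # lesson 1, part one: authenticate
    owner = SESSIONS.get(auth[len("Bearer "):])
    # lesson 1, part two: authorize; a caller may read only their own record
    if owner is None or not secrets.compare_digest(owner, icc_id):
        return None
    return ACTIVATIONS.get(icc_id)

def unauthenticated_leak_count(lookup) -> int:
    """Regression check for the control: how many records does the endpoint
    hand to a caller who only spoofs the User-Agent and supplies a known
    ICC-ID? Any acceptable implementation returns 0."""
    spoofed = {"User-Agent": "Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X)"}
    return sum(1 for icc in ACTIVATIONS if lookup(spoofed, icc) is not None)

if __name__ == "__main__":
    print("vulnerable leaks:", unauthenticated_leak_count(vulnerable_lookup))  # 2
    print("hardened leaks:", unauthenticated_leak_count(hardened_lookup))      # 0
```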
Kudos to Dan for staying at it with writing, speaking, posting content and being found. We issued this news release on Wednesday and John Cox from Network World picked up on the story and ran it.