Opinion: Don't Kill Messenger for iPad Breach
AT&T, it seems, would like us to kill the messenger, in this case Goatse Security, the group that broke the news of the massive security flaw in AT&T's iPad 3G Web application.
In a letter sent to its customers on Sunday, AT&T referred to the group in none-too-flattering terms, calling them "hackers" who "maliciously" "went to great efforts" to break into the Web application for the iPad and expose the ICC IDs and e-mail addresses of more than 100,000 iPad 3G customers.
That's not entirely true. Goatse Security may have a warped sense of humor, to judge by its name, but they're more Internet watchdogs than hackers. They didn't go "to great efforts" to break AT&T's system; all the e-mails they uncovered were publically available by entering a matching ICC-ID, no password required. Goatse says it took just one hour to discover the massive flaw in AT&T's Web application, a claim backed up by mobile security experts who told Wireless Week the security breach wasn't particularly sophisticated and could have been easily discovered by basic testing of AT&T's application.
As for as whether Goatse Security is malicious or not, attention-seeking is probably a better term. Goatse says it made sure third parties notified AT&T of the security problem, waited for AT&T to fix its system and gave them time to notify customers before leaking the information to Gawker.com.
AT&T says it wasn't notified by Goatse directly and fixed the problem "within hours," according to a letter from the company's privacy chief, Dorothy Attwood, though their initial statement on the matter suggested it took them a full day to fix the security flaw.
As you'll recall, the information Goatse Security found did not require a password and was available to anyone on the Internet. The list of e-mails disclosed by Gawker.com was heavily redacted, and the only thing Goatse is getting is a lot of publicity and a lot of criticism. Goatse could have sold the e-mail list to the criminal underground and left it at that, but instead they chose to make sure the general public was notified, a move which has admittedly garnered them a lot of attention.
AT&T would have us believe this was a rogue incident caused by malicious hackers. In reality, it was an easily revealed flaw in a Web application that wasn't properly secured. This is troublesome and worrying, at best.
Chenxi Wang, a security and risk management analyst at Forrester Research, told me last week that the security flaw in AT&T's system was so basic it indicated a "cavalier" attitude toward security at the carrier, and I agree. We should be pointing fingers at AT&T's lackadaisical approach to security instead of blaming the problem on Goatse Security.
It took AT&T six days to notify its customers of the breach. Six days. As Goatse Security correctly points out, it only takes one day for a criminal organization to exploit the information. AT&T could have notified its customers of the breach the day it solved the problem: Tuesday, June 8. Instead, they waited until Sunday, June 13. If Goatse Security hadn't gone public with the information, would anyone have been notified? I suspect not.
Goatse could have done things differently. It could have notified AT&T directly, instead of having the information conveyed through third parties. It could have waited for AT&T to disclose the information, instead of going to the media with it itself. But that isn't the real issue. The real issue is that AT&T failed to secure a basic part of a Web application. It's AT&T's fault, not Goatse Security's, and it's time we started pointing fingers in the right direction.