Thursday, June 10, 2010

AT&T got ipad emails hacked

The iPad was the target of a brute-force attack that harvested 114,000 e-mail addresses of iPad customers. High-level execs, military personnel, and politicians were among those affected.

Sure only the email addresses and the iPAD ICC-ID (unique iPAD identifier) got exposed, but if you think deeper in this, this could be very valuable information. 

Why?

This data in certain hands would show which CEO, CIO, CFO etc has an iPad, just by searching in the internet, or by buying user data through D&B (www.dnb.com). At D&B everybody can buy company data with email addresses. To compare the obtained addresses with a legal bought list is not a big deal.

Now we know who is using an iPad and how influence this person position is. With this information we can find out where this person work location is and try to get access to ipad, because we could assume some company critical information is stored on it. As soon we secured the ipad we could take the 3G card out ,switch wifi off (to make sure owner can’t delete the data remotely) and hack the ipad to get the data off.

Another scenario is (by knowing the email address and that they use an iPad) to send to the owners emails with a Trojan program which is optimized to read ipad data. Because the receiver list is limited and the target device is known, this program can be so good hidden that a firewall or virus program won’t detect it.

These are only 2 examples of many possible scenarios. The bottom line is, that it sounds not really a big deal to get iPAD ICC-ID plus email address hacked. But we should be aware that such information can be a small piece of a big puzzle. All puzzle pieces together build a nice picture.

I actually using for all my devices an email address which does not contain my name and is hosted at a free email account service I trust (and it is not gmail). This account does neither have my real name. Therefore my email address would be to a certain point pretty useless. The only way to find my real name would to find me through monitor where my ICC-ID is and ask people who I am.

But I guess I am not famous or important enough that anybody would care neither. But you never know.

No comments:

Post a Comment