Gawker has called an information disclosure on AT&T servers “Apple’s Worst Security Breach”

Goatse Security obtained its data through a script on AT&T’s website, accessible to anyone on the internet. When provided with an ICC-ID as part of an HTTP request, the script would return the associated email address, in what was apparently intended to be an AJAX-style response within a Web application. The security researchers were able to guess a large swath of ICC IDs by looking at known iPad 3G ICC IDs, some of which are shown in pictures posted by gadget enthusiasts to Flickr and other internet sites, and which can also be obtained through friendly associates who own iPads and are willing to share their information, available within the iPad “Settings” application.

Note that the attack used predictability of cellular hardware IDs to generate a list. It then leveraged an insecure AT&T application that registered the IDs (e.g. it did not flag or block a high rate of requests).

The issue is thus really isolated to AT&T’s servers. It involves an Apple product, but seems premature to call it Apple’s worst breach.

Also, while email addresses are important and some may resist change they are not regulated data and not considered personal identity information.

I would say the most significant risk is for these email addresses is that they can be used for spear-phishing/impersonation attacks. A good example of what I mean is the attack on the law firm in the Green Dam suit with China.

Gipson Hoffman & Pancione, a Los Angeles law firm, says employees began receiving well-crafted e-mail messages that appeared to come from other company staffers. The messages tried to get the victims to either open a malicious attachment or visit a Web site that hosted attack code. “It came from e-mail addresses that people would recognize as internal to the firm, and the attempt was to make it seem like everyday stuff,” said Elliot Gipson, an attorney with the company.

Thus, extra precaution should now be taken when email is received from someone you know who purchased an iPad…but that was already good advice. :)

Here is a short list of lessons I see in this story:

1. Device IDs with low entropy makes them a weak choice for authentication
2. Registration sites/software should detect and alarm on brute force attacks
3. Registration sites/software should have rate-limits to prevent guessing
4. There is a lot of hype around the attack, but even a breach of non-regulated non-sensitive identity information is damaging to reputation and trust
5. Relying on a single email address is a bad idea — maintaining multiple email addresses is a good idea. Diversify based on trust.

Updated (10 June 2010): The BBC has just posted a report with the above analysis on spear-phishing and called it “one concern raised by security experts”.