Update: AT&T Collapses On iPhone4 Debut
I was even more annoyed Sunday when I read AT&T’s “explanation” to customers, where it not only disavowed responsibility for the exploit, reported Wednesday, but said that the really bad guys were the people who identified their security hole. Here’s what AT&T wrote (emphasis added):
… unauthorized computer “hackers” maliciously exploited a function designed to make your iPad log-in process faster … deliberately went to great efforts … Now, the authentication page log-in screen requires the user to enter both their email address and their password.
A malicious exploit would not have been reported. It would have just been used.
A malicious exploiter wouldn’t advise companies of security issues. They’d simply use them.
Class action suit against AT&T, anyone? I can’t imagine the stockholders or board of directors demanding that the company get its act together. Hit ’em where it hurts: the pocketbook. It’s the only thing they care about.
Someone at Goatse Security (the team that IDed the security issue) discovered that if you gave the AT&T website an iPad serial number, AT&T would give you the email address associated with that iPad. Goatse explained:
All data was gathered from a public webserver with no password, accessible by anyone on the Internet. There was no breach, intrusion, or penetration, by any means of the word.
The fact that AT&T wants the feds to investigate (“to the fullest extent of the law”) is, in my opinion, a misplaced use of resources. If it weren’t for teams like these, who would be keeping an eye out for the rank-and-file consumer? Certainly not AT&T and its ilk. And certainly not the feds.
In response to the AT&T attack, Goatse wrote:
AT&T had plenty of time to inform the public before our disclosure. It was not done. Post-patch, disclosure should be immediate – within the hour. Days afterward is not acceptable. It is theoretically possible that in the span of a day (particularly after a hole was closed) that a criminal organization might decide to use an old dataset to exploit users before the users could be enlightened about the vulnerability.
I’ll tell you this, the finder of the AT&T email leak spent just over a single hour of labor total (not counting the time the script ran with no human intervention) to scrape the 114,000 emails. If you see this as “great efforts”, so be it.
When we disclosed this, we did it as a service to our nation. We love America and the idea of the Russians or Chinese being able to subvert American infrastructure is a nightmare. We understand that good deeds many times go punished, and AT&T is trying to crucify us over this. The fact remains that there was not a hint of maliciousness in our disclosure. We disclosed only to a single journalist and destroyed the data afterward. We did the right thing, and I will stand by the actions of my team and protect the finder of this bug no matter what the cost.
It turns out that there is Apple culpability, however, in a Safari security flaw that Apple hasn’t fixed for the iPad. It’s not specifically related to this brouhaha but it is a potential infrastructure exploit that should have been fixed long before now. Goatse notified Apple of the problem back in March.
Why Email As Login?
AT&T said that Goatse exploited something designed to make logins faster. A question for you, AT&T: why do people have to use an email address that is linked to their iPad as a login ID?
Why can’t they create their own username?
Better yet, why can’t they choose a possibly more secure authentication scheme, such as OpenID? (I say “possibly more secure” because my banks will not allow me to use special characters in my passwords, unlike PayPal or WordPress.com, where I have an OpenID account.)
But Is There An Alternative?
Apple, you can’t afford to have your brand (disclaimer: I own stock) muddied by a clueless corporate giant like AT&T. Let’s face it: AT&T is the mobile phone company that we love to hate. I wish there were an alternative: however, my guess is that Verizon would do no better at identifying or preventing security issues.
I don’t know what it will take to shake up the American telco wireless industry. The sector is too sheltered from competition (oligopolistic structure with duopolies in some markets); the regulators are too enamored with flawed “free market” thinking, thinking that doesn’t work when the market doesn’t have “free market” structural characteristics; and consumers are left with high-cost service, relative to Japan and Europe.
One step in the right direction: force competition, like in Europe.
- Free customers from phone-or-device/service lock-in.
- Require that monthly service fees for phones that are not subsidized by a carrier be less than the fees for phones that are subsidized by the carrier.
- Require that early termination fees on subsidized phones be prorated based on the remaining time left on contract.
- Require that companies sell data plans a la carte for all data devices (see Virgin America for USB modems and the iPad for handhelds).
- Prohibit discriminatory data pricing based on device. (iPhone data plans are more expensive than data plans for other smart phones on AT&T’s network.)
- Require carriers to share networks, to reduce infrastructure surplus.
Do these things and prices will come down and service should get better. Eventually.
Are you listening, Congress? Are you listening, Obama?
P.S. To those who think Goatse is the bad guy, read the last two graphs of this WSJ article (no registration firewall).