Goatse Security

Gaping Holes Exposed

A response to AT&T’s letter — We have an iPad exploit and all iPads are vulnerable.

So, AT&T calls us malicious in their letter to their customers. I think this calls for a statement to clear the air.

AT&T had plenty of time to inform the public before our disclosure. It was not done. Post-patch, disclosure should be immediate: within the hour. Days afterward is not acceptable. It is theoretically possible that in the span of a day (particularly after a hole was closed) a criminal organization might decide to use an old dataset to exploit users before the users could be enlightened about the vulnerability.

Even in this disclosure, which I feel they would not have made if we hadn’t publicized this vulnerability, AT&T is being dishonest about the potential for harm.

I had previously thought that only an attacker who could crack the secret Ki key could use the ICC-IDs in this breach (I believe, but am not certain, that David Hulton and Skyper could, based on information I have received about their presentation in Dubai, and if they have figured it out, who knows who else has). Later, two security researchers from iSec Partners revealed that an attacker of much lower sophistication could use the ICC-IDs to determine iPad owner location.

iSec is a well-established name in the security industry and is known for its absolute integrity. I had the good fortune of meeting iSec hacker Josha Bronson at a convention. His abilities were second to none. I have no reason to doubt iSec’s claims.

Beyond that, AT&T is not highlighting the potential for a skilled attacker to use a Safari exploit, or another iPad application exploit, together with this dataset to take over the iPad. A complete list of iPad 3G customers (which could have been generated from this vulnerability) would be the ideal bit of data for those in the RBN with zero-day Safari exploits to acquire.

I released a semantic integer overflow exploit for Safari through Goatse Security in March; it was patched in Apple’s desktop Safari but has yet to be patched on the iPad. This bug we crafted allows the viewer of a webpage to become a proxy (behind corporate and government firewalls!) for spamming, exploit payloads, password bruteforce attacks and other undesirables. The kicker is that this attack cannot be detected by any current IDS/IPS system. We released this in March, mind you, and Apple still hasn’t got around to patching this on the iPad! I know through personal experience that the patch time for an iPad vulnerability is over two months and counting. Given that, the number of parties which probably have active iPad exploits likely numbers in the hundreds, if not the thousands. The iPad simply is not a safe platform for those that require a secure environment.

Robert “RSnake” Hansen, one of the world’s foremost web application security researchers and the author of “Detecting Malice”, talked a little about our March release on his blog.

The potential for this sort of attack and the number of iPad users on the list we saw who were stewards of major public and commercial infrastructure necessitated our public disclosure. People in critical positions have a right to completely understand the scope of vulnerability immediately. Not days or weeks or months after potential intrusion.

In addition, AT&T says the person responsible for this went “to great efforts”. I’ll tell you this: the finder of the AT&T email leak spent just over a single hour of labor total (not counting the time the script ran with no human intervention) to scrape the 114,000 emails. If you see this as “great efforts”, so be it. I know that the RBN has literally thousands of people working full-time to exploit software vulnerabilities. At any given moment, whatever efforts we researchers are making are dwarfed by those in the thrall of evil. So get real. You fucked up, we helped you figure that out and informed the public. You should thank us, but you can keep on shit-talking if you want. We know what we did was right.

When we disclosed this, we did it as a service to our nation. We love America and the idea of the Russians or Chinese being able to subvert American infrastructure is a nightmare. We understand that good deeds many times go punished, and AT&T is trying to crucify us over this. The fact remains that there was not a hint of maliciousness in our disclosure. We disclosed only to a single journalist and destroyed the data afterward. We did the right thing, and I will stand by the actions of my team and protect the finder of this bug no matter what the cost.

-Escher Auernheimer

81 Responses

Because they’re the heroes America deserves, but not the ones it needs right now. So they’ll hunt them, because they can take it, because they’re not our heroes. They’re silent guardians… Watchful protectors… Goatse-men.

    • Amazingly well placed quote, I couldn’t possibly agree more. On a side note, I really do believe someone should set up an anonymous site where hackers could release exploits like these to pressure companies into acting like sane humans, and not like idiots who want their customer’s data stolen. (WikiLeaks perhaps?)

  • [...] for their own publicity.Goatse, which initially gave its findings to Gawker, wasn’t pleased. In a blog post, Goatse said:AT&T mailing so much of their subscriber base exposes a potential I have been suspicious of. [...]

  • AT&T’s shitty servicing and high pricing should be more than enough proof that they hate America and the values of freedom, free market, and service to God it stands for.

    • Fuck AT&T, it’s Ifruit that is unamerican. They need to quit building such pieces of shit that no one should use. The ipad is a frikking joke, the iphone is an overhyped toy and anything else they make is so closed off and proprietary that it is like you don’t even own your own device. That is the essence of unamerican. The worst part of it all is that they act like their overpriced, overhyped made in china crap blocks are the answer to life’s problems. An iphone cannot save someone’s life or bring them back from the dead and having 50000 fart-noise making apps doesn’t make it worth having. Every app in the store can’t really be used for anything useful and the software is built to satisfy people who know nothing about using computers. Burn apple, and I hope Steve Jobs goes straight to hell.

  • [...] astounds me to see all of the fingers being pointed at Goatse Security this morning. Several prominent blogs are backtracking today in light of the FBI investigation. [...]

  • [...] security breach revealed last week, though the group responsible for identifying the exploit has denied any “malicious” wrongdoing.  According to the carrier’s letter, which went out to 3G-capable iPad owners via email late [...]

  • [...] and their activities "malicious" in the apology email to customers. The group wrote on its blog on Monday morning, saying AT&T "is being dishonest about the potential for harm" from [...]

  • this is the new world order of corporations. All internal/external security and engineers are possible threats to be dealt with via the attorneys, FBI and District Attorneys office. Corporations have no interest in acknowledging they are not perfect, best to blame the people who find their mistakes.

    This is unfortunate, I have seen real world examples by at least 5 different mega corps in the last year behaving by villainizing engineers and security experts who have no malicious intent. It’s the person who found the exploit that’s the problem… not the idiot who wrote the flaw into the software.

    • Let’s be realistic here. It’s not even the engineer’s fault who originally coded the bug. Coding is hard, hard stuff. Testing it is even harder.

      All code has bugs, end of story. It’s a matter of fixing the worst parts of it that’s important and when a 3rd party company essentially files an awesome bug report for you, you shouldn’t crucify them.

      • Absolutely correct, but not enough drama. Can we go with “Let’s be in the thrall of realism, here”?

  • [...] Security rep Escher Auernheimer fired back on the Goatse Security website that “there was not a hint of maliciousness in our disclosure” and claimed that the [...]

  • Hats off to Goatse Security here. We need more of this kind of vigilante hacking and securities testing if we want to stay on top. Support you guys through and through, keep doing what you’re doing.

  • [...] FBI is investigating and AT&T is spinning. Now, Goatse is hitting back at Ma Bell, and Apple, calling the carrier irresponsible and [...]

  • Why r u singling out the Chinese? Aren’t you doing the same as AT&T?

    • The Chinese government is known to be the source of many attacks against US public and commercial infrastructure:
      http://www.wired.com/threatlevel/2010/01/operation-aurora/

      • Give me a break. The Wired article’s only mention of China is this:

        “originated from China”

        This falls WAY short of any reasonable substantiation of your “Chinese government” indictment, let alone your original indictment against 1.2 billion people.

        Check the facts, the so called “evidence” so far has been discredited: a) the supposed Chinese origin CRC optimization fingered by Joe Stewart turned out to be from a 20 year old Novell programming guide, b) the vocational school NYT’s supposed NSA source fingered turned out to be some 3rd rate voc tech for high school dropouts, and their only association with the Chinese military was churning out cooks and mechanics.

  • Fight fire with fire. Sue AT&T for libel. Use the money to fight evil or go to Hawaii or whatever you want.

  • Correct me if I’m wrong, but should you not be asking AT&T for a public apology and/or not threatening for libel?
    You did them a public service, and they’re using you as the scapegoatse (haha)

  • [...] Goatse Security, meanwhile, defended its actions in a strongly worded Monday blog post. [...]

  • I’m not a lawyer, however if I was in your shoes, I would be both demanding a public apology from AT&T AND filing a lawsuit for libel. It has been said that the data that could be downloaded from this hole could be used to find the exact location of the iPad. Also, this data has the names of several very important people in America on it. Thusly, one could find the exact location of many important people in America. What you did was a service to the American government and the people it has sworn to protect, not to mention AT&T. It is simply ridiculous that AT&T said the things that they said, and they should apologize. NOW.

  • [...] but for anyone who has the slightest interest in their own personal security in this digital age. [Goatse Security] Tagged:appleat&tcomputersgoatse [...]

  • You know, I think everything you did was ethical, and AT&T is a congenitally stupid company. However, I might suggest that you change your name from Goatse. This doesn’t give people confidence.

  • Do you guys get paid to do this, or is it something you do after work? Are you making a living, or just banging on the computer keyboard during TV commercials?

    • We sometimes get paid, but not nearly enough! Send more money.

    • This is one of those irritating dismissals that really doesn’t matter. The notion that someone performing a task (particularly a creative one) as a job is somehow more noble than someone performing the same task as hobby is completely flawed. In reality, the guy doing security research in his spare time has less questionable motives than the guy that is on some corporation’s payroll and is signing NDAs to work there.

  • [...] A response to AT&T’s letter — security.goatse.fr Jenna Wortham says: Goatse Security bites back at AT&T’s apology for the iPad data breach, says “not a hint of maliciousness in our disclosure.” [...]

  • Maybe if the single journalist you disclosed this to didn’t have a reputation for petty attacks on Apple and didn’t work for a publication whose affiliate is embroiled in an investigation over its apparent purchase of stolen property, the story might be taken more seriously. Your choice of media outlets inevitably leads to questions about your motives.

    • Our rhetoric, tone, and choice of media outlet is all free speech. Period, no questions asked. Our disclosure process was kinder and safer than many well-respected security researchers. If you do not like this, write your congressman and ask him to please legislate exploit disclosure processes.

  • Hey, thanks for being there! I appreciate & respect your efforts and your principles. However, in spite of the brightness displayed there is an attendant level of naivete. Briefly, ATT, IBM, google, yahoo…etc., etc., all deploy, manage, control & monitor *everything* with the full participation/sanction or knowledge of ‘Big Brother’. Hardware, software, FiOS, you name it is curtailed and/or maintained at levels which must meet approval of ‘Brother’. The essential F-up here for ATT is that on a non-split or tier of service, security was not implemented to keep the exploits out. IOW, this would have been just fine for civilian-only clients provided that military & requisite corp honchos had something impregnable. Due to the specific hardware or software implementation it’s often as simple as ‘flipping a switch’. The reason you’re getting so much fallout for this is that this is viewed in the industry, corp America & military-industrial complex as a ‘stranger’ butting into an argument between ‘husband & wife’!! The true scope of available technology to the average American citizen is mind-boggling even today, at at time when the average home desktop has tech that only military sites had say 10 – 15 years ago. For perspective consider: (all examples that follow are from early-to-mid-1980′s) —
    1. I could deploy a approx. 14″ ruggedized ‘puter out of my rucksack, pop-up a 16-18″ dish antenna, enter data into ‘puter, then send it from say NY to somewhere 1500 miles away by first conversion of signal to HF radio signal; OR in the alternative, grab a ‘chip’ (small, fingernail-sized piece of *anybody’s* satellite!!) convert to appropriate format and “squirt” — bam — 5 -8 page, single-spaced 11″x14″ document full of data gone from say NY to literally some cliff in Patagonia, just like that. Not on air long enough for RDF to find me (heh-heh!). I could go on, but believe-it-or-not, a lot of that 80′s stuff is *still* classified!! Bottom Line is this: What we are faced with is a classification or approval system that simply was/is not built to deal w/two things: (a) the rapidity of both hardware & software development, and (b) The intelligence of people like you & your crew!! Add to that the fact that in many countries (RBN, Japan, Korea, hell almost everywhere else) the bulk of the populace is so unitarily nationalistic or xenophobic as to put America to no small disadvantage when it comes to gaining certain capabilities. Americans/America values (and history proofs this out) INDIVIDUALISM almost above everything else!! Good, yes, but in the argument between ‘husband & wife’ juxtaposed with those “hungry” countries striving to knock down the ‘Big Dawg, America’, Americans who are into cutting-edge communications and other capabilities are sometimes left wanting until the ‘approval’ for such and such issues forth. Meantime, most people in your local community are really, really, simply satisfied with cable TV!!! Whew!! In any event, don’t stop what you’re doing, we need you. I SALUTE You & Crew. Have A Healthy, Prosperous Day!
    —rob

  • You guys are obviously not ‘attacking’ anyone but trying to prevent problems. One of the more important points in recent weeks is that those that thought the Apple platform (or for that matter Linux) are learning they need to protect themselves. Hopefully companies will start to deploy software etc., to thwart ‘invasions’.

  • Escher Auernheimer, you must be the finest man on the Internet right now. I seriously respect this group for being a bunch of honest hackers that the Internet really needs right now, and I also respect you for standing behind your own 100%. AT&T can bring it on. Big ups for all of the members!

  • Thank you for making this knowledge public.

    I don’t usually hesitate to use my full name when I comment, but I actually took a minute to contemplate it this time. I am disgusted that voicing support of exploit disclosure feels like a radical move. The Internet is more dangerous than most users know, and AT&T’s response to your disclosure has made it even more dangerous.

    Please keep fighting the good fight… There aren’t enough people doing it.

    • AT&T puts unnecessary constraints on pentesters thereby providing a less than encouraging atmosphere for folks discovering these problems. I for one would never consider contacting AT&T for this reason. Their subscribers are the ultimate victims as a result.

  • [...] to the statement issued by the group, they have not just erased the emails+ICCIDs, but haven’t shared them with anyone else but [...]

  • [...] From Goatse Security: “All data was gathered from a public webserver with no password, accessible by anyone on the Internet. There was no breach, intrusion, or penetration, by any means of the word.” [...]

  • [...] Goatse Security defends itself by saying that they did not sell the information they managed to extract from AT&T’s servers, but instead contacted a journalist, sent him the data as proof and afterwards deleted their copy. [...]

  • I have an iPad, not much of personal or business private info on it. Is any platform secure? Even ones with vendors that cater to security have to deal with unpatched exploits in the wild. Your point is that you are doing ATT & Apple a favor. You ought to be rewarded$$, not vilified. The industry as a whole has its head in the sand. My take is that if there is personal/private info, one ought to use FileVault or Bitlocker, neither or which is available on iPad. LastPass works.

  • [...] this is the response from Escher Auernheimer, of Goatse Security. Search [...]

  • [...] consider that the incompetence came from the company itself. Since punishment comes riding fast, Goatse Security responded to the letter the telecom sent to its customers, making things even more embarrassing for Apple and its [...]

  • [...] of days ago, in which the carrier referred to Goatse Security as malicious. The company states in a post on its blog that AT&T was too late informing its customers about the security breach. Additionally, Goatse [...]

  • Well, it was awful nice Ms. Attwood of AT&T, in her official letter to customers, to admit “the hackers never had access to AT&T communications or data networks, or your iPad.” That would sound to me like they agree that no “private” data was ever in jeopardy (and that the email addresses, by virtue of their application, were, in-fact, public). Then again, I’m not a lawyer… but it seems like an easy enough jump in logic.

  • GOOD WORK TEAM ,
    i like ur work
    Best Regards
    T34M ERR0R

  • [...] their scarcity in the market. This increasingly becomes true – the latest proof hits us via Goatse Security (which seems to be a work-safe site): [...]

  • [...] at the NSA wake up and give a good spanking to those US government idiots using a device with a public 3-month old unfixed security vulnerability with their military or government email account. And everyone else who let [...]

  • [...] folks at GS took umbrage at being called "malicious," and posted their own response, citing still-unpatched vulnerabilities in Mobile Safari on the iPad as evidence that Apple and [...]

  • I have an iPad 3G that I purchased on the first day they were available. I have yet to purchase AT&T’s 3G service but even so I think Apple should have informed me of this issue (to date they have not). I’ve also been considering getting my first iPhone but with AT&T’s reported poor 3G service and their obvious disregard for their customers’ security, I think I’ll be sticking with my current provider and also forgo hooking up my iPad to 3G….. I’m also a little pissed that AT&T dropped the unlimited plan for the iPad, this looks like misleading advertising on both AT&T and Apple’s part.

  • [...] The hacker is 24 years old. Goatse says their hacker (who may not be the one arrested) spent just over an hour getting the emails off AT&T’s servers, while AT&T’s chief privacy officer has [...]

  • [...] Last week a security flaw on AT&T’s network allowed hackers to obtain the e-mail addresses and ICC-IDs for more than 100,000 Apple iPad owners, many of them high level politicians or military personnel. On the heels of an announcement that the FBI would be looking into the breach, AT&T has sent out a letter to the impacted customers (sort of) explaining the breach. The letter, which avoids admitting any blame for the website’s security issues, informs users that “unauthorized computer ‘hackers’ maliciously exploited a function designed to make your iPad log-in process faster.” AT&T Then complains that the group “put together a list of these emails and distributed it for their own publicity.” The hackers have responded to AT&T’s letter here. [...]

  • do you guys make t-shirts – i’d love to buy one. good work with AT&T! love it!!

  • Nice work….For the love of god, please do not keep any controversial or illegal materials in your home, you can bet the feds are going to be visiting you soon.

  • Love… America? Every single country in the world sucks with the inclusion of the outdated currency system. Including America. AT&T, Comcast, it doesn’t matter. They are all corporate giants with one goal in mind: Money. That’s obvious. Patriotic brainwashed tools.

  • [...] letter AT&T sent to its customers, Auernheimer, writing under the name “Escher,” wrote a blog post calling AT&T dishonest. “AT&T had plenty of time to inform the public before our [...]

  • [...] And if there’s any doubt about AT&T withholding disclosure, read Goatse Security’s response to them here:  A Response to AT&T’s Letter – We have an iPad exploit and all iPads are vulnerable. [...]

  • [...] address does not like how AT&T has portrayed them.  They wrote an explicit response to that letter here .  I still think Goatse could have done things a bit differently.  According to them, they [...]

  • [...] Yet the attacks continued. Which makes sense; even individual people and groups associated with /b/ and 4chan can have real impact, whether it’s by getting into Sarah Palin’s email account, waging a surprisingly effective war against the Church of Scientology or finding iPad security breaches. [...]

  • Thanks for the useful info. It’s so interesting.

  • If you were so concerned about their security, inform them of the hole and help them fix it. You did the wrong thing and since your reasoning is very adolescent, I hope you don’t go to jail.

  • [...] day after the breach came to light, Goatse posted a scathing entry on its blog accusing ATT and Apple (AAPL, Fortune 500) of not taking security [...]

  • [...] in a blog post on Goatse Security’s Web site, Escher Auernheimer responded to AT&T’s letter and defended [...]

  • [...] House Chief of Staff Rahm Emanuel.  However, in the iPad case the breach came as a result of a direct attack on iPad vulnerabilities where the Android compromise attacked a weakness in Google’s Market policies – [...]

  • [...] of the hacks, as well as a number of business executives.In June 2010, Goatse Security posted a letter on its website about the ATT hacks after the group received widespread media attention for the [...]

  • [...] June 2010, Goatse Security posted a letter on its website about the ATT hacks after the group received widespread media attention for the [...]

  • I really do believe someone should set up an anonymous site where hackers could release exploits like these to pressure companies into acting like sane humans who want their customer’s data stolen. That the main point to make iPad from AT&T Comp. This is not possible to hack the information.
    Glad for information.

    ———————————-
    Mary

  • [...] Goatse Security received widespread media coverage for its attack on iPad users, the group posted a letter in June 2010 that explained the personal data it acquired was destroyed once the hack was [...]

  • [...] what was their motivation? What was going through their minds? In a publicly posted letter to “clear the air” last year, the hacking group insisted that their intentions were [...]

  • [...] attempt to make a name for himself in the security industry and, according to his open letter to AT&T “as a service to our nation.” (Last summer TechCrunch agreed, and awarded [...]

  • [...] the security industry and, according to his open letter to ATT “as a service to our nation.” (Last summer [...]