Goatse Security

Gaping Holes Exposed

Goatse Security Press Release


June 20th, 2010 ― Goatse Security is dismayed at AT&T’s effort to co-opt the authority of the FBI to absolve themselves of their responsibility in a massive security vulnerability which disclosed private and secure information of its customers. Indeed, this vulnerability was 100% avoidable, and 100% AT&T’s fault. By co-opting the FBI, the private lives of Goatse Security volunteers have been invaded, and destroyed by what was at best a blunt instrument: the raid, by force, of the Goatse Security spokesperson’s private residence.

Goatse Security, in terms both clear and public, deplores this use of force to solve what is, in the end, AT&T’s PR problem. Goatse Security took measures beyond the norm to contact AT&T and assist them in patching the vulnerability before publishing it, or allowing any related media story to be published. It is our belief, and AT&T’s brash and public actions reinforce this belief, that:

  • Without large numbers of compromised customers, and without the headlines that go with them, this vulnerability would have gone unpublished, and AT&T customers unprotected. AT&T, as has been demonstrated in this instance, is grossly irresponsible with the private data of its customers. We have no reasonable belief that AT&T would have taken action, or would have warned anyone of this vulnerability. Instead, they would have simply swept it under the rug.
  • Full disclosure, the immediate public release of a vulnerability, is justified when companies act in their own self-interest, instead of protecting their customers’ privacy. Indeed, AT&T, instead of respecting its customers’ privacy, violated ours. This is unacceptable. Further vulnerabilities developed against AT&T will continue to be developed utilizing the best common practices (BCP) for developing such exploits, but will no longer be privately given to AT&T prior to their release. All future releases of AT&T related vulnerabilities will occur under “Full Disclosure” practices.

Goatse Security is relieved that Andrew has been released from his incarceration and is mostly unharmed, but condemns the violent, subversive, and unnecessary actions taken against him by both AT&T and the FBI. We wish Andrew the best in the coming days as he picks up his front door, and his life, both pointlessly shattered by the FBI.

I see what you did there, Barack Obama


Most of the media coverage on the AT&T leak is a mix of factual information and spokesperson quotes. Journalists ask us questions, which we are glad to answer because it means our opinion somewhat matters. But in the end, we mostly see the old full disclosure debate, and the attempt at labelling us white hats, black hats or brown hats. Yet I think there is something new here.

Gawker identified many high profile people in the list of emails leaked by AT&T. They could easily tell them from other individuals, because they had nifty .gov or .mil addresses. At DARPA, in the EUCOM, at the White House, NASA, DoJ, the FAA… So many government employees who really, really needed an iPad.

I hope there are still a few investigative journalists out there who will certainly be thrilled to try to answer the taxpayers’ question of who exactly paid for all those government officials’ iPads. But this is not what worries me the most here.

I graduated from a pretty elite engineering school. People from that school don’t usually end up plotting funny hoaxes or working for the entertainment industry (though my favourite one actually did). They often occupy high level positions in large corporations or government agencies. When I was studying there, people from the secret services came several times to teach us about the risks of information theft. They were very serious about it. If you were going to work for the government or a top national company, you would have to learn not to write down your password under your coffee mug, but also to be wary about data protection, cell phone eavesdropping, foreign agents, including more intimate spying techniques. The message was clear: information is power, you will have it, and others will want it.

Later I worked for a state-owned company. The IT people there were using an antique version of Microsoft Exchange and disallowed the use of Firefox because it had not been approved by the security people yet. I found that extremely annoying, especially since my previous work at several security companies had led me to different conclusions about the products being used, but at least it showed that they cared about security, even for average employees. I was willing to give up convenience for security.

But Barack Obama disagreed. In early 2009, he fought to keep using his BlackBerry device, against the objections of secret services and government lawyers. Barack Obama wanted convenience over security. The country’s security. And by doing so, he gave tacit clearance to every fucking idiot in the government or the military to get the latest cool electronic gadget and use it with their government email account.

As of not so long ago, UK ministers can no longer use iPhones due to security concerns. Now I hear the FBI is going to… come for Goatse? Please, someone at the NSA wake up and give a good spanking to those US government idiots using a device with a public, 3-month-old, unfixed security vulnerability with their military or government email account. And everyone else who let them.

A response to AT&T’s letter — We have an iPad exploit and all iPads are vulnerable.


So, AT&T calls us malicious in their letter to their customers. I think this calls for a statement to clear the air.

AT&T had plenty of time to inform the public before our disclosure. It was not done. Post-patch, disclosure should be immediate, within the hour. Days afterward is not acceptable. It is theoretically possible that in the span of a day (particularly after a hole was closed) a criminal organization might decide to use an old dataset to exploit users before the users could be enlightened about the vulnerability.

Even in this disclosure, which I feel they would not have made if we hadn’t publicized this vulnerability, AT&T is being dishonest about the potential for harm.

I had previously thought that only an attacker who could crack the secret Ki key (I believe but am not certain that David Hulton and Skyper could, based on information I have received about their presentation in Dubai, and if they have figured it out who knows who else has) could use the ICC-IDs in this breach. Later, two security researchers from iSec Partners revealed that an attacker of much lower sophistication could use the ICC-IDs to determine iPad owner location.

iSec is a well-established name in the security industry and is known for its absolute integrity. I had the good fortune of meeting iSec hacker Josha Bronson at a convention. His abilities were second to none. I have no reason to doubt iSec’s claims.

Beyond that, AT&T is not highlighting the potential for a skilled attacker to use a Safari exploit, or other iPad application exploit, based on this dataset to take over the iPad. A complete list of iPad 3G customers (which could have been generated from this vulnerability) would be the ideal bit of data for those in the RBN with zero-day Safari exploits to acquire.

I released a semantic integer overflow exploit for Safari through Goatse Security in March; it was patched on Apple’s desktop Safari but has yet to be patched on the iPad. This bug we crafted allows the viewer of a webpage to become a proxy (behind corporate and government firewalls!) for spamming, exploit payloads, password bruteforce attacks and other undesirables. The kicker is that this attack cannot be detected by any current IDS/IPS system. We released this in March, mind you, and Apple still hasn’t got around to patching this on the iPad! I know through personal experience that the patch time for an iPad vulnerability is over two months and counting. Given that, the number of parties which probably have active iPad exploits likely numbers in the hundreds, if not the thousands. The iPad simply is not a safe platform for those that require a secure environment.

Robert “RSnake” Hansen, one of the world’s foremost web application security researchers and the author of “Detecting Malice”, talked a little about our March release on his blog.

The potential for this sort of attack and the number of iPad users on the list we saw who were stewards of major public and commercial infrastructure necessitated our public disclosure. People in critical positions have a right to completely understand the scope of vulnerability immediately. Not days or weeks or months after potential intrusion.

In addition, AT&T says the person responsible for this went “to great efforts”. I’ll tell you this: the finder of the AT&T email leak spent just over a single hour of labor total (not counting the time the script ran with no human intervention) to scrape the 114,000 emails. If you see this as “great efforts”, so be it. I know that the RBN has literally thousands of people working full-time to exploit software vulnerabilities. At any given moment, whatever efforts we researchers are making are dwarfed by those in the thrall of evil. So get real. You fucked up, we helped you figure that out and informed the public. You should thank us, but you can keep on shit-talking if you want. We know what we did was right.

When we disclosed this, we did it as a service to our nation. We love America and the idea of the Russians or Chinese being able to subvert American infrastructure is a nightmare. We understand that good deeds many times go punished, and AT&T is trying to crucify us over this. The fact remains that there was not a hint of maliciousness in our disclosure. We disclosed only to a single journalist and destroyed the data afterward. We did the right thing, and I will stand by the actions of my team and protect the finder of this bug no matter what the cost.

-Escher Auernheimer

On disclosure ethics


There’s some buzz that the FBI is getting involved with this iPad email leak. Sean Sullivan at F-Secure said “the disclosure was completely irresponsible.” AT&T says we never contacted them. I want to make some things clear.
 
On the AT&T matter and the accusations of irresponsible disclosure, the timeline of the disclosure speaks for itself. AT&T itself admits the problem was closed Tuesday. The Goatse Security analyst responsible for the discovery personally verified this hole was closed Tuesday and no longer a threat to the public before we went to Ryan Tate at Gawker with the dataset and attack details. Ryan Tate was the only one to receive our dataset, and what results from it he published were redacted to prevent the compromise of those involved.
 
I want to summarize this explicitly:
  • All data was gathered from a public webserver with no password, accessible by anyone on the Internet. There was no breach, intrusion, or penetration, by any meaning of the word.
  • The dataset was not disclosed until we verified the problem was fixed by the vendor.
  • The only person to receive the dataset was Gawker journalist Ryan Tate who responsibly redacted it.
 
We were much nicer to AT&T than say, HD Moore was to Apple when he published exploits for unpatched flaws in the iPhone:
 
We did not contact AT&T directly, but we made sure that someone else tipped them off and waited for them to patch until we gave anything to Gawker. This is as “nice guy” as it gets. We had no interest in direct dialogue with AT&T, but we waited nicely for them to get their house in order and get their hole plugged tight before exposing it.
 
This disclosure needed to be made. iPad 3G users had the right to know that their email addresses were potentially public knowledge so they could take steps to mitigate the issue (like changing their email address). This was done in service of the American public. Do you really think corporate privacy breaches should stay indefinitely secret? I don’t. If you’re potentially on a list of exploit targets because someone has an iPad Safari vulnerability and they scraped you in a gigantic list of emails it is best that you are informed of that sooner than later (after you’ve been successfully exploited). We did this to help you.
 
I think most people’s problem with our disclosure was not the actual disclosure process, but the rhetoric and tone which accompanied it. Also they seem to take issue with how we went to Gawker first. I’ve had multitudes of reporters tell me that “Gawker has problems”. I don’t think that is true. When Valleywag has messed up in the past, I’ve always seen them do a whole new post to print their retraction which always appears at the same level of visibility of the original post. Unlike their competition, where a frontpage mistake is retracted in fine print on page C20 two weeks later. It is funny, because some of the news outlets telling me Gawker has issues were ignoring me when I tried to break this story to them.
 
The rhetoric, tone, and outlet we chose for our disclosure is free speech, plain and simple.
 
I’ve also heard the insinuation in a lot of Internet comments that Gawker paid us for this scoop. This is positively false. None of us made any money off of this disclosure. We did it in public interests. Seriously, we are not poor and do not need handouts from blogging companies.
 
Anyways, there was no illegal activity or unauthorized access, this was not a shady backroom hookers and blow deal with Nick Denton as revenge for the iPhone raid (though that would be totally sweet), we did not sell your data to spammers (on the contrary, we destroyed it after Ryan used it; it had served its purpose to us) and we did not try to hack your iPads. Your iPads are safer now because of us.
