The vulnerability on the Apple iPad that led to email addresses being exposed has got 'massively out of hand'.
James Blake, chief security officer for Mimecast, said that he had received a number of emails from worried staff since the occurrence and he had read that the FBI are investigating 'the cyber threat posed by this exposure'.
He said: “This is a classic example of security researchers using FUD to manipulate the media for publicity's sake. The media is complicit as well; while what they are reporting is factually true, the apocalyptic impacts they are espousing are laughable. The reality is that the only story is that there isn't really a story at all.”
He claimed that there is not a vulnerability in the iPad, but that the problem came from a badly designed and implemented website run by AT&T, the US carrier for the iPad. The attackers, Goatse, wrote a PHP script that made it look like the user agent was an iPad and then looped through all possible ICC-IDs and harvested the returned email addresses. Blake said that the ICC-ID to email mapping has nothing to do with the iPad; it is pulled in from the back-end OSS systems at the carrier, and is a simple error.
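On the server side, the enumeration described above shows up in access logs as one client requesting many different ICC-IDs in a short time, whatever user agent it claims to be. The detection logic below is an added example, not code from the article or from AT&T; the log format, the `/lookup?iccid=` endpoint, the thresholds and every sample line are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical log format: ip [timestamp] "request" status "user-agent"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \[(?P<ts>[^\]]+)\] '
    r'"GET /lookup\?iccid=(?P<iccid>\d{19,20}) HTTP/1\.1" \d{3} "(?P<ua>[^"]*)"'
)

def find_enumerators(lines, max_distinct=3, window=timedelta(minutes=1)):
    """Return {ip: peak distinct ICC-IDs} for clients that request more than
    max_distinct different ICC-IDs inside any sliding window."""
    recent = defaultdict(deque)   # ip -> (timestamp, iccid) pairs still in window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
        q = recent[m["ip"]]
        q.append((ts, m["iccid"]))
        while ts - q[0][0] > window:      # drop requests older than the window
            q.popleft()
        distinct = len({iccid for _, iccid in q})
        # The User-Agent header is client-supplied, so it is deliberately
        # ignored here: an "iPad" string proves nothing about the device.
        if distinct > max_distinct:
            flagged[m["ip"]] = max(flagged.get(m["ip"], 0), distinct)
    return flagged

IPAD_UA = "Mozilla/5.0 (iPad)"  # constructed, shortened user-agent string
FMT = '{ip} [2024-01-01T{t}] "GET /lookup?iccid=890000000000000{n} HTTP/1.1" 200 "{ua}"'

# Constructed sample log: all addresses and ICC-IDs are made up.
SAMPLE_LOG = (
    # one client walking sequential ICC-IDs, one request per second
    [FMT.format(ip="203.0.113.7", t=f"10:00:{s:02d}", n=1000 + s, ua=IPAD_UA)
     for s in range(6)]
    # a normal device asking twice for its own ICC-ID
    + [FMT.format(ip="198.51.100.20", t=f"10:0{m}:00", n=2000, ua=IPAD_UA)
       for m in range(2)]
    # different ICC-IDs, but an hour apart: below the rate threshold
    + [FMT.format(ip="192.0.2.5", t=f"1{h}:00:00", n=3000 + h, ua=IPAD_UA)
       for h in range(4)]
)

if __name__ == "__main__":
    for ip, count in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {count} distinct ICC-IDs within one minute")
```

The same per-client count can drive rate limiting, but the underlying design fix is to stop returning an email address to a request that presents nothing more than an ICC-ID.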
Blake said: “What was exposed, really? What was exposed was internet facing email addresses, no passwords, no phone numbers, no credit cards. Many of the addresses could probably have been easily guessed based on name or harvested using traditional directory or web-harvesting techniques.
“While an internet email address could be considered a personally identifiable information (PII) digital identifier, the sensitivity or impact level of this data on its own is very low. The use cases for someone who has harvested this data are quite limited.
“While it shouldn't have been so easy to automate the collection of these emails, in the grand scheme of things this hardly represents a big risk, certainly not on the level of being suggested in some of the articles I have read.”
Last year I found an email on a tube train in London and asked whether the contents would be enough to create an attack, and the general consensus was that while it would enable spear-phishing, there was not enough personal information to steal someone's identity.
As Blake said, all that has been exposed is email addresses, and while SC Magazine has detailed the need to protect personal information, as he said, this could have been a lot worse.