In a development that should give pause to those who claim the iPad has a bright future in health care, a clandestine group of white-hat hackers announced last week that it was able to acquire email addresses and other confidential information for at least 114,000 iPad users by exploiting a security vulnerability in AT&T’s mobile (3G) network.
Although the breach affected a veritable who’s who of corporate executives, military officials and politicians, there is no evidence that health care leaders were affected. As well, the nature of the breach makes it unlikely to have compromised the protected health information of patients.
The security vulnerability involves AT&T servers and not the iPad device itself. Nevertheless, Apple’s interest in the breach is acute since AT&T is the sole-source iPad carrier in the US.
According to Gawker, which broke the story last week, the breached email list includes Janet Robinson, the CEO of the New York Times, ABC News anchor Diane Sawyer, New York City mayor Michael Bloomberg and White House Chief of Staff Rahm Emanuel. It also includes William Eldredge, who commands the largest operational B-1 [strategic bomber] group in the US Air Force, as well as people at Dow Jones, Viacom, HBO, News Corporation, NASA, the Department of Homeland Security, the FAA and the FCC.
In addition to email addresses, breached information includes a special identification code that iPad subscribers use to become authenticated on AT&T’s 3G network—the so called ICC ID, or integrated circuit card identifier. No other information was exposed.
What Happened
A group known as Goatse Security contacted Gawker and claimed responsibility for the hack. By all accounts, the breach was fixed by AT&T within 2 days. News of the breach was not made public until it had been fixed.
According to Gawker, Goatse “obtained its data through a script on AT&T’s website, accessible to anyone on the internet. When provided with an ICC ID as part of an HTTP request, the script would return the associated email address.”
Goatse personnel then sussed-out a huge chunk of ICC IDs by examining known iPad 3G ICC IDs that had been published by “gadget enthusiasts” to Flickr and other internet sites, and then guessing what other ICC IDs might be. The ICC ID information is also available within the “Settings” application on the iPad.
Goatse Statement:
“This disclosure needed to be made,” said Goatse in a lengthy blog post. “iPad 3G users had the right to know that their email addresses were potentially public knowledge so they could take steps to mitigate the issue (like changing their email address). This was done in service of the American public…Your iPads are safer now because of us.”
“There was no illegal activity or unauthorized access” involved.
AT&T Statement:
“AT&T was informed by a business customer on Monday of the potential exposure of their iPad ICC IDS. The only information that can be derived from the ICC IDS is the e-mail address attached to that device. This issue was escalated to the highest levels of the company and was corrected by Tuesday. We have essentially turned off the feature that provided the e-mail addresses. We are continuing to investigate and will inform all customers whose e-mail addresses and ICC IDS may have been obtained. We apologize to our customers who were impacted.”
Fallout
If the email list had fallen into the hands of those with malicious intent, affected individuals could have been exposed to hackers or spam marketers. Malicious hackers in possession of a cache of email addresses could launch “phishing” attacks, in which emails purporting to be from trusted sources are used to extract more personal information from unsuspecting recipients. There is no evidence so far that this has happened, though such attacks have been directed at health care organizations in the past.
With respect to the heisted ICC IDs, Michael Kleeman, a communications expert at UC San Diego told the New York Times they could be exploitable by hackers to ascertain an iPad’s location.
“You could in theory find out where the device is,”Kleeman told the Times. “But to do that, you would have to gain access to very secure databases that are not generally connected to the public Internet.”
The implications of the breach for AT&T and Apple remain unclear, as is its potential impact on health care app developers and enthusiasts who see the iPad as a potentially revolutionary tool for health care.
Those who remain in the “honeymoon phase” when it comes to the possibilities for the iPad in our sector ought to take a deep breath and begin evaluating the gadget like any other technology. Careful, dispassionate assessments of the iPad’s risks and benefits in health care are, unfortunately, few and far between.
Glenn Laffel, MD, PhD
Sr. VP Clinical Affairs
Practice Fusion EMR
