The recent AT&T data leak underscores the need for iPad security precautions.
The U.S. telco wanted to make logging in to its 3G data plan dashboard a little easier for its iPad customers, so it populated the email address based on the ICC-ID.
Hackers effectively used a brute force technique to get the system to spit out email addresses. (As of now, the email populating system is turned off.)
AT&T has apologized for a hack that exposed thousands of customers’ e-mail addresses last week, and said it will work with law enforcement to prosecute those responsible.
A hacker group called Goatse Security got about 114,000 e-mail addresses of people including White House Chief of Staff Rahm Emanuel and New York Mayor Michael Bloomberg by exploiting an authentication page on AT&T’s Web site.
The group found that the page would return an e-mail address associated with a particular iPad if they entered the correct serial number for that iPad’s SIM card.
The group wrote code that would randomly generate serial numbers and query the Web site until it got e-mail addresses back.
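Seen from the server side, that pattern is one client asking about many different ICC-IDs in a short time, which is detectable in request logs. The following is an added example, not code from AT&T or from the article: the log format, IP addresses, ICC-ID values, date and thresholds are all constructed assumptions.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

def build_sample():
    """Constructed log lines: '<timestamp> <client> <icc-id> <hit|miss>'."""
    base = datetime(2010, 6, 5, 10, 0, 0)  # constructed date
    # One customer loading the dashboard for their own SIM three times.
    lines = [f"2010-06-05T{t} 203.0.113.5 89014100000000000017 hit"
             for t in ("09:00:00", "09:30:00", "10:05:00")]
    # One client walking 40 different (constructed) ICC-IDs, one per second.
    for n in range(40):
        ts = (base + timedelta(seconds=n)).isoformat()
        result = "hit" if n % 10 == 0 else "miss"
        lines.append(f"{ts} 198.51.100.7 890141{n:014d} {result}")
    return sorted(lines)  # ISO timestamps sort chronologically

def find_enumerators(lines, window=timedelta(minutes=1), max_distinct=5):
    """Flag clients that query more than max_distinct ICC-IDs inside one window.

    Returns {client: {"peak_distinct": n, "emails_returned": h}} so the same
    pass also scopes how many addresses each flagged client was handed.
    Expects lines in time order.
    """
    recent = defaultdict(deque)   # client -> (time, icc-id) pairs still in window
    hits = Counter()              # client -> responses that carried an e-mail
    peaks = {}
    for line in lines:
        ts, client, iccid, result = line.split()
        now = datetime.fromisoformat(ts)
        hits[client] += result == "hit"
        q = recent[client]
        q.append((now, iccid))
        while now - q[0][0] > window:
            q.popleft()
        distinct = len({i for _, i in q})
        if distinct > max_distinct:
            peaks[client] = max(peaks.get(client, 0), distinct)
    return {c: {"peak_distinct": p, "emails_returned": hits[c]}
            for c, p in peaks.items()}

if __name__ == "__main__":
    for client, info in find_enumerators(build_sample()).items():
        print(client, info)
```

The customer who repeatedly looks up a single ICC-ID never trips the rule; only the client cycling through identifiers does.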
The victims of this breach happened to be a U.S. telco and its customers, but the incident should spur iPad users, wherever they live, to take a closer look at the security of their devices and the data on them.
Fortunately, there are a few simple steps you can take to protect confidential data on your iPad. As a multipurpose computing device, the iPad is susceptible to a wide variety of attacks.
Jon Heimerl, director of strategic security for Solutionary, an enterprise security service provider, shared some tips with me via e-mail on how users can protect themselves.
Keep an eye on it
“Most simply put, the single most effective thing someone can do to protect their iPad from any security issues is just to hang on to it. Keeping the device under your physical control means you also have control over device and data access.
If you can keep the iPad in your physical control, many other security concerns do not come into play,” Heimerl said.
Use a passcode when taking the iPad out in public. The passcode blocks unauthorized users from accessing your apps and information. However, the passcode only provides limited protection; it can be bypassed by users with long-term physical control of the device. “If someone has prolonged control over your iPad and access to a PC, they can connect to the iPad with a PC and remove the passcode, allowing them to log onto the device,” Heimerl said. “An attacker can also bypass encryption on the iPad the same way.” Even if they don’t get access to the data, the attacker can reset the device, destroying your data and converting the device to their own use.
Another limitation of passcodes: “The keypad you use to enter your passcode always appears in the same place on the screen,” Heimerl said.
This may leave a tell-tale pattern of fingerprints on your screen where you enter your passcode. “Of course, if you never clean the screen and leave fingerprints everywhere this may not matter at all, but it is something to keep in mind in how you use the device,” Heimerl said. (Hear that, guy who never wipes down his iPad? You’re not a slob — you’re security conscious!)
Consider enabling automatic data erasing. “You can configure the iPad to erase all user data on the device after 10 failed passcode attempts,” Heimerl said. “Whether this is good or bad depends on the quality of any data backups, and how likely you are (or your children are) to exceed the 10 failed passcode attempts.”
He added, “While the iPad does not really erase the data, it does erase the key to the data which is actually stored on the iPad encrypted. So, since you no longer have the key with which you can decrypt the data the end result is essentially the same.”
Restrict the capabilities of the iPad
“To add additional controls, the iPad allows the user to restrict certain functions on the device,” Heimerl said. Users can restrict access to Safari, YouTube, installing applications, and explicit media content. “This function is also passcoded so it could be configured by a corporate administrator and not changed by the end user,” Heimerl said. Of course, it can also be configured by a parent for a child’s iPad.
Use a VPN — The iPad lets you encrypt all your Wi-Fi traffic using a Virtual Private Network (VPN) service.
Get MobileMe — While a little bit pricey at $99 per year to start, Apple’s MobileMe service provides several tools for syncing, backing up and securing data, “including the ability to sound a tone and/or display a message on a lost iPad if you have temporarily misplaced it,” Heimerl said.
“If your iPad is stolen or completely lost, you can access MobileMe from a computer and can display the location of the device on a map in order to help find it. You can also use MobileMe to keep information in sync across multiple devices, to share information through iDisk, and, when you get desperate, to initiate a remote wipe of the device, thus removing all information from the device, including all potentially sensitive information.”
However, “If the remote iPad is not connected via cellular or [Wi-Fi] network, it will not receive the remote wipe commands, so a determined attacker would likely take the iPad off the network before they worked on the system.”
Heimerl added, “The iPad also supports Microsoft Exchange ActiveSync. The remote wipe can be triggered via ActiveSync. MS Exchange ActiveSync can also be used to enforce additional controls and extended password policies beyond what the iPad can support natively.”
Jailbreak with care — “Jailbreaking is hacking an iPad so you can install non-App store apps and have access beyond Apple control,” Heimerl explains. “[W]hile it does give the user more control over the end device, it also removes some of the controls that help make the iPad more secure than a PC.
In any case, jailbreaking the iPad dramatically changes the controls in the device, so the best we can say about security on a jailbroken iPad is that your results will be unpredictable. Besides that, jailbreaking an iPad automatically voids any warranty.”
Share with care — The iPad is “essentially a single user device,” Heimerl said. Unlike a Mac or PC, you can’t create multiple user accounts on the iPad and block access to information between accounts; everyone with access to the iPad has access to all the information on the device, including e-mail, browser and personal information. However, users can protect their privacy in some ways by disabling the option to autofill browser fields and regularly clearing browser history, cookies and cache, Heimerl said.
Also, users can use software like 1Password, which encrypts information stored in the app.
Install software updates — Apple regularly updates its operating system software on all devices to keep up with the latest vulnerabilities. “[T]o make sure the system is current, it is necessary to regularly connect the system to iTunes on a computer,” Heimerl said.
“If a remote system does not have iTunes available, or is not connected for some length of time, it is possible that the system would miss a critical update and therefore be exposed to a risk that had been patched. For long-term use of the device in a corporate environment, IT will need a means to manage appropriate updates.”