iPad has another security flaw, says hacker group

The iPad has inherent security vulnerabilities above and beyond the AT&T software flaw that allowed the harvesting of customer data, says Goatse Security.

The hacking group last week announced that it had been able to garner the email addresses of 114,000 iPad users through a flaw in carrier AT&T’s software systems.

But while this hole has now been fixed, Goatse’s Escher Auernheimer says that it’s not the only security problem with the device.

Back in March, he says, he released a semantic integer overflow exploit for Safari. It was quickly patched on Apple’s desktop Safari, he says – but has yet to be patched on the iPad.

The bug allows the viewer of a webpage to become a proxy – even behind corporate and government firewalls – for spamming, exploit payloads and password brute force attacks. The attack can’t be detected by any current IDS/IPS system, says Auernheimer.

“We released this in March, mind you, and Apple still hasn’t got around to patching this on the iPad,” he says.

“I know through personal experience that the patch time for an iPad vulnerability is over two months and counting. Given that, the number of parties which probably have active iPad exploits likely numbers in the hundreds, if not the thousands. The iPad simply is not a safe platform for those that require a secure environment.”

Late last week, AT&T senior vice president of public policy and chief privacy officer Dorothy Attwood sent a letter to customers apologising for the security breach and assuring them that the problem had been fixed.

“AT&T acted quickly to protect your information and we promise to keep working around the clock to keep your information safe,” she says.

But Auernheimer disputes this too.

“AT&T had plenty of time to inform the public before our disclosure. It was not done. Post-patch, disclosure should be immediate – within the hour. Days afterward is not acceptable,” he says.

“It is theoretically possible that in the span of a day (particularly after a hole was closed) that a criminal organization might decide to use an old dataset to exploit users before the users could be enlightened about the vulnerability.”

AT&T is concerned about this possibility too. “While the attack was limited to email address and ICC-ID data, we encourage you to be alert to scams that could attempt to use this information to obtain other data or send you unwanted email,” Attwood’s letter says.