Goatse Security, the white-hat hackers that exposed the iPad’s problems keeping email addresses under wraps, is back with a warning about additional risks to owners of the tablet. And they’re also more than a little peeved that AT&T called them “malicious” in yesterday’s apology to customers. “When we disclosed this, we did it as a service to our nation. We love America and the idea of the Russians or Chinese being able to subvert American infrastructure is a nightmare,” Goatse’s Escher Auernheimer said.
In a post published today, Auernheimer argued that AT&T hasn’t been honest with its customers, and that Apple has been slow to repair security bugs that were revealed months ago:
I released a semantic integer overflow exploit for Safari through Goatse Security in March; it was patched on Apple’s desktop Safari but has yet to be patched on the iPad. This bug we crafted allows the viewer of a webpage to become a proxy (behind corporate and government firewalls!) for spamming, exploit payloads, password brute-force attacks and other undesirables. The kicker is that this attack cannot be detected by any current IDS/IPS system. We released this in March, mind you, and Apple still hasn’t got around to patching this on the iPad! I know through personal experience that the patch time for an iPad vulnerability is over two months and counting. Given that, the number of parties which probably have active iPad exploits likely numbers in the hundreds, if not the thousands. The iPad simply is not a safe platform for those that require a secure environment.
If you’re an iPad owner and you’re concerned about the security of your data, you do have some options, the most obvious of which are to use the device’s VPN (virtual private network) tools when sending and receiving sensitive information, and to avoid visiting unfamiliar web sites. However, security experts warn that the iPad “is not enterprise-ready,” so don’t be surprised if your IT folks aren’t willing to support it and disavow all knowledge of your existence if you try using one for work.
A response to AT&T’s letter — We have an iPad exploit and all iPads are vulnerable. [Goatse Security]
iPad security for the enterprise still subject to debate [Computerworld]