AT&T-iPad security

AT&T-iPad security breach may be worse ...

Researchers looking in to the security of GSM phone networks are proposing that the recent breach, which saw tens of thousands of e-mail addresses & ICC-IDs inadvertently disclosed by AT&T, could have far more significant implications than a small bit of additional spam: attackers can use the information to learn the names & phone numbers of the leaked users, & may even track their position.

The issue is that ICC-IDs—unique serial numbers that identify each SIM card—can often be converted in to IMSIs. While the ICC-ID is nonsecret—it’s often found printed on the boxes of cellphone/SIM bundles—the IMSI is secret. In theory, knowing an ICC-ID shouldn’t be to decide an IMSI. The phone companies do require to know which IMSI corresponds to which ICC-ID, but this ought to be completed by looking up the values in a giant database.

In practice, however, plenty of phone companies basically calculate the IMSI from the ICC-ID. This calculation is often simple indeed, being small more complex than “combine this hard-coded value with the last nine digits of the ICC-ID.” So while the leakage of AT&T’s customers’ ICC-IDs ought to be harmless, in practice, it could reveal a secret ID.

What can be completed with that secret ID? a lot, it turns out. The IMSI is sent by the phone to the network when first signing on to the network; it’s used by the network to figure out which call ought to be routed where. With anyone else’s IMSI, an attacker can decide the person’s name & phone number, & even track his or her position. It also opens the door to active attacks—creating fake cell towers that a victim’s phone will connect to, enabling every call & text message to be eavesdropped.