Posted by: Arik Hesseldahl Businessweek
How bad was the AT&T data breach on Apple’s iPad? According to AT&T, and the information about affected subscribers was limited to their email address, and a serial number known as an ICCID.
AT&T sent an email apologizing to affected customers, blaming “malicious hackers,” for the incident in reference to Goatse Security, a security consulting firm that publicized the vulnerability last week.
Now a wireless security consultant says that an ICCID number, once disclosed, can lead to further vulnerabilities that have been known for more than two years. An ICCID is a 19- or 20-digit serial number printed on a SIM card, the thumbnail-sized chip that gives the iPad and most wireless phones access to the cellular networks on which they operate.
Chris Paget, president and CTO of H4RDW4RE, a Sunnyvale, California-based firm that specializes in wireless security wrote in a blog post that on the AT&T network, the ICCID number directly correlates to another more sensitive and important number known as an IMSI, or International Mobile Subscriber Identity. An IMSI is a unique 15-digit number stored inside a SIM card, and it’s the number that a phone to identify itself on the wireless network.
Anyone who understand the correlation between the ICCID and IMSI numbers could use that information to carry out other kinds of attacks against wireless subscribers, Paget writes.
It turns out, that the correlation between the two numbers has already been documented. In a 2008 paper, security researcher Lee Reiber, owner of Boise, Idaho-based Mobile Forensics, Inc., a firm that trains law enforcement in collecting evidence from wireless phones, documented exactly how to extract an IMSI number from an AT&T ICCID number.
With the IMSI number in hand, the potential for trouble-making by an attacker grows much more serious, Paget says. In one scenario, the IMSI can be used to retrieve the subscriber’s full name, phone number, and approximate location relative to the nearest cell tower. Additionally, an attacker might be able to listen to their voice mail messages, something that obviously doesn’t apply to iPad owners.
In a second, more extreme scenario, a determined attacker could program a notebook PC to mimic a cell tower, and then drive within a few miles of their location, and intercept traffic from their phone or iPad. He describes the scenarios in more detail here and cites more original research in making his case.
AT&T spokesman Mark Siegel declined to comment on Paget’s observations in an email.
The list of people whose addresses were exposed include New York Times CEO Janet Robinson and New York Mayor Michael Bloomberg, the founder and majority owner of Bloomberg News parent Bloomberg Businessweek.
Niciun comentariu:
Trimiteți un comentariu