The AT&T security breach that exposed some Apple iPad owners' e-mail addresses could help attackers more effectively launch a technically difficult attack known as IMSI catching, researchers tell eWEEK.
breach at AT&T
that exposed the e-mail addresses of a reported 114,000
owners of the iPad with Wi-Fi + 3G could potentially impact privacy
more than was initially thought.
Two security researchers told eWEEK that the ICCIDs (integrated circuit card
identifiers) of iPad owners could be used to determine their IMSIs
(International Mobile Subscriber Identities). With an IMSI
in hand, it would be easier for an attacker to potentially find the person in
an area by using an IMSI catcher to scan for
"You can do this without
knowing the IMSIs of people, but you won't know which IMSI belongs to which user," explained
independent security researcher Nick DePetrillo. "There are other ways to
determine that, but knowing ahead of time also helps, like in the case of the
A group going by the name Goatse
Security told Gawker.com
that it was able in the AT&T breach "to
guess a large swath of ICCIDs by looking at known iPad 3G ICCIDs ... which can
also be obtained through friendly associates who own iPads and are willing to
share their information, available within the iPad 'Settings'
application," said a Valleywag post by Ryan Tate.
Goatse Security used a script on AT&T's Website to obtain the
e-mail addresses. "When provided with an ICCID as part of an HTTP
request, the script would return the associated e-mail address," Tate
While AT&T said in a statement late June 9 the only information that could
be derived from the ICCIDs was the e-mail address attached to a particular
device, DePetrillo and Don Bailey, a security consultant at iSec Partners, said
information could help attackers
launch a technically difficult attack on
information that flows on the non-3G data portions of the GSM network.
Through IMSI catching, an attacker
could potentially intercept control messages or other data that might not be
protected by the stronger encryption of the 3G data network. There is no known
way to directly compromise or take control of a user's iPad with this
"Most U.S. GSM providers encode a unique portion of the International
Mobile Subscriber Identity within the ICCID," Bailey explained. "The IMSI
is unique to each subscriber on the GSM network and is considered a protected
value ... Though the threat of IMSI catching
is low, the attack can lead to a loss of personal privacy or an abuse of the
victim's mobile device."
The technical difficulty of IMSI catching
is currently high when trying to manipulate 3G data networks, but may be
worthwhile for an attacker due to the high profile of individuals affected by
the attack, he said. For now, the capability is limited to a handful of
individuals, but anyone with a large enough budget can replicate the technique
with varying success, he added.
"The equipment required to execute such an attack is decreasing,"
Bailey said. "With the appropriate technical knowledge, an attacker can
leverage equipment costing only a few thousand dollars to perform this attack
within approximately a square mile of coverage. Traffic from handsets within
that coverage area may be redirected through the IMSI
catcher, which then may lead to a loss of privacy or an abuse of mobile
Bailey suggested that the affected iPad owners consider requesting a new SIM
(Subscriber Identity Module) card from AT&T.
DePetrillo said the iPad using 3G for data transfer has stronger encryption
than just GSM voice, the typical target of IMSI
catching. As a result, a man-in-the-middle attack using an advanced IMSI
catcher won't get user data in clear text. Still, the researcher said, there is
a possibility that an attacker could intercept and manipulate any non-3G data.
"It really comes down to [the fact that] giving any advantages to the
attacker, including just unique numbers with names, can help them and that's
never a good thing ... For the average consumer, [this is] not that big a
deal-the bigger deal is information leakage of your identity and that unique
number from AT&T," DePetrillo said.