The AT&T security breach that exposed some Apple iPad owners' e-mail addresses could help attackers more effectively launch a technically difficult attack known as IMSI catching, researchers tell eWEEK.
The security breach at AT&T that exposed the e-mail addresses of a reported 114,000
owners of the iPad with Wi-Fi + 3G could potentially impact privacy
more than was initially thought.
Two security researchers told eWEEK that the ICCIDs (integrated circuit card
identifiers) of iPad owners could be used to determine their IMSIs
(International Mobile Subscriber Identities). With an IMSI
in hand, it would be easier for an attacker to potentially find the person in
an area by using an IMSI catcher to scan for
mobile devices.
"You can do this without
knowing the IMSIs of people, but you won't know which IMSI belongs to which user," explained
independent security researcher Nick DePetrillo. "There are other ways to
determine that, but knowing ahead of time also helps, like in the case of the
AT&T leak."
A group going by the name Goatse Security told Gawker.com that it was able in the AT&T breach "to
guess a large swath of ICCIDs by looking at known iPad 3G ICCIDs ... which can
also be obtained through friendly associates who own iPads and are willing to
share their information, available within the iPad 'Settings'
application," said a Valleywag post by Ryan Tate.
Goatse Security used a script on AT&T's Website to obtain the
e-mail addresses. "When provided with an ICCID as part of an HTTP
request, the script would return the associated e-mail address," Tate
wrote.
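The pattern Tate describes, an HTTP script that hands back a subscriber's e-mail for any ICCID it is given, is an authorization failure, not an authentication one: the ICCID is a sequential, shareable identifier, not a secret. The following Python is an added illustration, not code from the article or from AT&T's site. It models the flawed lookup beside a hardened variant that binds the lookup to an authenticated subscriber session, and includes the kind of enumeration probe a defender would run against both to confirm the fix. All ICCIDs, e-mail addresses, function names and the `Session` type are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample directory: three consecutively issued 20-digit ICCIDs.
# Consecutive issuance is what lets one known ICCID predict its neighbours.
SUBSCRIBERS = {
    "89014103211118510720": "alice@example.com",
    "89014103211118510721": "bob@example.com",
    "89014103211118510722": "carol@example.com",
}


def vulnerable_lookup(iccid: str) -> Optional[str]:
    """Models the flawed endpoint: the ICCID in the request is treated as
    sufficient proof that the caller owns that SIM."""
    return SUBSCRIBERS.get(iccid)


class AuthorizationError(Exception):
    """Raised when a request is unauthenticated or targets another subscriber."""


@dataclass(frozen=True)
class Session:
    """Hypothetical server-side session established by the carrier's login flow.
    The subscriber's ICCID is set by the server at login, never taken from the
    request body."""
    subscriber_iccid: str


def hardened_lookup(session: Optional[Session], iccid: str) -> str:
    """Hardened endpoint: a subscriber may only read their own record."""
    if session is None:
        raise AuthorizationError("authentication required")
    if session.subscriber_iccid != iccid:
        # Same error for "not yours" and "does not exist" so the endpoint is not
        # an oracle for which ICCIDs are provisioned.
        raise AuthorizationError("not authorized for this ICCID")
    email = SUBSCRIBERS.get(iccid)
    if email is None:
        raise AuthorizationError("not authorized for this ICCID")
    return email


def count_leaked(lookup: Callable[[str], Optional[str]], seed: str, span: int) -> int:
    """Defender's audit probe: starting from one known ICCID, query the
    neighbouring values through `lookup` and count how many subscriber records
    come back. A correctly authorized endpoint returns at most the caller's own."""
    base = int(seed)
    leaked = 0
    for delta in range(-span, span + 1):
        candidate = str(base + delta).zfill(len(seed))
        try:
            if lookup(candidate) is not None:
                leaked += 1
        except AuthorizationError:
            pass
    return leaked


if __name__ == "__main__":
    seed = "89014103211118510721"
    print("vulnerable endpoint leaked:", count_leaked(vulnerable_lookup, seed, 5))
    bob = Session(subscriber_iccid=seed)
    print("hardened endpoint leaked:",
          count_leaked(lambda i: hardened_lookup(bob, i), seed, 5))
```

Run against the constructed directory, the probe recovers all three records from the vulnerable endpoint and exactly one (the caller's own) from the hardened one. The design point is that the fix is not to make ICCIDs harder to guess but to stop treating them as credentials: the record is keyed to an authenticated session, and mismatches and unknown values produce the same error.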
While AT&T said in a statement late June 9 the only information that could
be derived from the ICCIDs was the e-mail address attached to a particular
device, DePetrillo and Don Bailey, a security consultant at iSec Partners, said
the iPad information could help attackers launch a technically difficult attack on
information that flows on the non-3G data portions of the GSM network.
Through IMSI catching, an attacker
could potentially intercept control messages or other data that might not be
protected by the stronger encryption of the 3G data network. There is no known
way to directly compromise or take control of a user's iPad with this
information, however.
"Most U.S. GSM providers encode a unique portion of the International
Mobile Subscriber Identity within the ICCID," Bailey explained. "The IMSI
is unique to each subscriber on the GSM network and is considered a protected
value ... Though the threat of IMSI catching
is low, the attack can lead to a loss of personal privacy or an abuse of the
victim's mobile device."
The technical difficulty of IMSI catching
is currently high when trying to manipulate 3G data networks, but may be
worthwhile for an attacker due to the high profile of individuals affected by
the attack, he said. For now, the capability is limited to a handful of
individuals, but anyone with a large enough budget can replicate the technique
with varying success, he added.
"The equipment required to execute such an attack is decreasing,"
Bailey said. "With the appropriate technical knowledge, an attacker can
leverage equipment costing only a few thousand dollars to perform this attack
within approximately a square mile of coverage. Traffic from handsets within
that coverage area may be redirected through the IMSI
catcher, which then may lead to a loss of privacy or an abuse of mobile
handsets."
Bailey suggested that the affected iPad owners consider requesting a new SIM
(Subscriber Identity Module) card from AT&T.
DePetrillo said the iPad using 3G for data transfer has stronger encryption
than just GSM voice, the typical target of IMSI
catching. As a result, a man-in-the-middle attack using an advanced IMSI
catcher won't get user data in clear text. Still, the researcher said, there is
a possibility that an attacker could intercept and manipulate any non-3G data.
"It really comes down to [the fact that] giving any advantages to the
attacker, including just unique numbers with names, can help them and that's
never a good thing ... For the average consumer, [this is] not that big a
deal; the bigger deal is information leakage of your identity and that unique
number from AT&T," DePetrillo said.