AT&T Breach May Be Worse Than Initially Thought
ChrisPaget writes "I'm somewhat of an authority on GSM security, having given presentations on it at Shmoocon (M4V) and CCC (I'm also scheduled to talk about GSM at this year's Defcon). This is my take on the iPad ICCID disclosure — the short version is that (thanks to a bad decision by the US cell companies, not just AT&T) ICCIDs can be trivially converted to IMSIs, and the disclosure of IMSIs leads to some very severe consequences, such as name and phone number disclosure, global tower-level tracking, and making live interception a whole lot easier. My recommendation? AT&T has 114,000 SIM cards to replace and some nasty architectural problems to fix."
Reader tsamsoniw adds that AT&T has criticized the security group responsible for pointing out the flaw, while the group claims they did it 'as a service to our nation.'
Of course (Score:5, Interesting)
Not surprisingly, AT&T criticized the "security team" that discovered and reported the hole because it made them (AT&T) look pretty bad.
In a fair world, the security team would send AT&T a nice big bill for their services and AT&T would promptly pay it with a note of thanks.
ICCID = IMSI (Score:5, Interesting)
http://www.mfi-training.com/forum/paper/SIM&Salsa.pdf [mfi-training.com]
Their lack of security, let me show you it:
T-Mobile
ICCID 8901260390012345679
IMSI....... 310260391234567
AT&T
ICCID 89310170101234567891
IMSI......... 310170123456789
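An added example, not part of the thread or of the submitter's write-up: a check an operator could run over its own provisioning records to see whether its ICCID numbering exposes the IMSI, which is the pattern the two sample pairs in the comment above show. The function names and the third, randomised ICCID are constructed for illustration, and the 3-digit MNC default is an assumption that matches the US samples.

```python
# Pairs copied from the comment above, plus one constructed ICCID whose
# account digits are random (hypothetical, for contrast).
SAMPLES = [
    ("8901260390012345679", "310260391234567"),   # T-Mobile pair from the thread
    ("89310170101234567891", "310170123456789"),  # AT&T pair from the thread
    ("8901260582044173653", "310260391234567"),   # constructed: randomised account number
]

def split_imsi(imsi, mnc_len=3):
    """IMSI = MCC (3 digits) + MNC (2 or 3 digits) + MSIN."""
    return imsi[:3], imsi[3:3 + mnc_len], imsi[3 + mnc_len:]

def is_subsequence(needle, haystack):
    """True if the digits of needle occur in haystack in order, gaps allowed."""
    it = iter(haystack)
    return all(d in it for d in needle)

def iccid_leaks_imsi(iccid, imsi, mnc_len=3):
    """True when the MNC appears verbatim in the ICCID and the MSIN digits
    follow it in order, so the IMSI can be read off the printed card number."""
    if not (iccid.isdigit() and imsi.isdigit()):
        raise ValueError("ICCID and IMSI must be digit strings")
    if not iccid.startswith("89") or len(imsi) > 15:
        raise ValueError("expected an '89'-prefixed ICCID and an IMSI of at most 15 digits")
    _mcc, mnc, msin = split_imsi(imsi, mnc_len)
    body = iccid[2:-1]  # drop the "89" telecom prefix and the trailing check digit
    pos = body.find(mnc)
    if pos < 0:
        return False
    return is_subsequence(msin, body[pos + len(mnc):])

def audit(pairs, mnc_len=3):
    """Return the ICCIDs in a batch of (ICCID, IMSI) records that expose their IMSI."""
    return [iccid for iccid, imsi in pairs if iccid_leaks_imsi(iccid, imsi, mnc_len)]

if __name__ == "__main__":
    leaking = audit(SAMPLES)
    print(f"{len(leaking)}/{len(SAMPLES)} ICCIDs expose their IMSI: {leaking}")
```

A single match can occur by chance, so the signal is the share of a batch that matches: a numbering plan where nearly every record matches ties the two identifiers together.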
Re:oh noes (Score:2, Interesting)