Forgot your password?
typodupeerror
Communications Security

AT&T Breach May Be Worse Than Initially Thought 102

Posted by Soulskill
from the i-smell-class-action dept.
ChrisPaget writes "I'm somewhat of an authority on GSM security, having given presentations on it at Shmoocon (M4V) and CCC (I'm also scheduled to talk about GSM at this year's Defcon). This is my take on the iPad ICCID disclosure — the short version is that (thanks to a bad decision by the US cell companies, not just AT&T) ICCIDs can be trivially converted to IMSIs, and the disclosure of IMSIs leads to some very severe consequences, such as name and phone number disclosure, global tower-level tracking, and making live interception a whole lot easier. My recommendation? AT&T has 114,000 SIM cards to replace and some nasty architectural problems to fix." Reader tsamsoniw adds that AT&T has criticized the security group responsible for pointing out the flaw, while the group claims they did it 'as a service to our nation.'
This discussion has been archived. No new comments can be posted.

AT&T Breach May Be Worse Than Initially Thought

Comments Filter:
  • Phew (Score:1, Funny)

    by Azureflare (645778)

    I'm glad I got the WiFi-only version!

    • by Anonymous Coward

      I'm glad I didn't get one!

  • Well (Score:3, Funny)

    by Anonymous Coward on Monday June 14, 2010 @05:50PM (#32571488)

    I'm proud that Goatse Security revealed this gaping security hole.

  • thanks... (Score:5, Insightful)

    by Michael Kristopeit (1751814) on Monday June 14, 2010 @05:50PM (#32571498)
    my thanks for the security team's service to me.
  • oh noes (Score:1, Informative)

    by stokessd (89903)

    People could eavesdrop in on my boring conversations with friends and family. That's a serious waste of intercept technology and time and effort.

    Given that it's a RF broadcast signal, people shouldn't have an over-developed sense of privacy.

    If this led to a release of my credit card info etc, then I'm worried. If it's a release of my email address that every spammer already has, then wake me when this story blows over.

    Sheldon

    • Re: (Score:2, Interesting)

      by Anonymous Coward
      Assuming an info leak like this is true, we're talking about a crime network knowing when everyone is at home, at work, stuck in traffic, on vacation, etc. That's billions of dollars worth of info given what they could accomplish with it.
  • Of course (Score:5, Interesting)

    by PopeRatzo (965947) * on Monday June 14, 2010 @06:05PM (#32571752) Homepage Journal

    Not surprisingly, AT&T criticized the "security team" that discovered and reported the hole because it made them (AT&T) look pretty bad.

    In a fair world, the security team would send AT&T a nice big bill for their services and AT&T would promptly pay it with a note of thanks.

    • by somaTh (1154199)
      They should know. No good deed goes unpunished.
    • by cacba (1831766)
      Perhaps the users whos info was leaked could sue and send a nice big cheque to the security team.
  • by Locutus (9039) on Monday June 14, 2010 @06:06PM (#32571760)
    screw AT&T if that is what they think. Same goes for any other company who builds and designs half-assed security measures and publicly, or even privately, blasts those for exposing how much they suck at this. It's like blaming the people who exposed Madoff.

    LoB
  • by SunSpot505 (1356127) on Monday June 14, 2010 @06:10PM (#32571806)
    "Captain, I discovered that the bulkheads that seal the ship in case of a hull breach actually stop several floors short, and could be compromised in the event of a major collision."

    "How dare you point out a fatal flaw in our Honorable Engineer's design. Now that the Icebergs know this, they will surely attack our boat! You should have kept your dumb mouth shut"

    "but..."
    • Okay, completely off-topic, but the Titanic's watertight compartment design was pretty good. The ship was not divided along its long axis, which was a deliberate design decision to make sure it stay on an even keel (i.e. didn't capsize) even in the event of a catastrophic collision. The Titanic took hours to sink, even though it had a hole 1/3rd the length of its hull under the waterline. Compare this to some other [wikipedia.org] sinkings [wikipedia.org], and I think the Titanic holds up pretty well.

      Lack of lifeboats was, of course, the

  • Seems like karma since they just shafted 3G us users with limited data plans. Now they are getting the shaft over security. Maybe they could appease our anger with unlimited data plans.
    • Re: (Score:2, Informative)

      by Widowwolf (779548)
      They didn't screw anyone over..It is your choice to upgrade or downgrade you plan away from the Unlimited data plan. They are not forcing you to upgrade to a different phone. I am keeping my Iphone 3g/Unlimited plan until i am ready to move off the plan.. Then I will make the choice whether to stick with ATT or not at that time.. They didn't say you will have this option forever..And guess what when you contract expires, you will still be on the unlimited plan until you consciously choose to move to a diffe
      • by cayenne8 (626475)
        "They didn't screw anyone over..It is your choice to upgrade or downgrade you plan away from the Unlimited data plan. They are not forcing you to upgrade to a different phone. I am keeping my Iphone 3g/Unlimited plan until i am ready to move off the plan.. Then I will make the choice whether to stick with ATT or not at that time.. They didn't say you will have this option forever..And guess what when you contract expires, you will still be on the unlimited plan until you consciously choose to move to a diff
  • ICCID = IMSI (Score:5, Interesting)

    by TubeSteak (669689) on Monday June 14, 2010 @06:15PM (#32571892) Journal

    http://www.mfi-training.com/forum/paper/SIM&Salsa.pdf [mfi-training.com]
    Their lack of security, let me show you it:

    T-Mobile
    ICCID 8901260390012345679
    IMSI....... 310260391234567

    AT&T
    ICCID 89310170101234567891
    IMSI......... 310170123456789

    • by The Yuckinator (898499) on Monday June 14, 2010 @07:13PM (#32572552)

      There's a luggage joke in here somewhere but I can't find it.

      • Re: (Score:1, Funny)

        by Anonymous Coward

        A suitcase full of artificial penises walks into an airport.

    • by NixieBunny (859050) on Monday June 14, 2010 @09:03PM (#32573524) Homepage

      The story says that not all carriers encode it like this; some might have used such advanced encryption techniques as ROT13.

      I wonder if the folks who do network design at AT&T have any idea at all that their job is related to security.

      • by eulernet (1132389)

        I wonder if the folks who do network design at AT&T have any idea at all that their job is related to security.

        Yes, they are securing their wages.

        Since it takes a lot of time, they don't have time to spend on customers.

      • by lmnfrs (829146)

        I wonder if the folks who do network design at AT&T have any idea at all that their job is related to security.

        Unless things have changed, they don't participate too much in the design of their network. The companies that invent new technology are the most knowledgeable of their brand new tech, so they're the best to install it and set it up. Since the phone network brands (e.g. AT&T) don't know the details, they don't know what to scrutinize; there isn't much pressure for the inventing company to pay attention to security.

    • Holy shit, that's my luggage combination. They stole it!
  • I use T-Mobile... another GSM type carrier... I'm not feeling too good about some of this. I was once a Sprint customer but hated their ass-hattedness. I will never willingly become a Verizon customer and I seriously dislike AT&T's attitude, service delivery, billing problem history, service plans and over-all history of abusing customers... not going there willingly either. So my choices are t-mobile or sprint. Anyone know of serious security problems with CDMA based mobile tech?

    • by Anonymous Coward

      GSM is an unamerican invention based on the useless antique TDMA for 2G, and the 3G is a rip-off of the American W-CDMA technology. Qualcomm is still waiting for Nokia to pay up after ripping them off, but it isn't likely to happen in anything other than a token way.

      You are using CDMA anyway, so why not use Verizon or Sprint and use the real version of CDMA which is more secure and reliable?

      • by Kakari (1818872)
        I can't tell - are you still working for Qualcomm or did they just let you go due to 'downsizing' ?
    • by dbcad7 (771464)
      Have you had any breaches ?.. do you know of anyone who has ?.. I am also on T-Mobile, I'm not too worried.. I made a conscious choice for GSM tech, because the whole CDMA thing being only in the US felt like the companies choosing it, were intentionally screwing over customers into locking in to their network.. and I can, and have, taken my GSM phone overseas and used it.. As to the carrier wars, they all have pro and cons.. I think both AT&T and Verizon get more of a bad rap than they probably deserve
  • by elrous0 (869638) *
    Normally AT&T is so beloved here on /. A story like this could ruin their reputation. It's almost as inconceivable as /.ers losing faith in Bill Gates.
  • My guess is that this really is not criminal. There is no real criminal intent, or in legalese, mens rea. Instead, the Goatse Security Group really did this as a form of public service. Was it the most ethical means to do so? Quite possibly not. Ethically speaking, Goatse would have been better off reporting it directly to AT&T first and then to the media if AT&T ignored or denied it. That way, Goatse would have some extra ammunition and would be much more clearly in the right. While I know t
    • by butlerm (3112)

      There is no real criminal intent, or in legalese, mens rea.

      Assuming the type of access they performed is proscribed by law, the only thing required to establish "criminal intent" is that they intended to do what they did.

      Whether they knew what they did was against the law, whether they intended to cause anyone any harm, or whether they thought what they were doing had some beneficial social purpose is completely irrelevant to the question of criminal intent. The question is did they intend to do something

    • by butlerm (3112)

      I should add that the level of intent required to make something a crime may differ from crime to crime, of course. General intent [answers.com] may not be enough in some cases.

  • "I'm somewhat of an authority on GSM security,

    That may very well be, but when I read that I see Anchorman Ron Burgundy saying: "I don't know how to put this but I'm kind of a big deal."...

  • Like a few other /.ers have pointed out, I feel this is more about the money. I do agree that Goatse probably didn't go about this in the most ethical manner, however I think their intent was good in nature. From the way it sounds, they wanted to make sure AT&T knew of the security hole, but also wanted the corporation to be held accountable by going to a media outlet. This ensures the company knows about the issue and has to take more prompt action to resolve it.

    Now back to the money. I don't doubt
  • Knowing how large companies work; Chris is going to get a subpoena to appear in court to provide his self-proclaimed expert testimony and Goatse Security is going to get charged with illegal computer access, which, by their own admission, did occur.

    And then everyone is going to forget about this and get right back to watching the World Cup.

  • I have worked on GSM networks for a living for over a decade and I am calling BS on this yellow editorial.

    What the author is suggesting is the wireless equivalent of hacking by Physical Level Access. No OS in the world can be 'secure' if you gain physical access to the machine it's running on. The idea that somebody can deduce your name and address, drive to your residence and get your mobile to attach to their pico cell for purposes of mining your data is ludicrous.

    1. IMSI is nothing special. It is nothing

Stupidity, like virtue, is its own reward.

Working...