AT&T Breach May Be Worse Than Initially Thought

ChrisPaget writes "I'm somewhat of an authority on GSM security, having given presentations on it at Shmoocon (M4V) and CCC (I'm also scheduled to talk about GSM at this year's Defcon). This is my take on the iPad ICCID disclosure — the short version is that (thanks to a bad decision by the US cell companies, not just AT&T) ICCIDs can be trivially converted to IMSIs, and the disclosure of IMSIs leads to some very severe consequences, such as name and phone number disclosure, global tower-level tracking, and making live interception a whole lot easier. My recommendation? AT&T has 114,000 SIM cards to replace and some nasty architectural problems to fix." Reader tsamsoniw adds that AT&T has criticized the security group responsible for pointing out the flaw, while the group claims they did it 'as a service to our nation.'

oh noes

[stokessd]

People could eavesdrop in on my boring conversations with friends and family. That's a serious waste of intercept technology and time and effort.

Given that it's a RF broadcast signal, people shouldn't have an over-developed sense of privacy.

If this led to a release of my credit card info etc, then I'm worried. If it's a release of my email address that every spammer already has, then wake me when this story blows over.

Sheldon

Re:AT&T needs to compensate us with unlimited

[Widowwolf]

They didn't screw anyone over..It is your choice to upgrade or downgrade you plan away from the Unlimited data plan. They are not forcing you to upgrade to a different phone. I am keeping my Iphone 3g/Unlimited plan until i am ready to move off the plan.. Then I will make the choice whether to stick with ATT or not at that time.. They didn't say you will have this option forever..And guess what when you contract expires, you will still be on the unlimited plan until you consciously choose to move to a different plan.

Re:Uh, correct me if I understood the story wrong

[Hatta]

Unauthorized access to a computer is a felony.

This access was authorized, as AT&T never requested any authorization.

So is copyright infringement for financial gain

What copyrighted data is relevant in this case? The list of emails? That's factual, and cannot be copyrighted any more than you can copyright the phone book.

Re:Uh, correct me if I understood the story wrong

[butlerm]

They entered into AT&T's network, uninvited (unless you can find somewhere where AT&T gave them procedures on how to send spoofed IMSI's to the script), and basically attacked their network

I suspect what these folks did is probably illegal. However, nowhere do they appear to have "entered" AT&Ts network, where "entering" means something like bypassing a firewall or logging onto a system. What they did was send requests to an unsecured interface, and AT&T's system happily sent back the answer.

What they did wasn't really an "attack" either, with the possible exception of a denial of service attack. AT&T doesn't seem to have noticed the extra accesses, however. It was not an "attack" in part because their actions did not cause any direct harm to the systems that they accessed, nor did they apparently need to disable, work around, or compromise any substantive security protocols.

However it appears that they have "intentionally accessed a computer without authorization" and obtained "information". That is probably a violation of 18 USC 1030 (a)(2) [cornell.edu] or a comparable state law.