AT&T Breach May Be Worse Than Initially Thought
ChrisPaget writes "I'm somewhat of an authority on GSM security, having given presentations on it at Shmoocon (M4V) and CCC (I'm also scheduled to talk about GSM at this year's Defcon). This is my take on the iPad ICCID disclosure — the short version is that (thanks to a bad decision by the US cell companies, not just AT&T) ICCIDs can be trivially converted to IMSIs, and the disclosure of IMSIs leads to some very severe consequences, such as name and phone number disclosure, global tower-level tracking, and making live interception a whole lot easier. My recommendation? AT&T has 114,000 SIM cards to replace and some nasty architectural problems to fix."
Reader tsamsoniw adds that AT&T has criticized the security group responsible for pointing out the flaw, while the group claims they did it 'as a service to our nation.'
Phew (Score:1, Funny)
I'm glad I got the WiFi-only version!
Re: (Score:1)
I'm glad I didn't get one!
Re: (Score:2)
I'm glad I didn't get one!
That's okay. Google got it for you anyhow.
*sips coffee*
Well (Score:3, Funny)
I'm proud that Goatse Security revealed this gaping security hole.
Re:Well (Score:5, Funny)
The best part about that team revealing this, was hearing NPR / CNN / BBC and others say Goatse in their broadcasts. Priceless!
Link please (Score:1, Troll)
Wait... is this correct?
Re: (Score:2)
Link + sig = funny.
Or realllllly wrong.
Re: (Score:2)
thanks... (Score:5, Insightful)
Re:Uh, correct me if I understood the story wrong (Score:5, Insightful)
Fixing their no-doubt-creaky-and-hideously-flawed-empire-of-security-by-obscurity will be a costly pain in the ass. Every day that they didn't have to do that was money saved, never mind the fact that the better grade of black hat could well have been doing targeted attacks against high value individuals for all that time. But now that the NYT has the story, they'll have to do something. Total bummer. Bad for shareholder value.
This is why so many vendors use the phrase "responsible disclosure" as a polite synonym for "shut the fuck up, never tell anybody except us, and don't think that telling us entitles you to any ETA on a fix."
Re:Uh, correct me if I understood the story wrong (Score:5, Insightful)
And this folks, is why everyone should support full disclosure. Full disclosure may hurt the producer (arguably they deserve to be hurt...), but responsible disclosure is just a stall tactic that hurts the consumer.
Re:Uh, correct me if I understood the story wrong (Score:5, Insightful)
I'm all about telling the vendor about the security hole before publicizing it if it's known not to already be in the wild. Give them a chance to do the right thing.
This duration of time should vary based on a variety of factors such as the company's past history in fixing exploits, public disclosure statements, severity, etc.
With that said, there is no reason that after 30 days, any exploit should be fully disclosed to the public. If the vendor doesn't like it, well they should have fixed the problem when only a few people knew about it. If they have egg on their face, it's because they failed to correct the problem.
A good example was the recent major DNS exploit. It was quietly fixed and then fully disclosed. That's how it should work.
Re: (Score:2)
s/should be fully disclosed /should not be fully disclosed /
I believe that is what you meant.
Yes, 30 days sounds about right.
Re: (Score:2)
I presume you mean "any exploit should NOT be fully disclosed to the public."?
In other words, my interpretation of the rest of your post is that you think that 30 days is the absolute maximum, and the full details should be public after that amount of time, maximum.
Re: (Score:2)
Correct, my mistake. Full disclosure must occur in a reasonable time or the vendors will have no reason to patch the exploits.
Re: (Score:2)
I'd agree with you, but think of this from the perspective of a knowledgeable person who comes across a vulnerability (0-day).
He's got several realistic options in today's world:
1) Release the vulnerability to the public. Public disgust with company shields releaser from public reprisal.
2) Alert the vendor to their problem. Let the vendor sit on it indefinitely and not fix anything.
3) Alternatively, wait for law enforcement to subsequently knock down his door for 'hacking activities' or some such bullshit a
Re: (Score:1)
Comment removed (Score:5, Insightful)
Re: (Score:2)
Re: (Score:2)
I've been over this argument more times than I care to remember. Full disclosure before a fix is available is irresponsible.
There are applications out there where you simply can not spray patches at the net to see what sticks. Each update has to be carefully tested and validated. These are typically very high reliability applications.
Your ignorant attitude to this problem overlooks the fact that it's not the software company that you need to be concerned about. It's the customers who bought it!
So go ahead
Re: (Score:2)
The only reasonable assumption to make is that you are not the best there is, other people have already found what you have found, or will find what you have found, and the only way to protect the customer is to make sure the software company fixes the issue as fast as possible. That is what full disclosure ensures.
I'm not ignorant of the exista
Re: (Score:2)
B) depends on who you ask. And D) they shared their script with unnamed other parties before the hole was closed.
Re: (Score:2)
Re: (Score:2)
Unauthorized access to a computer is a felony. So is copyright infringement for financial gain. Free speech is our most important right, but aiding and abetting others to commit crimes is a crime itself.
DVD John didn't do anything wrong in my book because DVDCSS had a lot of legitimate uses, despite what the movie studios said.
Selling information about an exploit to a third party while knowing they are likely to commit a crime with it is by definition aiding in the commission of a crime. Giving away that sa
Re: (Score:3, Informative)
Unauthorized access to a computer is a felony.
This access was authorized, as AT&T never requested any authorization.
So is copyright infringement for financial gain
What copyrighted data is relevant in this case? The list of emails? That's factual, and cannot be copyrighted any more than you can copyright the phone book.
Re: (Score:1)
Unauthorized access to a computer is a felony.
This access was authorized, as AT&T never requested any authorization.
the same defense used by the lawyers of individuals ultimately found guilty...
Re:Uh, correct me if I understood the story wrong (Score:5, Insightful)
A) They didn't need to download 114,000 e-mail addresses to prove it could be done. A handful would have been more than sufficient, or even a simple description of what to do to reproduce the exposure.
B) No they didn't warn AT&T. AT&T and Goatse both stated that Goatse never tried to contact them.
C) This one is true at least
They entered into AT&T's network, uninvited (unless you can find somewhere where AT&T gave them procedures on how to send spoofed IMSIs to the script), and basically attacked their network.
The proper course would have been to provide AT&T with information about the exposure. They should have destroyed all data recovered rather than forwarding it on to someone else.
Re: (Score:1)
The proper course would have been to provide AT&T with information about the exposure. They should have destroyed all data recovered rather than forwarding it on to someone else.
Yeah, well, you know, that's just, like, your opinion, man.
Educated minds have been discussing full/public vs 'responsible' disclosure since locksmiths in the 1800s.
The end result is that there's ~200 years worth of reasoning to back up both positions, with no agreement in sight.
Re: (Score:3, Informative)
They entered into AT&T's network, uninvited (unless you can find somewhere where AT&T gave them procedures on how to send spoofed IMSIs to the script), and basically attacked their network
I suspect what these folks did is probably illegal. However, nowhere do they appear to have "entered" AT&T's network, where "entering" means something like bypassing a firewall or logging onto a system. What they did was send requests to an unsecured interface, and AT&T's system happily sent back the answe
Re: (Score:2)
oh noes (Score:1, Informative)
People could eavesdrop in on my boring conversations with friends and family. That's a serious waste of intercept technology and time and effort.
Given that it's a RF broadcast signal, people shouldn't have an over-developed sense of privacy.
If this led to a release of my credit card info etc, then I'm worried. If it's a release of my email address that every spammer already has, then wake me when this story blows over.
Sheldon
Re: (Score:2, Interesting)
Of course (Score:5, Interesting)
Not surprisingly, AT&T criticized the "security team" that discovered and reported the hole because it made them (AT&T) look pretty bad.
In a fair world, the security team would send AT&T a nice big bill for their services and AT&T would promptly pay it with a note of thanks.
Re: (Score:1)
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
I believe he was suggesting suing AT&T for making the information publicly accessible.
Re: (Score:2)
He said "In a fair world...", but you cut that off.
If you didn't cut that off, you would actually have nothing to say.
I am not sure how you got modded up at all, you have added nothing to the conversation.
education is a security threat to our nation (Score:4, Insightful)
LoB
Meanwhile on the Titanic.... (Score:4, Funny)
"How dare you point out a fatal flaw in our Honorable Engineer's design. Now that the Icebergs know this, they will surely attack our boat! You should have kept your dumb mouth shut"
"but..."
Re: (Score:1)
Re: (Score:2)
AT&T had a hole. Goatse strapped a JATO rocket onto their car, and slammed AT&T up the ass because the security hole needed to be shown. AT&T complained that they shouldn't have used the JATO rocket.
Re: (Score:2)
Okay, completely off-topic, but the Titanic's watertight compartment design was pretty good. The ship was not divided along its long axis, which was a deliberate design decision to make sure it stayed on an even keel (i.e. didn't capsize) even in the event of a catastrophic collision. The Titanic took hours to sink, even though it had a hole 1/3rd the length of its hull under the waterline. Compare this to some other sinkings, and I think the Titanic holds up pretty well.
Lack of lifeboats was, of course, the
AT&T needs to compensate us with unlimited dat (Score:1)
Re: (Score:2, Informative)
Re: (Score:2)
ICCID = IMSI (Score:5, Interesting)
http://www.mfi-training.com/forum/paper/SIM&Salsa.pdf
Their lack of security, let me show you it:
T-Mobile
ICCID 8901260390012345679
IMSI  310260391234567
AT&T
ICCID 89310170101234567891
IMSI  310170123456789
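The summary says ICCIDs "can be trivially converted to IMSIs", and the two numbers above show why: the subscriber digits of the IMSI sit inside the printed SIM serial. As an added illustration (not code from the thread or from any poster), here is a small Python audit a carrier's security team could run over its own SIM inventory. For each (ICCID, IMSI) pair it validates the ICCID's Luhn check digit (ITU-T E.118 numbers end in one) and measures the longest run of consecutive digits the ICCID shares with the subscriber part of the IMSI (MNC + MSIN). The 7-digit leak threshold, the 3-digit MCC assumption and the third "control" pair are constructed for this example; the first two pairs are the thread's illustrative numbers, which, being placeholders, do not pass the check digit.

```python
"""Audit a SIM numbering plan for IMSI leakage through the ICCID.

Added example; not code from the thread. For each (ICCID, IMSI) pair it checks
that the ICCID carries a valid Luhn check digit (ITU-T E.118 / ISO 7812) and
how many consecutive digits the ICCID shares with the subscriber-identifying
part of the IMSI (MNC + MSIN). A long shared run means the IMSI can be read
off the printed SIM serial, which is the weakness the thread discusses.
"""
from dataclasses import dataclass
from typing import List, Tuple


def luhn_valid(number: str) -> bool:
    """Return True if `number` (digits only, check digit last) passes Luhn."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    # Position 1 is the check digit itself; every second digit from there
    # is doubled, with two-digit products reduced by 9.
    for pos, ch in enumerate(reversed(number), start=1):
        d = int(ch)
        if pos % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def longest_common_substring(a: str, b: str) -> str:
    """Longest run of consecutive characters present in both strings."""
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


# Assumptions for this example: the IMSI's leading MCC is 3 digits, and a
# shared run of 7+ digits between a 15-digit IMSI and a 19/20-digit ICCID is
# far too unlikely to be coincidence, so it indicates a deterministic mapping.
MCC_LEN = 3
LEAK_THRESHOLD = 7


@dataclass
class AuditResult:
    label: str
    iccid_check_ok: bool
    shared_digits: str
    leaks_imsi: bool


def audit_pair(label: str, iccid: str, imsi: str) -> AuditResult:
    """Assess one SIM: is the ICCID well-formed, and does it expose the IMSI?"""
    subscriber_part = imsi[MCC_LEN:]  # MNC + MSIN
    shared = longest_common_substring(subscriber_part, iccid)
    return AuditResult(
        label=label,
        iccid_check_ok=luhn_valid(iccid),
        shared_digits=shared,
        leaks_imsi=len(shared) >= LEAK_THRESHOLD,
    )


# Constructed sample inventory. The first two pairs are the illustrative
# numbers posted in the thread (placeholders, so their check digits do not
# verify). The third is a constructed control: a Luhn-valid ICCID whose
# account field is unrelated to the IMSI, i.e. the decoupling the summary
# says carriers need.
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("T-Mobile (thread example)", "8901260390012345679", "310260391234567"),
    ("AT&T (thread example)", "89310170101234567891", "310170123456789"),
    ("constructed control", "8901260975318642054", "310260391234567"),
]


def run_audit(inventory=SAMPLE_INVENTORY) -> List[AuditResult]:
    """Audit every row of the inventory and return the results in order."""
    return [audit_pair(*row) for row in inventory]


if __name__ == "__main__":
    for r in run_audit():
        flag = "LEAKS IMSI" if r.leaks_imsi else "ok"
        print(f"{r.label:28} luhn={r.iccid_check_ok!s:5} "
              f"shared={r.shared_digits!r:14} {flag}")
```

Run stand-alone, the two thread examples are flagged (they share the runs 1234567 and 0123456789 with their IMSIs) while the control pair shares only the three-digit issuer prefix 260 and passes. The substring heuristic is deliberately agnostic about where each carrier puts the IMSI digits, so it works across the different layouts the two carriers use.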
Re:ICCID = IMSI (Score:4, Funny)
There's a luggage joke in here somewhere but I can't find it.
Re: (Score:1, Funny)
A suitcase full of artificial penises walks into an airport.
Re:ICCID = IMSI (Score:5, Funny)
The story says that not all carriers encode it like this; some might have used such advanced encryption techniques as ROT13.
I wonder if the folks who do network design at AT&T have any idea at all that their job is related to security.
Re: (Score:2)
I wonder if the folks who do network design at AT&T have any idea at all that their job is related to security.
Yes, they are securing their wages.
Since it takes a lot of time, they don't have time to spend on customers.
Re: (Score:2)
I wonder if the folks who do network design at AT&T have any idea at all that their job is related to security.
Unless things have changed, they don't participate too much in the design of their network. The companies that invent new technology are the most knowledgeable of their brand new tech, so they're the best to install it and set it up. Since the phone network brands (e.g. AT&T) don't know the details, they don't know what to scrutinize; there isn't much pressure for the inventing company to pay attention to security.
Re: (Score:1)
How about Sprint and Verizon? (Score:2)
I use T-Mobile... another GSM type carrier... I'm not feeling too good about some of this. I was once a Sprint customer but hated their ass-hattedness. I will never willingly become a Verizon customer and I seriously dislike AT&T's attitude, service delivery, billing problem history, service plans and over-all history of abusing customers... not going there willingly either. So my choices are T-Mobile or Sprint. Anyone know of serious security problems with CDMA based mobile tech?
Re: (Score:1)
GSM is an un-American invention based on the useless antique TDMA for 2G, and the 3G is a rip-off of the American W-CDMA technology. Qualcomm is still waiting for Nokia to pay up after ripping them off, but it isn't likely to happen in anything other than a token way.
You are using CDMA anyway, so why not use Verizon or Sprint and use the real version of CDMA which is more secure and reliable?
Re: (Score:1)
How often do people really buy phones not directly from their carrier? I used to buy phones on eBay, but I am hooked on Android and loving my Motorola Droid. I think that people who do "extreme" things like rock climbing might benefit from SIM card swaps. Smartphone most of the time, crap phone when it might break. You can swap Verizon phones on the web site anyway, this isn't the 1980s. No need to ask permission or even call tech support.
Also the "if it is unlocked" caveat for GSM is a big one. The iPhone
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
It's not all as simple as you'd like to pretend.
Re: (Score:1)
Re: (Score:1)
Re: (Score:1)
I forgot to say that the European examples weren't examples of major success, just examples that CDMA is used everywhere other than maybe Australia lately, even in European countries that get the most frothy at the mouth about it.
CDMA in the official form is used all over the Americas, eastern and western Europe, the middle east, Asia, the whole world.
The fact that an inferior standard that was released earlier (as a 2G service, before W-CDMA enabled 3G) has more usage shouldn't be surprising. Again, look a
Re: (Score:1)
UMTS (3G GSM) does at least attempt to address the worst GSM (2G) security faults.
I haven't worked with OFDMA in a while, but as I recall it splits users across orthogonal frequenc
Re: (Score:3, Funny)
Uh oh (Score:2)
Thoughts (Score:2)
Re: (Score:2)
There is no real criminal intent, or in legalese, mens rea.
Assuming the type of access they performed is proscribed by law, the only thing required to establish "criminal intent" is that they intended to do what they did.
Whether they knew what they did was against the law, whether they intended to cause anyone any harm, or whether they thought what they were doing had some beneficial social purpose is completely irrelevant to the question of criminal intent. The question is did they intend to do something
Re: (Score:2)
I should add that the level of intent required to make something a crime may differ from crime to crime, of course. General intent may not be enough in some cases.
Ron Burgundy (Score:1)
That may very well be, but when I read that I see Anchorman Ron Burgundy saying: "I don't know how to put this but I'm kind of a big deal."...
Kudos are owed to Goatse (Score:1)
Now back to the money. I don't doubt
What's going to happen is.... (Score:1)
Knowing how large companies work, Chris is going to get a subpoena to appear in court to provide his self-proclaimed expert testimony and Goatse Security is going to get charged with illegal computer access, which, by their own admission, did occur.
And then everyone is going to forget about this and get right back to watching the World Cup.
This is not a 'vulnerability' (10 yr GSM veteran) (Score:1)
I have worked on GSM networks for a living for over a decade and I am calling BS on this yellow editorial.
What the author is suggesting is the wireless equivalent of hacking by Physical Level Access. No OS in the world can be 'secure' if you gain physical access to the machine it's running on. The idea that somebody can deduce your name and address, drive to your residence and get your mobile to attach to their pico cell for purposes of mining your data is ludicrous.
1. IMSI is nothing special. It is nothing