The hack of iPad user info on the AT&T site may be much worse than an embarrassment, according to a security researcher who specializes in mobile devices. Yes, says Chris Paget of IOActive on his blog, the Integrated Circuit Card IDs (ICCIDs) exposed in the iPad attacks are intended to be public. But hackers could exploit lax security in other areas of AT&T's GSM network and, using the email addresses exposed in the attacks, attack iPad accounts and gain access to sensitive information.
Paget is a well-known and respected security researcher who has a penchant for revealing inconvenient truths about ubiquitous technology. He famously concocted a device that could read and spoof access cards issued by HID, allowing those cards to be easily cloned.
According to Paget, the problem is with the way that AT&T (and, potentially, other carriers) uses the public ICCID values to generate other, non-public device IDs. In particular, Paget claims that the public ICCID is used to calculate an identifier known as the IMSI, a unique number used to authenticate a phone to a GSM network when that device first starts up. Rather than storing IMSIs exclusively in a secure and centralized database, AT&T has decentralized IMSI generation -- basically allowing retail outlets and others who are responsible for onboarding new mobile devices to calculate it on the fly, given the ICCID.
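The design point Paget is making is that a secret identifier should not be a pure function of a public one. The following is an added illustration, not code from the article, from Paget or from AT&T, and the two derivation functions are toys: they are not AT&T's real ICCID-to-IMSI mapping, and the ICCID, the provisioning key and the test MCC/MNC prefix `001010` are constructed placeholders. It checks the ICCID's Luhn digit (ICCIDs really do end in a Luhn check digit) and then contrasts an unkeyed derivation, which anyone holding the ICCID can reproduce, with one keyed by a secret that only the central provisioning system should hold.

```python
import hashlib
import hmac

# Constructed sample ICCID (not a real subscriber value): 20 digits, Luhn-checked.
SAMPLE_ICCID = "89012601234567890121"

# Constructed placeholder for a secret held only by the carrier's central provisioning system.
PROVISIONING_KEY = b"constructed-provisioning-key-not-real"

# ITU test network MCC/MNC, used here only so the output has the shape of a 15-digit IMSI.
TEST_MCC_MNC = "001010"


def luhn_valid(number: str) -> bool:
    """Standard Luhn mod-10 check; an ICCID carries its check digit as the last digit."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def derive_imsi_unkeyed(iccid: str) -> str:
    """Toy stand-in for a scheme where the IMSI is a pure function of the public ICCID.
    Not any carrier's actual algorithm; it exists only to show that the output depends
    on nothing the attacker lacks."""
    digest = hashlib.sha256(iccid.encode()).hexdigest()
    return TEST_MCC_MNC + str(int(digest, 16) % 10**9).zfill(9)


def derive_imsi_keyed(iccid: str, key: bytes) -> str:
    """Same output shape, but the mapping is keyed (HMAC) with a central secret.
    Whoever runs this derivation must hold the key, which is exactly why pushing it
    out to retail outlets would mean distributing the secret as well."""
    mac = hmac.new(key, iccid.encode(), hashlib.sha256).hexdigest()
    return TEST_MCC_MNC + str(int(mac, 16) % 10**9).zfill(9)


def outsider_recovers_imsi(iccid: str, key: bytes) -> tuple:
    """Simulate an outsider who knows only the public ICCID.

    Returns (recovered_under_unkeyed, recovered_under_keyed): True when the
    outsider's computation matches the carrier's real value for that scheme.
    """
    if not luhn_valid(iccid):
        raise ValueError("ICCID fails Luhn check")
    real_unkeyed = derive_imsi_unkeyed(iccid)
    real_keyed = derive_imsi_keyed(iccid, key)

    # The outsider can run the public function as-is...
    guess_unkeyed = derive_imsi_unkeyed(iccid)
    # ...but has to guess the key for the keyed scheme (here: a wrong guess).
    guess_keyed = derive_imsi_keyed(iccid, b"attacker-guess")

    return (guess_unkeyed == real_unkeyed, guess_keyed == real_keyed)


if __name__ == "__main__":
    print("ICCID Luhn valid:", luhn_valid(SAMPLE_ICCID))
    print("outsider recovers (unkeyed, keyed):",
          outsider_recovers_imsi(SAMPLE_ICCID, PROVISIONING_KEY))
```

The keyed variant is the familiar fix, but it only helps if the key stays central: the moment the derivation is pushed to every onboarding point, the key goes with it, and the scheme collapses back to the unkeyed case. That is the crux of the decentralization concern in the paragraph above.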
That's a decision, according to Paget, that opens up AT&T customers and the 100,000 or so high-visibility iPad users to a number of potential -- though at this point hypothetical -- attacks. Paget points to a presentation at the recent Source Boston conference on using IMSI numbers to derive the billing address, phone number and geolocation of mobile devices. Knowing which cell tower a particular user and device is connected to also makes it possible to trick that user's device into connecting to a spoof tower -- essentially conducting a 3G man-in-the-middle attack that could snarf the entirety of the device's phone and data traffic.