
Recently the email address and ICCID (SIM serial number) of at least 140,000 iPad 3G owners were left unprotected by AT&T. AT&T chose to blame "hackers" for stealing this information, but that is just deflection. AT&T didn't adequately protect customer information, and as a result someone found it.
AT&T also claims that it was only the email address and ICCID that leaked, which is another partial truth. A 2008 paper titled SIMs and Salsa demonstrates how the ICCID is directly linked to the IMSI.
AT&T SIM cards have a 20-digit ICCID, and the IMSI is 15 digits long.
The iPad ICCIDs all seem to begin with 8901410424, followed by 9 important digits and then a single checksum digit. For example 89014104240123456781.
An AT&T IMSI is 15 digits, made up of the MCC (310), the MNC (170) and the 9 digits preceding the checksum in the ICCID (012345678 in the example). So if your ICCID was 89014104240123456781 as in the example above, your IMSI would be 310170012345678.
You can find your ICCID on your iPad by opening Settings, choosing General and then About.
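An added example, not part of the original post: since the ICCID reveals the IMSI, logs and exports that contain these ICCIDs need the same handling as IMSIs. This Python code derives the IMSI from the prefix, MCC and MNC given above and masks matching ICCIDs in text; the function names and sample log lines are constructed for illustration, and the check digit is not validated.

```python
import re

# Values stated in the article for AT&T iPad 3G SIMs.
ICCID_PREFIX = "8901410424"   # first 10 digits of the 20-digit ICCID
MCC, MNC = "310", "170"       # IMSI = MCC + MNC + 9 subscriber digits

# Prefix, 9 subscriber digits, 1 check digit; must not sit inside a longer digit run.
ICCID_RE = re.compile(r"(?<!\d)" + ICCID_PREFIX + r"(\d{9})(\d)(?!\d)")

# Constructed sample input: one real-shaped ICCID, one too short, one too long.
SAMPLE_LOG = """\
12:00:01 activation ok iccid=89014104240123456781 plan=3g
12:00:02 activation failed iccid=89014104240123456 reason=length
12:00:03 order=8901410424987654321099 shipped
"""


def imsi_from_iccid(iccid):
    """Return the 15-digit IMSI implied by an ICCID in the article's range."""
    m = ICCID_RE.fullmatch(iccid.strip())
    if m is None:
        raise ValueError("not a 20-digit ICCID with the expected prefix")
    return MCC + MNC + m.group(1)


def redact_iccids(text):
    """Mask subscriber digits and check digit of every matching ICCID.

    Returns (redacted_text, number_of_iccids_masked).
    """
    return ICCID_RE.subn(lambda m: ICCID_PREFIX + "*" * 10, text)


if __name__ == "__main__":
    # What a single exposed ICCID gives away, using the article's example.
    print(imsi_from_iccid("89014104240123456781"))
    redacted, count = redact_iccids(SAMPLE_LOG)
    print(count, "ICCID(s) masked")
    print(redacted)
```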
Why is the IMSI Important?
Each device has a unique IMSI, and the IMSI is considered sensitive enough that it's rarely sent over the wireless network. Even the name – International Mobile Subscriber Identity – implies that it is something that shouldn't be shared freely.
The IMSI is also one of two pieces of information needed to clone a SIM card, the other being the Ki, or subscriber authentication key. Fortunately the Ki can only be retrieved with physical access to the SIM card.
But knowing who a specific IMSI belongs to, for instance someone at the White House, allows an attacker to target a specific user. Using technology like an IMSI catcher an attacker can insert their own device between a target and the carrier network and monitor data or voice conversations. There are a number of flaws in GSM that I assume could also be exploited relatively easily by someone – like a foreign government – with the proper resources and motivation.
AT&T is downplaying their own incompetence at securing customer information, and is putting customers at risk. Customers who are newsworthy in their own right. Even if the information on the iPad isn't sensitive, it can easily be compromised and used as an attack vector onto a previously inaccessible corporate wifi network.
Perhaps AT&T feels that is not a real risk? The latest jailbreak is a userland jailbreak and it's not inconceivable that it could be adapted to work in Mobile Safari. The first iPhone was able to be jailbroken simply by visiting a special website. And Dave Aitel has been selling Silica since 2006. One of the use cases Aitel would pitch for Silica was to mail it to a CEO and let it automatically hack anything it could find, beginning with wifi networks.
AT&T needs to immediately and proactively issue all iPad 3G subscribers new SIM cards.


