iPad hack not so harmless

Analysis
Jun 17, 2010

Conventional wisdom says the hack of an AT&T service for the new iPad wasn't that bad. Not so fast, says security researcher Chris Paget...

The hack of iPad user info on the AT&T site may be much worse than an embarrassment, according to a security researcher who specializes in mobile devices. Yes, says Chris Paget of IOActive on his blog, the Integrated Circuit Card IDs (ICCIDs) exposed in the iPad attacks are intended to be public. But hackers could exploit lax security in other areas of AT&T’s GSM network and, using the email addresses exposed in the attacks, attack iPad accounts and gain access to sensitive information.

Paget is a well-known and respected security researcher who has a penchant for revealing inconvenient truths about ubiquitous technology. He famously concocted a device that could read and spoof access cards issued by HID, allowing those cards to be easily cloned.


According to Paget, the problem is with the way that AT&T (and potentially other carriers) uses the public ICCID values to generate other, non-public device IDs. In particular, Paget claims that the public ICCID is used to calculate an identifier known as the IMSI, a unique number used to authenticate a phone to a GSM network when that device first starts up. Rather than storing IMSIs exclusively in a secure and centralized database, AT&T has decentralized IMSI generation — basically allowing retail outlets and others who are responsible for onboarding new mobile devices to calculate it on the fly, given the ICCID.

That’s a decision, according to Paget, that opens up AT&T customers and the 100,000 or so high-visibility iPad users to a number of potential — though at this point hypothetical — attacks. Paget points to a presentation at the recent Source Boston conference on using IMSI numbers to derive the billing address, phone number and geolocation of mobile devices. Knowing which cell tower a particular user and device is connected to also makes it possible to trick that user’s device into connecting to a spoof tower — essentially conducting a 3G man-in-the-middle attack that could snarf the entirety of the device’s phone and data traffic.

Of course, iPads don’t do voice data, so some of the attack scenarios imagined for mobile phones don’t really translate. And clearly, cell tower spoofing isn’t the kind of thing that would be leveraged against your average iPad owner. But the exposed email addresses include some high-value targets, including NASA and Pentagon top brass, as well as executives from high finance. It’s not hard to imagine that certain sophisticated attackers might find cell tower spoofing worth the expense and effort.

As a solution, Paget recommends that compromised iPad owners be issued new SIM cards for their devices ASAP. The longer-term fix, of course, is for carriers to harden key elements of their 3G networks — deploying encryption around key transactions like IMSI generation, or at the very least recentralizing their operations so that key assets used in authenticating new or existing phones to the network can be properly defended and tracked.

Paget will be presenting some new research on using IMSI catchers at the upcoming Defcon. Given the reactions to some of his previous presentations, it will be interesting to see the response.

This article, “iPad hack not so harmless,” was originally published at InfoWorld.com.