A few days ago Apple suffered a security breach (strictly speaking the leaking web application belonged to AT&T, the carrier for the iPad 3G) – the ICCIDs and email addresses of 114,000 iPad users were harvested, leading to widespread press coverage and speculation. The general consensus seems to be that disclosure of the ICCID (the serial number printed on the SIM card) has no real security consequences, and that the bigger problem is the associated email addresses. The consensus is badly wrong – here’s why.
The ICCID is an identifier for the SIM card, and the SIM card is an identifier for a particular subscriber. GSM has another number to identify a subscriber – it’s called the IMSI, and is generally considered worth protecting. For example, in normal operation your phone sends its IMSI over the air only when it attaches to a network without a valid TMSI (typically at power-on) – the network immediately assigns the handset a TMSI to use in place of the IMSI, where the TMSI is a somewhat-random number that bears no direct relationship to the IMSI. (The network can also demand the IMSI outright with an Identity Request, which is exactly what an IMSI catcher relies on.) The IMSI is a secret, for sure, but not one of the most important ones in GSM (such as Ki, the per-subscriber authentication key).
The ICCID is designed to be non-secret – it’s printed on the outside of the box that your phone came in, and is probably printed on your sales receipt as well. It’s intended that you should be able to figure out what the IMSI is from the ICCID, but only if you have access to the big database that correlates them (along with a bunch of other subscriber information – it’s called the HLR). In theory, disclosure of an ICCID should be useless without access to the HLR, so in theory the consensus is correct here.
In practice though, things are a little different. AT&T (as well as T-Mobile and Cingular) made a very bad security decision when they were architecting their networks – their logic was along the lines of the following. In order to translate an ICCID into an IMSI, you need to query the HLR. Not only does that mean giving HLR access to all kinds of places that need to do this (such as retail locations), it also means more load on the HLR, which is already one of the busier parts of any GSM network. Instead, they figured they could cut all of that out by making the IMSI and ICCID directly correlate – if you know one, you can calculate the other just by understanding how they’re structured and rearranging the digits. This means that the retail locations no longer need HLR access, and the HLR load drops because the lookup call is replaced with a few lines of C that translate on the fly. The cost is that the ICCID, a number the whole ecosystem treats as public, becomes exactly as sensitive as the IMSI that GSM goes to some trouble to keep off the air.
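The page does not give the carriers’ actual digit mapping, and this added example (not code from the original post or from any carrier) does not guess at it. Instead it shows the check a practitioner would run against their own carrier: given a handful of (ICCID, IMSI) pairs read off SIMs they legitimately own, is every IMSI digit either a constant or a fixed position in the ICCID? If so, the IMSI is derivable by rearranging digits and no HLR is needed. It also validates the ICCID’s Luhn check digit (ITU-T E.118), which is worth doing before trusting any dumped list. All SIM values are constructed: the PLMN is the ITU test network 001-01, the account numbers are made up, and the scheme in `make_demo_pair()` is a hypothetical carrier scheme invented for the demo.

```python
"""
Added example, not code from the original post or from any carrier.
Audit whether a carrier's IMSI is a fixed rearrangement of ICCID digits,
using only (ICCID, IMSI) pairs from SIMs you own.  All values below are
CONSTRUCTED: test PLMN 001-01, made-up account numbers, and a hypothetical
digit scheme in make_demo_pair() that is NOT AT&T's or T-Mobile's mapping.
"""


def luhn_check_digit(payload: str) -> str:
    """Luhn check digit for a digit string; ICCIDs (ITU-T E.118) end in one."""
    total = 0
    # Walk right to left.  In the full number the check digit is rightmost,
    # so the payload's rightmost digit is the first one that gets doubled.
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def iccid_is_valid(iccid: str) -> bool:
    """Structural sanity check: digits only, 19-20 long, '89' telecom prefix, Luhn ok."""
    return (
        iccid.isdigit()
        and 19 <= len(iccid) <= 20
        and iccid.startswith("89")
        and luhn_check_digit(iccid[:-1]) == iccid[-1]
    )


def split_imsi(imsi: str, mnc_len: int = 2) -> dict:
    """Split an IMSI into MCC (3 digits), MNC (2 or 3 digits; US carriers use 3) and MSIN."""
    if not (imsi.isdigit() and 6 <= len(imsi) <= 15 and mnc_len in (2, 3)):
        raise ValueError("malformed IMSI")
    return {"mcc": imsi[:3], "mnc": imsi[3:3 + mnc_len], "msin": imsi[3 + mnc_len:]}


def fixed_digit_map(pairs):
    """
    Explain every IMSI digit position as either a constant or one ICCID
    position that agrees in *every* pair.  Success means the IMSI is a pure
    digit rearrangement of the ICCID: no HLR lookup needed to translate.
    Returns a list of ("const", digit) / ("pos", index) entries, or None.
    Feed it several SIMs; with one or two, coincidental matches survive.
    """
    iccid_len = len(pairs[0][0])
    imsi_len = len(pairs[0][1])
    mapping = []
    for j in range(imsi_len):
        column = {im[j] for _, im in pairs}
        if len(column) == 1:
            mapping.append(("const", column.pop()))
            continue
        matches = [i for i in range(iccid_len) if all(ic[i] == im[j] for ic, im in pairs)]
        if not matches:
            return None  # this digit needs information the ICCID does not carry
        mapping.append(("pos", matches[0]))
    return mapping


def derive_imsi(iccid: str, mapping) -> str:
    """Apply a mapping found by fixed_digit_map() to a fresh ICCID."""
    return "".join(d if kind == "const" else iccid[d] for kind, d in mapping)


# --- constructed data (assumptions for the demo) ----------------------------
PLMN = "00101"            # ITU test network MCC 001 / MNC 01, not a real carrier
ICCID_PREFIX = "8900101"  # '89' telecom prefix + made-up country/issuer digits


def make_demo_pair(account: str):
    """Hypothetical carrier scheme: the 10-digit MSIN is account digits 2..11."""
    payload = ICCID_PREFIX + account
    return payload + luhn_check_digit(payload), PLMN + account[2:12]


DEMO_ACCOUNTS = ["482913057716", "905127463382", "117384920655",
                 "734061298413", "268559047120", "590746831297"]
DEMO_PAIRS = [make_demo_pair(a) for a in DEMO_ACCOUNTS]


def make_pooled_pair(account: str, msin: str):
    """Counter-example: IMSIs handed out from a separate pool (what an HLR-backed
    allocation looks like from outside), so IMSI digits never line up with the ICCID."""
    payload = ICCID_PREFIX + account
    return payload + luhn_check_digit(payload), PLMN + msin


POOLED_PAIRS = [make_pooled_pair("111111111111", "3333333333"),
                make_pooled_pair("222222222222", "4444444444")]


def audit(pairs) -> str:
    mapping = fixed_digit_map(pairs)
    if mapping is None:
        return "no fixed mapping: IMSI not derivable from ICCID alone"
    return "LEAK: IMSI is a fixed digit rearrangement of the ICCID: " + repr(mapping)


if __name__ == "__main__":
    print(audit(DEMO_PAIRS))
    print(audit(POOLED_PAIRS))
```

On the demo data `audit()` reports a leak and recovers the mapping (five constant PLMN digits, then ICCID positions 9 through 18), and applying that mapping to a SIM it has never seen yields the right IMSI; on the pooled data it finds no mapping. Note that a positive result is only meaningful with several SIMs, and a negative result from this check does not rule out a keyed or table-driven scheme, only a plain digit rearrangement.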
I noticed this artifact a little while ago with T-Mobile and hadn’t yet decided what to do with the info – it’s an information disclosure bug at best, and the telcos don’t tend to have security@ addresses that you can ping the same way you would a software company. I hadn’t even confirmed whether AT&T were vulnerable to the same thing. As it turns out though it’s a known issue – this paper from 2008 describes step-by-step how to calculate the IMSI from an AT&T or T-Mobile ICCID.
So. Now we have 114,000 email addresses and IMSIs leaked. How does that change things? A lot – there are at least two major attack scenarios that spring to mind.
This presentation on SS7 hackery from Nick DePetrillo and Don Bailey at Source earlier this year describes some of the things you can do if you know someone’s IMSI. The target’s full name (the unpublished billing name) and actual phone number are the first things you get, with the ability to track the individual as they roam around the world (down to knowing which tower they’re attached to) and retrieval of their voicemail easily obtainable as well (possibly via some clever social trickery).
So now you know who they are, where they are, and maybe their voicemail password – now we get into the active attack scenarios such as IMSI catchers. If we know where they are, all we need is a copy of OpenBootTS that’s configured to look like an AT&T tower; drive to within a couple of miles of their location and we become their cellular network. Every call they make, you get a copy of the audio – you also get a copy of every SMS message they send. Knowing their IMSI makes it a *lot* easier to configure GSM equipment so that they and only they will attach to your fake tower and hand you all of their traffic. I’m actually giving a presentation at Defcon about IMSI catchers and just how effective they are (you just have to spoof a pair of 3-digit numbers, the MCC and MNC that identify the carrier, and you’re in business); watch for the details to go up here in the next few days.
So yeah, knowing someone’s ICCID can give you their full unpublished billing name, their cellular phone number (and hence their home address), their current location on a realtime basis, their voicemail, and if you’re prepared to follow them around (within a few miles) then you get all their phone calls and SMS messages too.
My recommendations? In the short term, AT&T should replace all 114,000 SIM cards and issue all of these people new cellular identities. In the long term, AT&T and T-Mobile both need to stop translating IMSIs and ICCIDs like this, and opt for either a cryptographic approach (doable) or a more traditional HLR-based approach (better). The caveat with the cryptographic route is that a keyed mapping only moves the secret: every system that still needs to translate offline has to hold the key, and anyone who obtains it can translate the whole subscriber base at once. Leaks like this are going to be happening a whole lot more often; I’d also recommend that the cellular companies start waking up to the fact that they’re now a part of the internet security ecosystem rather than the telecommunications security ecosystem. That’s a big change – it’s going to be an interesting transition.
//edit: iPad is a data-only device, so voice isn’t entirely relevant here. If you have a target device on an IMSI catcher then you are their network, so you can also intercept data; I didn’t mention it in the main post because OpenBTS (and therefore OpenBootTS, which is based on it) is not data-capable. If you were really desperate there are places that’ll rent you much more functional GSM gear that’ll happily intercept anything you like if you have a spare $5-10k/month to burn…
//edit2: My friend and colleague Pete Markowsky has posted an excellent blog entry about the exact mechanics of translating an ICCID to an IMSI, and even an online tool that does the translation for you (verified with AT&T SIM cards and OpenBTS). Anyone still want to argue that ICCIDs aren’t a security risk in US cellular networks?