Slashdot Mirror


AT&T Breach May Be Worse Than Initially Thought

ChrisPaget writes "I'm somewhat of an authority on GSM security, having given presentations on it at Shmoocon (M4V) and CCC (I'm also scheduled to talk about GSM at this year's Defcon). This is my take on the iPad ICCID disclosure — the short version is that (thanks to a bad decision by the US cell companies, not just AT&T) ICCIDs can be trivially converted to IMSIs, and the disclosure of IMSIs leads to some very severe consequences, such as name and phone number disclosure, global tower-level tracking, and making live interception a whole lot easier. My recommendation? AT&T has 114,000 SIM cards to replace and some nasty architectural problems to fix." Reader tsamsoniw adds that AT&T has criticized the security group responsible for pointing out the flaw, while the group claims they did it 'as a service to our nation.'

102 comments

  1. Phew by Azureflare · · Score: 1, Funny

    I'm glad I got the WiFi-only version!

    1. Re:Phew by Anonymous Coward · · Score: 1

      I'm glad I didn't get one!

    2. Re:Phew by Fluffeh · · Score: 1

      I'm glad I didn't get one!

      That's okay. Google got it for you anyhow.

      *sips coffee*

      --
      Moved to http://soylentnews.org/. You are invited to join us too!
  2. Well by Anonymous Coward · · Score: 3, Funny

    I'm proud that Goatse Security revealed this gaping security hole.

    1. Re:Well by Anonymous Coward · · Score: 0

      Goatse Security defends decision to publicize hole

      Who would've thunk it?

    2. Re:Well by Anonymous Coward · · Score: 0

      I'm proud that Goatse Security revealed this gaping security hole.

      Speak for yourself! I think the guy's just a giant asshole! :)

    3. Re:Well by mr_lizard13 · · Score: 0, Redundant

      I'm not. It's turning out to be a right pain in the arse.

      --
      "We live in a global world" - Harvey Pitt, former Securities and Exchange Commission Chairman
    4. Re:Well by Krondor · · Score: 4, Funny

      The best part about that team revealing this, was hearing NPR / CNN / BBC and others say Goatse in their broadcasts. Priceless!

    5. Re:Well by lotho+brandybuck · · Score: 1

      I'd take the guys word for it. If anyone is capable of servicing the nation...

  3. thanks... by Michael+Kristopeit · · Score: 5, Insightful

    my thanks for the security team's service to me.

  4. Uh, correct me if I understood the story wrong by Anonymous Coward · · Score: 0, Troll

    But did the group not A) download all the data to detect that it could be done, B) warn AT&T who immediately plugged the hole, C) send a small sample to a journalist which he censored to publish the story?

    How has Goatsesecurity done anything they shouldn't have, EXCEPT draw attention to the fact that they were possibly not the first people to exploit the hole?

    1. Re:Uh, correct me if I understood the story wrong by fuzzyfuzzyfungus · · Score: 5, Insightful

      And point c) is why AT&T is bitching.

      Fixing their no-doubt-creaky-and-hideously-flawed-empire-of-security-by-obscurity will be a costly pain in the ass. Every day that they didn't have to do that was money saved, never mind the fact that the better grade of black hat could well have been doing targeted attacks against high value individuals for all that time. But now that the NYT has the story, they'll have to do something. Total bummer. Bad for shareholder value.

      This is why so many vendors use the phrase "responsible disclosure" as a polite synonym for "shut the fuck up, never tell anybody except us, and don't think that telling us entitles you to any ETA on a fix."

    2. Re:Uh, correct me if I understood the story wrong by Hatta · · Score: 1

      B depends on who you ask. and D) they shared their script with unnamed other parties before the hole was closed.

      --
      Give me Classic Slashdot or give me death!
    3. Re:Uh, correct me if I understood the story wrong by Anonymous Coward · · Score: 0

      If that's true they should go behind bars.

    4. Re:Uh, correct me if I understood the story wrong by hedwards · · Score: 1

      Why? It's a legitimate free speech action. DVD John didn't go to jail for posting his code for cracking CSS, and that was far less ambiguous in its legality.

    5. Re:Uh, correct me if I understood the story wrong by Sir_Lewk · · Score: 5, Insightful

      And this folks, is why everyone should support full disclosure. Full disclosure may hurt the producer (arguably they deserve to be hurt...), but responsible disclosure is just a stall tactic that hurts the consumer.

      --
      "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
    6. Re:Uh, correct me if I understood the story wrong by digitalunity · · Score: 5, Insightful

      I'm all about telling the vendor about the security hole before publicizing it if it's known not to already be in the wild. Give them a chance to do the right thing.

      This duration of time should vary based on a variety of factors such as the company's past history in fixing exploits, public disclosure statements, severity, etc.

      With that said, there is no reason that after 30 days, any exploit should be fully disclosed to the public. If the vendor doesn't like it, well they should have fixed the problem when only a few people knew about it. If they have egg on their face, it's because they failed to correct the problem.

      A good example was the recent major DNS exploit. It was quietly fixed and then fully disclosed. That's how it should work.

      --
      You can't legislate goodness. Let each to his own destiny, by will of his freely made choices.
    7. Re:Uh, correct me if I understood the story wrong by DJRumpy · · Score: 4, Insightful

      A) They didn't need to download 114,000 e-mail addresses to prove it could be done. A handful would have been more than sufficient, or even a simple description of what to do to reproduce the exposure.

      B) No they didn't warn AT&T. AT&T and Goatse both stated that Goatse never tried to contact them.

      C) This one is True at least

      They entered into AT&T's network, uninvited (unless you can find somewhere where AT&T gave them procedures on how to send spoofed IMSIs to the script), and basically attacked their network.

      The proper course would have been to provide AT&T with information about the exposure. They should have destroyed all data recovered rather than forwarding it on to someone else.

    8. Re:Uh, correct me if I understood the story wrong by digitalunity · · Score: 1

      Unauthorized access to a computer is a felony. So is copyright infringement for financial gain. Free speech is our most important right, but aiding and abetting others to commit crimes is a crime itself.

      DVD John didn't do anything wrong in my book because DVDCSS had a lot of legitimate uses, despite what the movie studios said.

      Selling information about an exploit to a third party while knowing they are likely to commit a crime with it is by definition aiding in the commission of a crime. Giving away that same information to the entire world in full disclosure would be speech, I think. It's for a social benefit, even if it is damaging to the company whose software is exploitable.

      --
      You can't legislate goodness. Let each to his own destiny, by will of his freely made choices.
    9. Re:Uh, correct me if I understood the story wrong by Hatta · · Score: 2, Informative

      Unauthorized access to a computer is a felony.

      This access was authorized, as AT&T never requested any authorization.

      So is copyright infringement for financial gain

      What copyrighted data is relevant in this case? The list of emails? That's factual, and cannot be copyrighted any more than you can copyright the phone book.

      --
      Give me Classic Slashdot or give me death!
    10. Re:Uh, correct me if I understood the story wrong by Michael+Kristopeit · · Score: 1

      Unauthorized access to a computer is a felony.

      This access was authorized, as AT&T never requested any authorization.

      the same defense used by the lawyers of individuals ultimately found guilty...

    11. Re:Uh, correct me if I understood the story wrong by SpaceLifeForm · · Score: 1

      s/should be fully disclosed /should not be fully disclosed /

      I believe that is what you meant.

      Yes, 30 days sounds about right.

      --
      You are being MICROattacked, from various angles, in a SOFT manner.
    12. Re:Uh, correct me if I understood the story wrong by mattack2 · · Score: 1

      With that said, there is no reason that after 30 days, any exploit should be fully disclosed to the public.

      I presume you mean "any exploit should NOT be fully disclosed to the public."?

      In other words, my interpretation of the rest of your post is that you think that 30 days is the absolute maximum, and the full details should be public after that amount of time, maximum.

    13. Re:Uh, correct me if I understood the story wrong by TubeSteak · · Score: 0

      The proper course would have been to provide AT&T with information about the exposure. They should have destroyed all data recovered rather than forwarding it on to someone else.

      Yeah, well, you know, that's just, like, your opinion, man.

      Educated minds have been discussing full/public vs 'responsible' disclosure since locksmiths in the 1800s.
      The end result is that there's ~200 years worth of reasoning to back up both positions, with no agreement in sight.

      --
      [Fuck Beta]
      o0t!
    14. Re:Uh, correct me if I understood the story wrong by hairyfeet · · Score: 4, Insightful

      But that isn't fair either, as anyone who has worked on any kind of complex software knows you can't just magically throw a fix out there, without breaking more than you fix!

      No, the fair and responsible thing is to give a standard 90 days and then disclose. If they can't get the shit done in 90 days knowing the clock is ticking then they deserve what they get, but 90 days should be a fair and reasonable time limit. That way every vendor knows exactly how much time they have got to get it done, the ones that find the hole and report it know that after 90 days they won't be judged as douchebags (unlike that asshole at Google that told them on patch Tuesday weekend and expected them to drop all that work and magically fix it in under a week) and nobody will have any doubts as to the time frame they have to get the problem solved.

      All in all it seems like a fair and reasonable solution to me, and will be a LOT safer than just blurting everything out immediately and giving black hats even more exploits to play with, not to mention causing rushed out patches without proper QA. I mean do we really want to HELP black hats send us more spam?

      --
      ACs don't waste your time replying, your posts are never seen by me.
    15. Re:Uh, correct me if I understood the story wrong by Anonymous Coward · · Score: 0

      "This duration of time should vary based on a variety of factors such as the companies past history in fixing exploits, public disclosure statements, severity, etc."

      Why should it not be immediately released? Do you honestly think the vendor is the only one affected? I guess my point is that this seems to be such a specious argument. Journalists are always talking about being professional about releasing the story over those it may hurt (let the public decide). Scientists are always pointing out the faults with traditional publishing, and getting the results out there sooner rather than later. Etc.

      If I run a business, using vendor's software, and you do "responsible disclosure," every extra time given to the vendor puts my business at risk. You, as the known discoverer of the security issue, may not be the first.

      If there is full disclosure, I can at least pull the affected systems offline. I can confirm if my systems are those affected. I can *do something effective* in protecting data and customers. Hell, by this very argument, it seems responsible disclosure hurts innocent people more than the irresponsible party (admittedly there are varying degrees of irresponsibility).

      Further, even the best of those (in intention, resources, and policy) to issue a rapid and effective fix drop the ball. The best of them don't care if there is full disclosure; they got owned, and they are pissed as shit at that by itself, and will work feverishly to fix the issue. However, the impetus for them to implement that fix, is still the negative attention. Fire off a security hole email via responsible disclosure, and it might not get noticed because there is no weight behind it. Do it full disclosure, and every user, customer, etc. will be saying "hey, do you know about this" and the fix will be the first priority.

      And what's with this "severity" crap? Software is everywhere. Unless it's a nuke code, I don't see how responsible disclosure helps. It perpetuates the problem. With software communicating and programming implanted heart defibrillators and pacemakers, how long do you want to wait? The theory is out there; you want to wait until even more of these devices get implanted in folks unfixed, so there are more victims when the code actually gets out there. What's the body count over time simply by some sick fuck walking through a mall before it registers with "responsible disclosure" shits that such crap doesn't help *at all*.

      (In the nuke example, it's the only way; the party (military/government) is the only body this is going to be able to fix it anyways, and the magnitude is such that if they don't listen to even the faintest hint of such a possibility, well, we're screwed already.)

    16. Re:Uh, correct me if I understood the story wrong by CAIMLAS · · Score: 1

      I'd agree with you, but think of this from the perspective of a knowledgeable person who comes across a vulnerability (0-day).

      He's got several realistic options in today's world:

      1) Release the vulnerability to the public. Public disgust with company shields releaser from public reprisal.
      2) Alert the vendor to their problem. Let the vendor sit on it indefinitely and not fix anything.
      3) Alternatively, wait for law enforcement to subsequently knock down his door for 'hacking activities' or some such bullshit after alerting said vendor of said problem.
      4) Do nothing but sit on it yourself (and how likely is that, if you've worked hard at finding something hidden?)

      --
      ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
    17. Re:Uh, correct me if I understood the story wrong by butlerm · · Score: 2, Informative

      They entered into AT&T's network, uninvited (unless you can find somewhere where AT&T gave them procedures on how to send spoofed IMSI's to the script), and basically attacked their network

      I suspect what these folks did is probably illegal. However, nowhere do they appear to have "entered" AT&Ts network, where "entering" means something like bypassing a firewall or logging onto a system. What they did was send requests to an unsecured interface, and AT&T's system happily sent back the answer.

      What they did wasn't really an "attack" either, with the possible exception of a denial of service attack. AT&T doesn't seem to have noticed the extra accesses, however. It was not an "attack" in part because their actions did not cause any direct harm to the systems that they accessed, nor did they apparently need to disable, work around, or compromise any substantive security protocols.

      However it appears that they have "intentionally accessed a computer without authorization" and obtained "information". That is probably a violation of 18 USC 1030 (a)(2) or a comparable state law.

    18. Re:Uh, correct me if I understood the story wrong by karlm · · Score: 1

      They didn't enter into AT&T's network uninvited, they used a public facing and unprotected URL to retrieve information that URL was intended to retrieve. This is no more intrusion than if AT&T had put that data in a public facing flat file on a server somewhere and hoped nobody discovered the URL.

      --
      Copyright Violation:"theft, piracy"::Anti-Trust Violation:"thermonuclear price terrorism"<-Overly dramatic language.
    19. Re:Uh, correct me if I understood the story wrong by digitalunity · · Score: 1

      Correct, my mistake. Full disclosure must occur in a reasonable time or the vendors will have no reason to patch the exploits.

      --
      You can't legislate goodness. Let each to his own destiny, by will of his freely made choices.
    20. Re:Uh, correct me if I understood the story wrong by karlm · · Score: 1

      At some point, I wrote a small tool that used Ron Rivest's "Time Lock Puzzles" to provide lagged full disclosure... publish full disclosure that will take several months to decrypt, and privately give the vendor the decryption key to give them a head start. Getting a gag order from the courts won't help the vendor at that point, since you've already published the encrypted information and the puzzle, it's just a matter of grinding through the time lock puzzle. The time ticking on the time lock puzzle should hopefully light a fire under their rears to get a fix out. IMHO, time locked full disclosure gives you the best of both worlds... vendors have some reasonable time to implement a fix, but no amount of legal action can prevent the details from getting out several months later. The risk of "responsible disclosure" is that you can get slapped with a gag order, or at least legal threats, to prevent you from later putting pressure on the vendor for a faster fix.

      --
      Copyright Violation:"theft, piracy"::Anti-Trust Violation:"thermonuclear price terrorism"<-Overly dramatic language.
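The lagged-disclosure scheme karlm describes, as an added example that is not his tool and not part of the original thread: a time-lock puzzle in the style of Rivest, Shamir and Wagner. The publisher posts the encrypted advisory together with the puzzle parameters (n, a, t); anyone can recover the key with t sequential modular squarings, while the vendor, handed the key privately, opens it immediately. The primes, base, squaring count and advisory text are constructed for the demo.

```python
# Added example, not karlm's tool: a time-lock puzzle in the style of Rivest,
# Shamir and Wagner (1996) used for lagged disclosure. The publisher posts the
# encrypted advisory plus (n, a, t); anyone can recover the key with t sequential
# modular squarings, while the vendor, handed the key privately, opens it at once.
# The primes, base, squaring count and advisory text below are constructed for
# the demo; real use needs large primes and a t calibrated to months of work.
import hashlib

# Constructed parameters: two known primes and a small t so the slow path runs
# in well under a second here.
P, Q = 104729, 1299709
T = 5000
A = 3
ADVISORY = b"constructed advisory text: details withheld until the timer runs out"


def _keystream(key_int: int, length: int) -> bytes:
    """Expand the puzzle solution into a keystream: SHA-256 in counter mode."""
    seed = key_int.to_bytes((key_int.bit_length() + 7) // 8 or 1, "big")
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(data, ks))


def make_puzzle(p: int, q: int, t: int, a: int, plaintext: bytes):
    """Publisher side. Returns (public_puzzle, private_key).

    key = a^(2^t) mod n. Knowing phi(n) = (p-1)(q-1) lets the publisher reduce
    the exponent first, so this is one modexp instead of t squarings."""
    n = p * q
    phi = (p - 1) * (q - 1)
    key = pow(a, pow(2, t, phi), n)  # shortcut: needs the factorisation of n
    public = {"n": n, "a": a, "t": t,
              "ciphertext": _xor(plaintext, _keystream(key, len(plaintext)))}
    return public, key


def grind(puzzle: dict) -> int:
    """Public side: t sequential squarings mod n. No known shortcut without
    p and q, and the chain cannot be parallelised."""
    n = puzzle["n"]
    x = puzzle["a"] % n
    for _ in range(puzzle["t"]):
        x = x * x % n
    return x


def open_with_key(puzzle: dict, key: int) -> bytes:
    """Decrypt with a key obtained either from the publisher or from grind()."""
    ct = puzzle["ciphertext"]
    return _xor(ct, _keystream(key, len(ct)))


def demo() -> bytes:
    """Publish, then recover the advisory the slow way, as the public would."""
    public, vendor_key = make_puzzle(P, Q, T, A, ADVISORY)
    assert open_with_key(public, vendor_key) == ADVISORY  # vendor's head start
    return open_with_key(public, grind(public))


if __name__ == "__main__":
    print(demo().decode())
```

The property the comment relies on is visible in `grind`: the t squarings are inherently sequential, so more hardware does not shorten the wait, while `make_puzzle` shows why only the party holding p and q can skip it. Once the puzzle is posted, a gag order cannot stop the clock; it can only stop the publisher from saying more.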
    21. Re:Uh, correct me if I understood the story wrong by dontgetshocked · · Score: 1

      Are you kidding me? The customer comes first always. If it was your personal info would you still be as casual about this? Full and immediate disclosure is the only moral way to go.

    22. Re:Uh, correct me if I understood the story wrong by AB3A · · Score: 1

      I've been over this argument more times than I care to remember. Full disclosure before a fix is available is irresponsible.

      There are applications out there where you simply can not spray patches at the net to see what sticks. Each update has to be carefully tested and validated. These are typically very high reliability applications.

      Your ignorant attitude to this problem overlooks the fact that it's not the software company that you need to be concerned about. It's the customers who bought it!

      So go ahead, put a software company under. I don't much care. But if you cause someone to die because a zero day exploit caused the hospital to not see a patient's life support fail, that's a problem. If you hack a SCADA system at some remote site, you could put a neighborhood without electricity for many days.

      These bits of software have actual end-users. This isn't just about the company that sold the software, it's about the end-users. People's lives often depend on this software working correctly.

      If you don't give them a chance to react, then you're just as guilty as those who actually attack these sites.

      --
      Nearly fifty percent of all graduates come from the bottom half of the class!
    23. Re:Uh, correct me if I understood the story wrong by Sir_Lewk · · Score: 1

      Your ignorant attitude to this problem overlooks the fact that it's not the software company that you need to be concerned about. It's the customers who bought it!

      The only reasonable assumption to make is that you are not the best there is, other people have already found what you have found, or will find what you have found, and the only way to protect the customer is to make sure the software company fixes the issue as fast as possible. That is what full disclosure ensures.

      I'm not ignorant of the existence of end users. End users are the reason I support full disclosure. If end users didn't exist, then I couldn't give a shit.

      --
      "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
    24. Re:Uh, correct me if I understood the story wrong by Anonymous Coward · · Score: 0

      if it's known not to already be in the wild

      known by who? president of the wild?

  5. Is anyone really surprised? by Anonymous Coward · · Score: 0

    If the company is releasing details, expect them to be worse.
    Recent example is the BP oil spill...

  6. oh noes by stokessd · · Score: 1, Informative

    People could eavesdrop in on my boring conversations with friends and family. That's a serious waste of intercept technology and time and effort.

    Given that it's a RF broadcast signal, people shouldn't have an over-developed sense of privacy.

    If this led to a release of my credit card info etc, then I'm worried. If it's a release of my email address that every spammer already has, then wake me when this story blows over.

    Sheldon

    1. Re:oh noes by Anonymous Coward · · Score: 2, Interesting

      Assuming an info leak like this is true, we're talking about a crime network knowing when everyone is at home, at work, stuck in traffic, on vacation, etc. That's billions of dollars worth of info given what they could accomplish with it.

  7. Of course by PopeRatzo · · Score: 4, Interesting

    Not surprisingly, AT&T criticized the "security team" that discovered and reported the hole because it made them (AT&T) look pretty bad.

    In a fair world, the security team would send AT&T a nice big bill for their services and AT&T would promptly pay it with a note of thanks.

    --
    You are welcome on my lawn.
    1. Re:Of course by somaTh · · Score: 1

      They should know. No good deed goes unpunished.

      --
      Nostalgia isn't what it used to be.
    2. Re:Of course by cacba · · Score: 1

      Perhaps the users whose info was leaked could sue and send a nice big cheque to the security team.

    3. Re:Of course by Anonymous Coward · · Score: 0

      YES

    4. Re:Of course by Anonymous Coward · · Score: 0

      Not surprisingly, AT&T criticized the "security team" that discovered and reported the hole because it made them (AT&T) look pretty bad.

      I think it's hilarious coming from one of the companies that routinely copies all traffic to the NSA, no questions asked, no warrants needed.

    5. Re:Of course by mgblst · · Score: 1

      He said "In a fair world...", but you cut that off.

      If you didn't cut that off, you would actually have nothing to say.

      I am not sure how you got modded up at all, you have added nothing to the conversation.

    6. Re:Of course by Anonymous Coward · · Score: 0

      No, because they shared the script with others before notifying the world at large. Goatse security being GNAA might explain why they did it. They live to troll.

    7. Re:Of course by vegiVamp · · Score: 1

      The security team aren't responsible for the bad security, that's AT&T.

      --
      What a depressingly stupid machine.
    8. Re:Of course by Coren22 · · Score: 1

      I believe he was suggesting suing AT&T for making the information publicly accessible.

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
  8. education is a security threat to our nation by Locutus · · Score: 3, Insightful

    screw AT&T if that is what they think. Same goes for any other company who builds and designs half-assed security measures and publicly, or even privately, blasts those for exposing how much they suck at this. It's like blaming the people who exposed Madoff.

    LoB

    --
    "Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
  9. Meanwhile on the Titanic.... by SunSpot505 · · Score: 4, Funny

    "Captain, I discovered that the bulkheads that seal the ship in case of a hull breach actually stop several floors short, and could be compromised in the event of a major collision."

    "How dare you point out a fatal flaw in our Honorable Engineer's design. Now that the Icebergs know this, they will surely attack our boat! You should have kept your dumb mouth shut"

    "but..."

    1. Re:Meanwhile on the Titanic.... by BBTaeKwonDo · · Score: 0, Troll

      At the risk of being labeled an AT&T stooge, a better analogy would be, "Captain, I discovered that the bulkheads that seal the ship in case of a hull breach actually stop several floors short. I verified this by damaging the hull with an iceberg and observing that the water lapped over the bulkheads. That's why your feet are wet."

    2. Re:Meanwhile on the Titanic.... by logjon · · Score: 0

      No, it would be like that if they had actually caused damage.

      --
      The stories and info posted here are artistic works of fiction and falsehood.
      Only fools would take it as fact.
    3. Re:Meanwhile on the Titanic.... by chargersfan420 · · Score: 1

      This is slashdot, people. We need CAR analogies.

    4. Re:Meanwhile on the Titanic.... by NatasRevol · · Score: 1

      AT&T had a hole. Goatse strapped a JATO rocket onto their car, and slammed AT&T up the ass because the security hole needed to be shown. AT&T complained that they shouldn't have used the JATO rocket.

      --
      There are two types of people in the world: Those who crave closure
    5. Re:Meanwhile on the Titanic.... by nyctopterus · · Score: 1

      Okay, completely off-topic, but the Titanic's watertight compartment design was pretty good. The ship was not divided along its long axis, which was a deliberate design decision to make sure it stayed on an even keel (i.e. didn't capsize) even in the event of a catastrophic collision. The Titanic took hours to sink, even though it had a hole 1/3rd the length of its hull under the waterline. Compare this to some other sinkings, and I think the Titanic holds up pretty well.

      Lack of lifeboats was, of course, the main problem. But it was one shared with all other large ocean liners of the period.

  10. Morons! by Anonymous Coward · · Score: 0

    NEWSFLASH: Everything MAY be worse than originally thought, always! That's not news!

  11. AT&T needs to compensate us with unlimited dat by AmazinglySmooth · · Score: 1

    Seems like karma since they just shafted 3G us users with limited data plans. Now they are getting the shaft over security. Maybe they could appease our anger with unlimited data plans.

  12. ICCID = IMSI by TubeSteak · · Score: 5, Interesting

    http://www.mfi-training.com/forum/paper/SIM&Salsa.pdf
    Their lack of security, let me show you it:

    T-Mobile
    ICCID 8901260390012345679
    IMSI  310260391234567

    AT&T
    ICCID 89310170101234567891
    IMSI  310170123456789

    --
    [Fuck Beta]
    o0t!
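To make the overlap TubeSteak is pointing at concrete, here is an added example (not code from the post or from either carrier) that takes the two ICCID/IMSI pairs above and reports how much of the IMSI can be read straight off the ICCID. It uses the public field layouts (ITU-T E.118 for the ICCID, 3GPP TS 23.003 for the IMSI); the E.118 check-digit test and the leakage report are this example's own construction.

```python
# Added example, not code from the Slashdot post or from any carrier: it parses
# the two ICCID/IMSI pairs TubeSteak posted and reports how much of the IMSI is
# readable straight off the ICCID. Field positions follow ITU-T E.118 (ICCID)
# and 3GPP TS 23.003 (IMSI); the Luhn check and the leakage report are this
# example's own construction.

# Sample pairs copied from the post (illustrative values, not real subscribers).
SAMPLES = [
    ("T-Mobile", "8901260390012345679", "310260391234567"),
    ("AT&T", "89310170101234567891", "310170123456789"),
]


def luhn_sum(digits: str) -> int:
    """Luhn weighted sum; the rightmost digit is position 0 and is not doubled."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total


def luhn_valid(iccid: str) -> bool:
    """True when the ICCID's last digit is a correct Luhn check digit (E.118)."""
    return iccid.isdigit() and luhn_sum(iccid) % 10 == 0


def luhn_check_digit(body: str) -> int:
    """Check digit that makes body + digit Luhn-valid."""
    return (10 - luhn_sum(body + "0") % 10) % 10


def split_imsi(imsi: str, mnc_len: int = 3) -> dict:
    """IMSI = MCC (3) + MNC (2 or 3; US carriers use 3) + MSIN (rest)."""
    return {"mcc": imsi[:3], "mnc": imsi[3:3 + mnc_len], "msin": imsi[3 + mnc_len:]}


def imsi_fields_in_iccid(iccid: str, imsi: str, mnc_len: int = 3) -> dict:
    """Offset of each IMSI field inside the ICCID, or -1 if not a verbatim substring."""
    return {name: iccid.find(val) for name, val in split_imsi(imsi, mnc_len).items()}


def leakage_report(carrier: str, iccid: str, imsi: str) -> dict:
    """Summarise one pair: check-digit validity and which IMSI fields are exposed."""
    found = imsi_fields_in_iccid(iccid, imsi)
    exposed = [name for name, off in found.items() if off >= 0]
    return {
        "carrier": carrier,
        "iccid_luhn_valid": luhn_valid(iccid),
        "fields_found_at": found,
        "exposed_fields": exposed,
        # Full IMSI recoverable by inspection when every field appears verbatim.
        "imsi_readable_verbatim": len(exposed) == 3,
    }


if __name__ == "__main__":
    for carrier, iccid, imsi in SAMPLES:
        print(leakage_report(carrier, iccid, imsi))
```

For the AT&T pair all three IMSI fields sit verbatim inside the ICCID, which is the "ICCID = IMSI" of the subject line. For the T-Mobile pair only the MNC does, but the MSIN's trailing digits still appear as a run, so "not verbatim" is not the same as "not derivable". Neither sample passes the E.118 check digit, which fits them being illustrative numbers rather than real allocations; the report flags that too, so the same function can be run over a carrier's actual ranges.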
    1. Re:ICCID = IMSI by The+Yuckinator · · Score: 3, Funny

      There's a luggage joke in here somewhere but I can't find it.

    2. Re:ICCID = IMSI by NixieBunny · · Score: 4, Funny

      The story says that not all carriers encode it like this; some might have used such advanced encryption techniques as ROT13.

      I wonder if the folks who do network design at AT&T have any idea at all that their job is related to security.

      --
      The determined Real Programmer can write Fortran programs in any language.
    3. Re:ICCID = IMSI by Anonymous Coward · · Score: 1, Funny

      A suitcase full of artificial penises walks into an airport.

    4. Re:ICCID = IMSI by noidentity · · Score: 1

      Holy shit, that's my luggage combination. They stole it!

    5. Re:ICCID = IMSI by eulernet · · Score: 1

      I wonder if the folks who do network design at AT&T have any idea at all that their job is related to security.

      Yes, they are securing their wages.

      Since it takes a lot of time, they don't have time to spend on customers.

    6. Re:ICCID = IMSI by lmnfrs · · Score: 1

      I wonder if the folks who do network design at AT&T have any idea at all that their job is related to security.

      Unless things have changed, they don't participate too much in the design of their network. The companies that invent new technology are the most knowledgeable of their brand new tech, so they're the best to install it and set it up. Since the phone network brands (e.g. AT&T) don't know the details, they don't know what to scrutinize; there isn't much pressure for the inventing company to pay attention to security.

  13. So is this worse because... by Anonymous Coward · · Score: 0

    Is this problem worse than thought because the leaked info leads not just to email addresses, but also name/number/tracking? Or is it worse because the underlying problem of the non-secure IMSI database of every US mobile phone user hasn't been dealt with *at all*?

  14. THIS IS NOT A PROBLEM by Anonymous Coward · · Score: 0

    This is a good thing for all concerned.

  15. How about Sprint and Verizon? by erroneus · · Score: 1

    I use T-Mobile... another GSM type carrier... I'm not feeling too good about some of this. I was once a Sprint customer but hated their ass-hattedness. I will never willingly become a Verizon customer and I seriously dislike AT&T's attitude, service delivery, billing problem history, service plans and over-all history of abusing customers... not going there willingly either. So my choices are t-mobile or sprint. Anyone know of serious security problems with CDMA based mobile tech?

    1. Re:How about Sprint and Verizon? by Anonymous Coward · · Score: 1

      GSM is an un-American invention based on the useless antique TDMA for 2G, and the 3G is a rip-off of the American W-CDMA technology. Qualcomm is still waiting for Nokia to pay up after ripping them off, but it isn't likely to happen in anything other than a token way.

      You are using CDMA anyway, so why not use Verizon or Sprint and use the real version of CDMA which is more secure and reliable?

    2. Re:How about Sprint and Verizon? by Anonymous Coward · · Score: 0

      Check out tracfone or net10 (same company). They don't have "smart" phones, but you can get onto the web with some of them, sort of (and the pages load surprisingly fast). They recently changed their portal so you can get on msn, yahoo, google and not just a walled garden. I don't know about tracfone plans, but net10 do have a way of automatically adding minutes every month with the added benefit of not having to maintain a contract with them.

      I've got a samsung t401g from net10, it works fairly well and the call quality has been good.

    3. Re:How about Sprint and Verizon? by Anonymous Coward · · Score: 0

      Replying to myself. Apparently you may not be able to choose CDMA vs GSM if you go with tracfone or net10, they may only sell you a CDMA phone if you are in an area that is bad for GSM, or vice versa. Hope this helps.

    4. Re:How about Sprint and Verizon? by Anonymous Coward · · Score: 0

      I'd look at the history of the GSM protocol. It offers one big advantage over US CDMA providers that do not use R-UIM cards: You can swap your SIM card to another device and it should work (assuming it is unlocked.) I don't know if it is true today, but in the past, unless you bought the device from a CDMA provider, you would not be allowed to use it on the network. With GSM technology, it just takes a SIM card swap to enable a new phone for use. No asking for permission for the device to be activated.

      CDMA has one advantage over GSM in the US, and that is the fact that it requires fewer towers to cover an area. I've been in a number of areas where CDMA providers have adequate coverage, while GSM providers struggle to provide GPRS, much less EDGE or even 3G coverage.

    5. Re:How about Sprint and Verizon? by dbcad7 · · Score: 1

      Have you had any breaches?.. do you know of anyone who has?.. I am also on T-Mobile, I'm not too worried.. I made a conscious choice for GSM tech, because the whole CDMA thing being only in the US felt like the companies choosing it were intentionally screwing over customers into locking in to their network.. and I can, and have, taken my GSM phone overseas and used it.. As to the carrier wars, they all have pros and cons.. I think both AT&T and Verizon get more of a bad rap than they probably deserve. T-Mobile fits my lifestyle and Sprint is used by several of my family members and they all seem to be happy with it.. I have one family member who only has a choice between Verizon and AT&T and he is happy with Verizon, but has never tried AT&T.. I don't buy in to too much of the trash talking done about one network over another, I think they all do a reasonably good job.

      --
      waiting for ad.doubleclick.net
    6. Re:How about Sprint and Verizon? by Anonymous Coward · · Score: 1

      How often do people really buy phones not directly from their carrier? I used to buy phones on eBay, but I am hooked on Android and loving my Motorola Droid. I think that people who do "extreme" things like rock climbing might benefit from SIM card swaps. Smartphone most of the time, crap phone when it might break. You can swap Verizon phones on the web site anyway, this isn't the 1980s. No need to ask permission or even call tech support.

      Also the "if it is unlocked" caveat for GSM is a big one. The iPhone and iPad are locked. Even if you unlocked them (after paying the huge ETF), good luck using 3G on T-Mobile with it. AT&T and T-Mobile use different 3G bands.

      Honestly I have used several Sprint phones on Verizon and 3G worked great. What takes a bit of effort with CDMA is impossible on GSM unless your phone supports all of those bands. At least all of the major CDMA carriers in the US use compatible bands.

    7. Re:How about Sprint and Verizon? by Anonymous Coward · · Score: 0, Troll

      Newsflash, CDMA is used all over the world. Europeans are embarrassed by the fact that their GSM's 3G is a complete ripoff of CDMA so they like to lie about it and trash it by saying only "backward Americans" use it.

      GSM is used more because it got a foothold earlier, similar to Microsoft Windows. CDMA is used in most countries though. Despite its incompatibility with GSM, it is deployed in areas already served by GSM due to its technical superiority.

      In fact, some European phone companies use it (for example netcologne and ice.net), an embarrassing fact many GSM fanboys would like to keep hidden.

    8. Re:How about Sprint and Verizon? by Achromatic1978 · · Score: 1

      Australia started with GSM. They went to a CDMA / GSM mix. Five years later, they shut down their CDMA networks entirely.

      It's not all as simple as you'd like to pretend.

    9. Re:How about Sprint and Verizon? by Kakari · · Score: 1

      I can't tell - are you still working for Qualcomm or did they just let you go due to 'downsizing'?

    10. Re:How about Sprint and Verizon? by Kakari · · Score: 1

      You seem to confuse air interface/multiplexing types with user authentication/network access. Yes, most/all 3G stuff is some form of CDMA at the air interface level. The GSM/UMTS advantage is in the SIM/USIM and being able to easily swap them. Also, your cognitive dissonance to call GSM's 3G a ripoff of CDMA and then say that CDMA is incompatible with GSM leads me to think that you don't actually know what you're talking about. Then you mention netcologne - a company with revenue less than 1 percent of Deutsche Telekom? So how do you feel about 4G/LTE being OFDM? Or are you just blindly being a CDMA fanboy?

    11. Re:How about Sprint and Verizon? by Anonymous Coward · · Score: 1

      The air interface is what matters. Don't tell me I am supposed to pretend that I desire the GSM authentication scheme in the comments for a story that tells us how insecure it is. LTE is OFDMA, which uses orthogonal code division - just like CDMA. It is just an enhanced version of CDMA which will be used by GSM and CDMA carriers. To answer your question, I feel great about it. How do you feel about it?

    12. Re:How about Sprint and Verizon? by Anonymous Coward · · Score: 1

      I forgot to say that the European examples weren't examples of major success, just examples that CDMA is used everywhere other than maybe Australia lately, even in European countries that get the most frothy at the mouth about it.

      CDMA in the official form is used all over the Americas, eastern and western Europe, the Middle East, Asia, the whole world.

      The fact that an inferior standard that was released earlier (as a 2G service, before W-CDMA enabled 3G) has more usage shouldn't be surprising. Again, look at Microsoft Windows.

      And GSM's 3G is a ripoff of W-CDMA. They don't need to be compatible for that to be true, because as you said, they use a different form of authentication.

    13. Re:How about Sprint and Verizon? by Kakari · · Score: 1

      The GSM authentication scheme isn't particularly secure (i.e. not at all), but this article doesn't address that (it addresses how AT&T, and other telecoms, did IMSI security through obscurity by making them directly translatable from an ICCID... but that's not really what we were talking about - we were being off-topic! ;)

      UMTS (3G GSM) does at least attempt to address the worst GSM (2G) security faults.

      I haven't worked with OFDMA in a while, but as I recall it splits users across orthogonal frequencies and, at the same time, across timeslots (OFDM symbols). To wit - with 5 users and 3 frequencies we might see something like this (increasing in time, numbers are users):

      Time    Frequency 1   Frequency 2   Frequency 3
      t1           1             2             3
      t2           2             5             1
      t3           4             3             2
      t4           5             4             2
      ...

      This is as opposed to CDMA (or multiple-carrier CDMA, which a multi-user OFDM scheme might use), which uses orthogonal codes to mix multiple users across the same range of frequencies simultaneously; a minor but important point. Of course, there may also be some advantage to using an MC-CDMA scheme, but then it's called MC-CDMA or something weird like OFDM-CDMA, not OFDMA (as I recall).

      I am very much looking forward to LTE (and its being OFDM/A) - especially if it's offered in the 700MHz range in the US.

      GSM's 3G and W-CDMA as used by non-GSM carriers of course have different authentication methods - I suppose I was just saying that 3G GSM is a 'ripoff' (i.e. uses the same type of air interface, which was what we were talking about, wasn't it?). I've enjoyed the back and forth, but I'm afraid we're really rather in agreement about most of this stuff, except I'm not a fan of the phrase 'ripoff' :-).
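
As an added example (not the commenter's code), a toy Python model of the distinction drawn in the comment above: CDMA lets every user transmit at once in the same band and separates them with mutually orthogonal Walsh codes, while OFDMA separates users by giving each (symbol, subcarrier) slot to exactly one owner. The Hadamard construction, the sample bits and the grid values are constructed here; the grid reproduces the table in the comment.

```python
from typing import Dict, List, Tuple


def walsh_codes(n: int) -> List[List[int]]:
    """Rows of a Hadamard matrix of order n (n a power of two): mutually
    orthogonal +1/-1 spreading codes of the kind CDMA uses to separate users."""
    h = [[1]]
    while len(h) < n:
        h = [r + r for r in h] + [r + [-x for x in r] for r in h]
    return h


def cdma_channel(user_bits: Dict[int, List[int]], codes: List[List[int]]) -> List[List[int]]:
    """All users transmit simultaneously in the same band: each bit (+1/-1) is
    multiplied by that user's code and the air interface carries the chip-wise sum."""
    n_bits = len(next(iter(user_bits.values())))
    channel = []
    for k in range(n_bits):
        slot = [0] * len(codes[0])
        for user, bits in user_bits.items():
            for i, chip in enumerate(codes[user]):
                slot[i] += bits[k] * chip
        channel.append(slot)
    return channel


def cdma_despread(channel: List[List[int]], code: List[int]) -> List[int]:
    """Correlate the shared signal with one code. Orthogonality makes every other
    user's contribution cancel out; a code nobody transmitted on correlates to 0."""
    out = []
    for slot in channel:
        corr = sum(s * c for s, c in zip(slot, code))
        out.append(1 if corr > 0 else -1 if corr < 0 else 0)
    return out


# The OFDMA grid from the comment: rows are OFDM symbols (time), columns are
# subcarriers, and each entry is the single user that owns that slot.
OFDMA_GRID = [[1, 2, 3], [2, 5, 1], [4, 3, 2], [5, 4, 2]]


def ofdma_slots(grid: List[List[int]], user: int) -> List[Tuple[int, int]]:
    """In OFDMA a receiver separates users by slot ownership rather than by code:
    it only has to listen on its own (symbol, subcarrier) pairs."""
    return [(t, f) for t, row in enumerate(grid)
            for f, owner in enumerate(row) if owner == user]


if __name__ == "__main__":
    codes = walsh_codes(4)
    bits = {0: [1, -1, 1], 1: [-1, -1, 1], 2: [1, 1, -1]}   # constructed sample data
    shared = cdma_channel(bits, codes)
    for u in bits:
        print("user", u, "recovered", cdma_despread(shared, codes[u]))
    print("unused code sees", cdma_despread(shared, codes[3]))
    print("user 2 OFDMA slots", ofdma_slots(OFDMA_GRID, 2))
```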

  16. Link please by Locke2005 · · Score: 0, Troll

    Goatse Security

    Wait... is this correct?

    --
    I've abandoned my search for truth; now I'm just looking for some useful delusions.
    1. Re:Link please by NatasRevol · · Score: 1

      Link + sig = funny.

      Or realllllly wrong.

      --
      There are two types of people in the world: Those who crave closure
  17. So THAT'S how they'll do it. by Anonymous Coward · · Score: 0

    I fucking KNEW that AT&T would find a way to screw me out of my unlimited plan, despite their promises. Who could possibly trust them after breaking their first set of promises not a month after the 3G iPads shipped? I would not be surprised in the slightest if they force everyone affected to replace their SIM cards and "oops, sorry, you can't transfer your unlimited plan to the new card."

    Son of a fucking bitch. I fucking knew it. Paranoid? You tell me. We'll see in a couple weeks.

    1. Re:So THAT'S how they'll do it. by cynyr · · Score: 2, Funny

      You seem a bit young. Remember the Baby Bells? Leasing your phone from ATT/Ma Bell? Their logo looks like the Death Star for a reason.

      --
      All of the above was encrypted with a Quad ROT-13 method. Unauthorized decryption is in violation of the DMCA.
  18. Re:AT&T needs to compensate us with unlimited by Widowwolf · · Score: 2, Informative

    They didn't screw anyone over. It is your choice to upgrade or downgrade your plan away from the Unlimited data plan. They are not forcing you to upgrade to a different phone. I am keeping my iPhone 3G/Unlimited plan until I am ready to move off the plan.. Then I will make the choice whether to stick with ATT or not at that time.. They didn't say you will have this option forever.. And guess what, when your contract expires, you will still be on the unlimited plan until you consciously choose to move to a different plan.

    --
    ~~"Of course, that's just my opinion. I could be wrong." ~~Dennis Miller
  19. Josephist by Anonymous Coward · · Score: 0

    We are always vulnerable. In our company we are trying to minimize that risk with Safetica business, but I'm still aware...

  20. Uh oh by elrous0 · · Score: 1

    Normally AT&T is so beloved here on /. A story like this could ruin their reputation. It's almost as inconceivable as /.ers losing faith in Bill Gates.

    --
    SJW: Someone who has run out of real oppression, and has to fake it.
  21. Thoughts by DaMattster · · Score: 1

    My guess is that this really is not criminal. There is no real criminal intent, or in legalese, mens rea. Instead, the Goatse Security Group really did this as a form of public service. Was it the most ethical means to do so? Quite possibly not. Ethically speaking, Goatse would have been better off reporting it directly to AT&T first and then to the media if AT&T ignored or denied it. That way, Goatse would have some extra ammunition and would be much more clearly in the right. While I know two wrongs don't make a right, AT&T did far worse with its cooperation with the Bush warrantless wiretapping program so I feel somewhat okay about AT&T getting a little egg on its face over this one.

    1. Re:Thoughts by butlerm · · Score: 1

      There is no real criminal intent, or in legalese, mens rea.

      Assuming the type of access they performed is proscribed by law, the only thing required to establish "criminal intent" is that they intended to do what they did.

      Whether they knew what they did was against the law, whether they intended to cause anyone any harm, or whether they thought what they were doing had some beneficial social purpose is completely irrelevant to the question of criminal intent. The question is did they intend to do something that happens to be against the law.

    2. Re:Thoughts by butlerm · · Score: 1

      I should add that the level of intent required to make something a crime may differ from crime to crime, of course. General intent may not be enough in some cases.

  22. Ron Burgundy by Chrutil · · Score: 1

    "I'm somewhat of an authority on GSM security,"

    That may very well be, but when I read that I see Anchorman Ron Burgundy saying: "I don't know how to put this but I'm kind of a big deal."...

  23. Kudos are owed to Goatse by B33RM17 · · Score: 1

    Like a few other /.ers have pointed out, I feel this is more about the money. I do agree that Goatse probably didn't go about this in the most ethical manner, however I think their intent was good in nature. From the way it sounds, they wanted to make sure AT&T knew of the security hole, but also wanted the corporation to be held accountable by going to a media outlet. This ensures the company knows about the issue and has to take more prompt action to resolve it.

    Now back to the money. I don't doubt AT&T was half-assing their security, because from my experience, they half-ass their service as well. They obviously did not make sure their website was fully secure and allowed sensitive customer data to be taken right out from under their noses. They saved some money by skimping on security, and now they are gonna lose more because they have to fix the hole. Add to that the potential customers they are going to lose because of people who caught wind of the fiasco. On top of which will be some customers who will jump ship due to the client-company trust being broken. And to add more insult to injury, AT&T may just have to replace all those compromised SIM cards like the expert in the story suggested.

    And let's all not forget AT&T's record of network performance, especially with Apple devices. That's even more money lost to reinforcing an already staggering network infrastructure. Although that can be seen as an investment as well. Given their current circumstances though, the positive side is not as likely.

    By now you could say I'm just being an AT&T troll, but looking back at my past experiences with the company, along with the experiences of friends and family who are customers, I'm going to say AT&T needs to clean up their act. They're in a world of hurt now, and I would just like to see them improve for the sake of their customers.

    Whew, time for a beer. Cheers! *wipes forehead*

    --
    My blood hurts...
  24. Re:AT&T needs to compensate us with unlimited by cayenne8 · · Score: 1
    "They didn't screw anyone over. It is your choice to upgrade or downgrade your plan away from the Unlimited data plan. They are not forcing you to upgrade to a different phone. I am keeping my iPhone 3G/Unlimited plan until I am ready to move off the plan.. Then I will make the choice whether to stick with ATT or not at that time.. They didn't say you will have this option forever.. And guess what, when your contract expires, you will still be on the unlimited plan until you consciously choose to move to a different plan."

    I thought I read that if you had the unlimited plan, and upgraded to the new iPhone, you could choose to be grandfathered in... at least if you are qualified to upgrade here June/July I believe.

    Not sure if later upgrades will grandfather in... hoping so.

    --
    Light travels faster than sound. This is why some people appear bright until you hear them speak.........
  25. What's going to happen is.... by 1+inch+punch · · Score: 1

    Knowing how large companies work, Chris is going to get a subpoena to appear in court to provide his self-proclaimed expert testimony and Goatse Security is going to get charged with illegal computer access, which, by their own admission, did occur.

    And then everyone is going to forget about this and get right back to watching the World Cup.

    1. Re:What's going to happen is.... by Anonymous Coward · · Score: 0

      Watching the world cup? I'm an American you insensitive clod, football doesn't start for another few months.

  26. My SSN by Anonymous Coward · · Score: 0

    My SSN is 519-39-2929iner.

    I'd use my name, but I can't remember the password - so I'm an Anon Coward. Oh well.

  27. A plug for yourself by Anonymous Coward · · Score: 0

    I love it when someone posts an "update" to an update plugging themselves. Gotta love humanity.

  28. This is not a 'vulnerability' (10 yr GSM veteran) by Kodack · · Score: 1

    I have worked on GSM networks for a living for over a decade and I am calling BS on this yellow editorial.

    What the author is suggesting is the wireless equivalent of hacking by Physical Level Access. No OS in the world can be 'secure' if you gain physical access to the machine it's running on. The idea that somebody can deduce your name and address, drive to your residence and get your mobile to attach to their pico cell for purposes of mining your data is ludicrous.

    1. IMSI is nothing special. It is nothing more than the entry the Home Location Register (HLR) uses to store information about your profile. Information like which Visitor Location Register (VLR) you are attached to, if you're roaming, what your phone number (MSISDN) is etc.

    It does NOT contain any information about you, your name, your home address, your billing etc.
    In order to view the IMSI profile in the HLR you would have to hack into the AT&T, T-Mobile, etc. cellular network, know where to find the HLR's IP, how to log into it, and what commands to run to query the subscriber profile. Even if you did all that, all you'd get out of it is a phone number...

    There are MULTIPLE levels of security to secure the cellular network from unauthorized users gaining access to the switching equipment.
    Firewall, VPN, Sitekey, multiple levels of logins and passwords requiring passing through multiple un NAT/PAT subnets.

    If you had that kind of access you could do far more than look up somebody's phone number.

    2. Even if someone had your IMSI, and knew where you lived, and set up a pico cell to try to trick your phone... Your phone would not authenticate to the pico cell without a proper KI value. The KI is not something you can just look up and copy. Even having your IMSI, they can't get around the fact that GSM is encrypted and they don't have the key.

    They would also not be able to make your mobile hand over to their pico cell because there is no handover to that non-existent BTS in the Base Station Controller or BSC. Phones don't just attach willy-nilly to any old radio signal.

    3. If a person wanted to go through that much trouble to find out info about you they might as well break into your home and replace your iPhone with one that has spyware preinstalled; it would be FAR EASIER than trying to hack/spoof the network.

    And lastly, your IMSI, MSISDN, SIM, KI, CCID, IMEI, any of that stuff does not link to your name, home address, or your account. That information is on the customer billing network, usually handled by a 3rd party vendor. Gaining any of that information would require hacking yet another set of computer systems.

    In summary.

    1. Your IMSI is not a secret someone can use to come after you.
    2. The HLR doesn't have any personal identifiable information about you.
    3. Someone can't sit outside your house and sniff all your secrets by tricking your phone.
    4. There are much easier ways to do these things if they really wanted your information. You are much more likely to be keylogged and exposed by using trojan software.
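
As an added example (not the commenter's or any operator's code), a Python model of the GSM challenge-response that points 1 and 2 above rely on: the IMSI is only the key used to look up the HLR record, and the network accepts a handset only if it returns the SRES derived from the shared Ki, which knowing the IMSI alone does not give you. The HLR table, the IMSI and Ki values, and the HMAC-SHA256 stand-in for the A3/A8 algorithms are all constructed here and are not the real COMP128 or any operator algorithm.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed stand-in for the HLR/AuC subscriber table. The IMSI is nothing
# more than the lookup key; the record holds routing data (here just the
# MSISDN) and the secret Ki. All values are made up for this example.
HLR: Dict[str, dict] = {
    "310410000000001": {
        "msisdn": "+15550100001",
        "ki": bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0"),
    },
}


def a3_a8(ki: bytes, rand: bytes) -> Tuple[bytes, bytes]:
    """Hypothetical A3/A8 stand-in (HMAC-SHA256, not a real SIM algorithm).
    Returns (SRES, Kc): a 32-bit response and a 64-bit cipher key."""
    d = hmac.new(ki, rand, hashlib.sha256).digest()
    return d[:4], d[4:12]


def hlr_profile(imsi: str) -> Dict[str, str]:
    """What an HLR lookup by IMSI exposes: routing data, no name or address.
    Ki is deliberately never returned by the lookup."""
    return {"msisdn": HLR[imsi]["msisdn"]}


def auc_triplet(imsi: str, rand: Optional[bytes] = None) -> Tuple[bytes, bytes, bytes]:
    """AuC side: pick a fresh 128-bit RAND and precompute expected SRES and Kc."""
    rand = rand if rand is not None else secrets.token_bytes(16)
    sres, kc = a3_a8(HLR[imsi]["ki"], rand)
    return rand, sres, kc


class Sim:
    """A SIM (or an impostor handset) holding an IMSI and whatever Ki it has."""

    def __init__(self, imsi: str, ki: bytes) -> None:
        self.imsi, self.ki = imsi, ki

    def respond(self, rand: bytes) -> Tuple[bytes, bytes]:
        return a3_a8(self.ki, rand)


def authenticate(sim: Sim, rand: Optional[bytes] = None) -> Optional[bytes]:
    """Network side of the GSM challenge-response. Returns the agreed Kc on
    success, or None when the SRES does not match the AuC's expectation."""
    rand, expected_sres, kc = auc_triplet(sim.imsi, rand)
    sres, _ = sim.respond(rand)
    return kc if hmac.compare_digest(expected_sres, sres) else None


GENUINE = Sim("310410000000001", HLR["310410000000001"]["ki"])
# Impostor knows the IMSI (as the story's ICCID mapping gives) but not Ki.
IMPOSTOR = Sim("310410000000001", bytes(16))

if __name__ == "__main__":
    print("HLR lookup:", hlr_profile("310410000000001"))
    print("genuine SIM accepted:", authenticate(GENUINE) is not None)
    print("IMSI-only impostor accepted:", authenticate(IMPOSTOR) is not None)
```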