AT&T Breach May Be Worse Than Initially Thought
ChrisPaget writes "I'm somewhat of an authority on GSM security, having given presentations on it at Shmoocon (M4V) and CCC (I'm also scheduled to talk about GSM at this year's Defcon). This is my take on the iPad ICCID disclosure — the short version is that (thanks to a bad decision by the US cell companies, not just AT&T) ICCIDs can be trivially converted to IMSIs, and the disclosure of IMSIs leads to some very severe consequences, such as name and phone number disclosure, global tower-level tracking, and making live interception a whole lot easier. My recommendation? AT&T has 114,000 SIM cards to replace and some nasty architectural problems to fix."
Reader tsamsoniw adds that AT&T has criticized the security group responsible for pointing out the flaw, while the group claims they did it 'as a service to our nation.'
I'm glad I got the WiFi-only version!
I'm proud that Goatse Security revealed this gaping security hole.
my thanks for the security team's service to me.
People could eavesdrop in on my boring conversations with friends and family. That's a serious waste of intercept technology and time and effort.
Given that it's a RF broadcast signal, people shouldn't have an over-developed sense of privacy.
If this led to a release of my credit card info etc, then I'm worried. If it's a release of my email address that every spammer already has, then wake me when this story blows over.
Sheldon
And point c) is why AT&T is bitching.
Fixing their no-doubt-creaky-and-hideously-flawed-empire-of-security-by-obscurity will be a costly pain in the ass. Every day that they didn't have to do that was money saved, never mind the fact that the better grade of black hat could well have been doing targeted attacks against high value individuals for all that time. But now that the NYT has the story, they'll have to do something. Total bummer. Bad for shareholder value.
This is why so many vendors use the phrase "responsible disclosure" as a polite synonym for "shut the fuck up, never tell anybody except us, and don't think that telling us entitles you to any ETA on a fix."
Not surprisingly, AT&T criticized the "security team" that discovered and reported the hole because it made them (AT&T) look pretty bad.
In a fair world, the security team would send AT&T a nice big bill for their services and AT&T would promptly pay it with a note of thanks.
You are welcome on my lawn.
screw AT&T if that is what they think. Same goes for any other company who builds and designs half-assed security measures and publicly, or even privately, blasts those for exposing how much they suck at this. It's like blaming the people who exposed Madoff.
LoB
"Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
B) depends on who you ask, and D) they shared their script with unnamed other parties before the hole was closed.
Give me Classic Slashdot or give me death!
"Captain, I discovered that the bulkheads that seal the ship in case of a hull breach actually stop several floors short, and could be compromised in the event of a major collision."
"How dare you point out a fatal flaw in our Honorable Engineer's design. Now that the Icebergs know this, they will surely attack our boat! You should have kept your dumb mouth shut."
"but..."
Seems like karma since they just shafted 3G US users with limited data plans. Now they are getting the shaft over security. Maybe they could appease our anger with unlimited data plans.
http://www.mfi-training.com/forum/paper/SIM&Salsa.pdf
Their lack of security, let me show you it:
T-Mobile
ICCID 8901260390012345679
IMSI  310260391234567
AT&T
ICCID 89310170101234567891
IMSI  310170123456789
[Fuck Beta]
o0t!
I use T-Mobile... another GSM type carrier... I'm not feeling too good about some of this. I was once a Sprint customer but hated their ass-hattedness. I will never willingly become a Verizon customer and I seriously dislike AT&T's attitude, service delivery, billing problem history, service plans and over-all history of abusing customers... not going there willingly either. So my choices are t-mobile or sprint. Anyone know of serious security problems with CDMA based mobile tech?
Why? It's a legitimate free speech action. DVD John didn't go to jail for posting his code for cracking CSS, and that was far less ambiguous in its legality.
And this folks, is why everyone should support full disclosure. Full disclosure may hurt the producer (arguably they deserve to be hurt...), but responsible disclosure is just a stall tactic that hurts the consumer.
"linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
Link + sig = funny.
Or realllllly wrong.
There are two types of people in the world: Those who crave closure
you seem a bit young, remember the baby bells? leasing your phone from ATT/MaBell? Their logo looks like the deathstar for a reason.
All of the above was encrypted with a Quad ROT-13 method. Unauthorized decryption is in violation of the DMCA.
They didn't screw anyone over. It is your choice to upgrade or downgrade your plan away from the Unlimited data plan. They are not forcing you to upgrade to a different phone. I am keeping my iPhone 3G/Unlimited plan until I am ready to move off the plan. Then I will make the choice whether to stick with ATT or not at that time. They didn't say you will have this option forever. And guess what, when your contract expires, you will still be on the unlimited plan until you consciously choose to move to a different plan.
~~"Of course, that's just my opinion. I could be wrong." ~~Dennis Miller
I'm all about telling the vendor about the security hole before publicizing it if it's known not to already be in the wild. Give them a chance to do the right thing.
This duration of time should vary based on a variety of factors such as the company's past history in fixing exploits, public disclosure statements, severity, etc.
With that said, there is no reason that after 30 days, any exploit should be fully disclosed to the public. If the vendor doesn't like it, well they should have fixed the problem when only a few people knew about it. If they have egg on their face, it's because they failed to correct the problem.
A good example was the recent major DNS exploit. It was quietly fixed and then fully disclosed. That's how it should work.
You can't legislate goodness. Let each to his own destiny, by will of his freely made choices.
A) They didn't need to download 114,000 e-mail addresses to prove it could be done. A handful would have been more than sufficient, or even a simple description of what to do to reproduce the exposure.
B) No they didn't warn AT&T. AT&T and Goatse both stated that Goatse never tried to contact them.
C) This one is True at least
They entered into AT&T's network, uninvited (unless you can find somewhere where AT&T gave them procedures on how to send spoofed IMSIs to the script), and basically attacked their network.
The proper course would have been to provide AT&T with information about the exposure. They should have destroyed all data recovered rather than forwarding it on to someone else.
Normally AT&T is so beloved here on /. A story like this could ruin their reputation. It's almost as inconceivable as /.ers losing faith in Bill Gates.
SJW: Someone who has run out of real oppression, and has to fake it.
Unauthorized access to a computer is a felony. So is copyright infringement for financial gain. Free speech is our most important right, but aiding and abetting others to commit crimes is a crime itself.
DVD John didn't do anything wrong in my book because DVDCSS had a lot of legitimate uses, despite what the movie studios said.
Selling information about an exploit to a third party while knowing they are likely to commit a crime with it is by definition aiding in the commission of a crime. Giving away that same information to the entire world in full disclosure would be speech, I think. It's for a social benefit, even if it is damaging to the company whose software is exploitable.
You can't legislate goodness. Let each to his own destiny, by will of his freely made choices.
Unauthorized access to a computer is a felony.
This access was authorized, as AT&T never requested any authorization.
So is copyright infringement for financial gain
What copyrighted data is relevant in this case? The list of emails? That's factual, and cannot be copyrighted any more than you can copyright the phone book.
Give me Classic Slashdot or give me death!
My guess is that this really is not criminal. There is no real criminal intent, or in legalese, mens rea. Instead, the Goatse Security Group really did this as a form of public service. Was it the most ethical means to do so? Quite possibly not. Ethically speaking, Goatse would have been better off reporting it directly to AT&T first and then to the media if AT&T ignored or denied it. That way, Goatse would have some extra ammunition and would be much more clearly in the right. While I know two wrongs don't make a right, AT&T did far worse with its cooperation with the Bush warrantless wiretapping program so I feel somewhat okay about AT&T getting a little egg on its face over this one.
Unauthorized access to a computer is a felony.
This access was authorized, as AT&T never requested any authorization.
the same defense used by the lawyers of individuals ultimately found guilty...
s/should be fully disclosed /should not be fully disclosed /
I believe that is what you meant.
Yes, 30 days sounds about right.
You are being MICROattacked, from various angles, in a SOFT manner.
That may very well be, but when I read that I see Anchorman Ron Burgundy saying: "I don't know how to put this but I'm kind of a big deal."...
Like a few other /.ers have pointed out, I feel this is more about the money. I do agree that Goatse probably didn't go about this in the most ethical manner, however I think their intent was good in nature. From the way it sounds, they wanted to make sure AT&T knew of the security hole, but also wanted the corporation to be held accountable by going to a media outlet. This ensures the company knows about the issue and has to take more prompt action to resolve it.
Now back to the money. I don't doubt AT&T was half-assing their security, because from my experience, they half-ass their service as well. They obviously did not make sure their website was fully secure and allowed sensitive customer data to be taken right out from under their noses. They saved some money by skimping on security, and now they are gonna lose more because they have to fix the hole. Add to that the potential customers they are going to lose because of people who caught wind of the fiasco. On top of which will be some customers who will jump ship due to the client-company trust being broken. And to add more insult to injury, AT&T may just have to replace all those compromised SIM cards like the expert in the story suggested.
And let's all not forget AT&T's record of network performance, especially with Apple devices. That's even more money lost to reinforcing an already staggering network infrastructure. Although that can be seen as an investment as well. Given their current circumstances though, the positive side is not as likely.
By now you could say I'm just being an AT&T troll, but looking back at my past experiences with the company, along with the experiences of friends and family who are customers, I'm going to say AT&T needs to clean up their act. They're in a world of hurt now, and I would just like to seem them improve for the sake of their customers.
Whew, time for a beer. Cheers! *wipes forehead*
My blood hurts...
I thought I read that if you had the unlimited plan, and upgraded to the new iPhone, you could choose to be grandfathered in... at least if you are qualified to upgrade here June/July I believe.
Not sure if later upgrades will grandfather in... hoping so.
Light travels faster than sound. This is why some people appear bright until you hear them speak.........
Knowing how large companies work; Chris is going to get a subpoena to appear in court to provide his self-proclaimed expert testimony and Goatse Security is going to get charged with illegal computer access, which, by their own admission, did occur.
And then everyone is going to forget about this and get right back to watching the World Cup.
I presume you mean "any exploit should NOT be fully disclosed to the public."?
In other words, my interpretation of the rest of your post is that you think that 30 days is the absolute maximum, and the full details should be public after that amount of time, maximum.
But that isn't fair either, as anyone who has worked on any kind of complex software knows you can't just magically throw a fix out there without breaking more than you fix!
No, the fair and responsible thing is to give a standard 90 days and then disclose. If they can't get the shit done in 90 days knowing the clock is ticking then they deserve what they get, but 90 days should be a fair and reasonable time limit. That way every vendor knows exactly how much time they have got to get it done, the ones that find the hole and report it know that after 90 days they won't be judged as douchebags (unlike that asshole at Google that told them on patch Tuesday weekend and expected them to drop all that work and magically fix it in under a week) and nobody will have any doubts as to the time frame they have to get the problem solved.
All in all it seems like a fair and reasonable solution to me, and will be a LOT safer than just blurting everything out immediately and giving black hats even more exploits to play with, not to mention causing rushed out patches without proper QA. I mean do we really want to HELP black hats send us more spam?
ACs don't waste your time replying, your posts are never seen by me.
I'd agree with you, but think of this from the perspective of a knowledgeable person who comes across a vulnerability (0-day).
He's got several realistic options in today's world:
1) Release the vulnerability to the public. Public disgust with company shields releaser from public reprisal.
2) Alert the vendor to their problem. Let the vendor sit on it indefinitely and not fix anything.
3) Alternatively, wait for law enforcement to subsequently knock down his door for 'hacking activities' or some such bullshit after alerting said vendor of said problem.
4) Do nothing but sit on it yourself (and how likely is that, if you've worked hard at finding something hidden?)
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
They entered into AT&T's network, uninvited (unless you can find somewhere where AT&T gave them procedures on how to send spoofed IMSIs to the script), and basically attacked their network
I suspect what these folks did is probably illegal. However, nowhere do they appear to have "entered" AT&Ts network, where "entering" means something like bypassing a firewall or logging onto a system. What they did was send requests to an unsecured interface, and AT&T's system happily sent back the answer.
What they did wasn't really an "attack" either, with the possible exception of a denial of service attack. AT&T doesn't seem to have noticed the extra accesses, however. It was not an "attack" in part because their actions did not cause any direct harm to the systems that they accessed, nor did they apparently need to disable, work around, or compromise any substantive security protocols.
However it appears that they have "intentionally accessed a computer without authorization" and obtained "information". That is probably a violation of 18 USC 1030 (a)(2) or a comparable state law.
They didn't enter into AT&T's network uninvited, they used a public facing and unprotected URL to retrieve information that URL was intended to retrieve. This is no more intrusion than if AT&T had put that data in a public facing flat file on a server somewhere and hoped nobody discovered the URL.
Copyright Violation:"theft, piracy"::Anti-Trust Violation:"thermonuclear price terrorism"<-Overly dramatic language.
Correct, my mistake. Full disclosure must occur in a reasonable time or the vendors will have no reason to patch the exploits.
You can't legislate goodness. Let each to his own destiny, by will of his freely made choices.
At some point, I wrote a small tool that used Ron Rivest's "Time Lock Puzzles" to provide lagged full disclosure... publish full disclosure that will take several months to decrypt, and privately give the vendor the decryption key to give them a head start. Getting a gag order from the courts won't help the vendor at that point, since you've already published the encrypted information and the puzzle, it's just a matter of grinding through the time lock puzzle. The time ticking on the time lock puzzle should hopefully light a fire under their rears to get a fix out. IMHO, time locked full disclosure gives you the best of both worlds... vendors have some reasonable time to implement a fix, but no amount of legal action can prevent the details from getting out several months later. The risk of "responsible disclosure" is that you can get slapped with a gag order, or at least legal threats, to prevent you from later putting pressure on the vendor for a faster fix.
Copyright Violation:"theft, piracy"::Anti-Trust Violation:"thermonuclear price terrorism"<-Overly dramatic language.
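The lagged-disclosure scheme the comment above describes, as an added illustration (not the commenter's tool, which is not on the page): a small Python model of a Rivest-Shamir-Wagner time-lock puzzle. The creator, who knows the factors of n, computes 2^(2^t) mod n with a single modular exponentiation by reducing the exponent modulo phi(n); everyone else must perform t sequential squarings, which cannot be parallelized. The derived key encrypts the advisory; the puzzle is published and the key is handed privately to the vendor. The XOR keystream built from SHA-256, the prime sizes and the sample advisory text are assumptions chosen to keep the example self-contained.

```python
import hashlib
import secrets


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    """Random prime with exactly `bits` bits (top and bottom bits forced to 1)."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """XOR data with a SHA-256 counter-mode keystream (demo stream cipher, symmetric)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(x ^ y for x, y in zip(data, stream))


def _key_from_residue(b: int, n: int) -> bytes:
    """Turn the puzzle solution a^(2^t) mod n into a 256-bit key."""
    return hashlib.sha256(b.to_bytes((n.bit_length() + 7) // 8, "big")).digest()


def create_time_lock(advisory: bytes, squarings: int, prime_bits: int = 256):
    """Creator side: knowing p and q, compute the solution with one modexp via
    Euler's theorem (a^phi(n) == 1 mod n), so the exponent 2^t is reduced mod phi(n)."""
    p = random_prime(prime_bits)
    q = random_prime(prime_bits)
    n = p * q
    phi = (p - 1) * (q - 1)
    a = 2                                  # gcd(2, n) == 1 because n is odd
    e = pow(2, squarings, phi)             # 2^t mod phi(n)
    b = pow(a, e, n)                       # == a^(2^t) mod n
    key = _key_from_residue(b, n)
    puzzle = {"n": n, "a": a, "t": squarings,
              "ciphertext": _keystream_xor(key, advisory)}
    return puzzle, key   # puzzle is published; key goes privately to the vendor


def solve_time_lock(puzzle: dict) -> bytes:
    """Anyone without p and q: t inherently sequential squarings, then decrypt."""
    n = puzzle["n"]
    b = puzzle["a"] % n
    for _ in range(puzzle["t"]):
        b = pow(b, 2, n)
    return _keystream_xor(_key_from_residue(b, n), puzzle["ciphertext"])


def open_with_key(puzzle: dict, key: bytes) -> bytes:
    """Vendor side: decrypt immediately with the privately delivered key."""
    return _keystream_xor(key, puzzle["ciphertext"])


if __name__ == "__main__":
    # Constructed sample; a real puzzle would use t in the hundreds of millions or more.
    sample = b"constructed advisory: details of the flaw would go here"
    puzzle, vendor_key = create_time_lock(sample, squarings=100_000)
    assert open_with_key(puzzle, vendor_key) == sample
    print("public solve matches:", solve_time_lock(puzzle) == sample)
```

The value of t is what sets the delay: the creator picks it from a measured squaring rate on the fastest hardware an adversary could plausibly own, since the only shortcut is knowing the factorization. Note that the modulus must be freshly generated per puzzle and the factors discarded after the key is derived.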
Are you kidding me? The customer comes first, always. If it was your personal info, would you still be as casual about this? Full and immediate disclosure is the only moral way to go.
I've been over this argument more times than I care to remember. Full disclosure before a fix is available is irresponsible.
There are applications out there where you simply cannot spray patches at the net to see what sticks. Each update has to be carefully tested and validated. These are typically very high reliability applications.
Your ignorant attitude to this problem overlooks the fact that it's not the software company that you need to be concerned about. It's the customers who bought it!
So go ahead, put a software company under. I don't much care. But if you cause someone to die because a zero day exploit caused the hospital to not see a patient's life support fail, that's a problem. If you hack a SCADA system at some remote site, you could put a neighborhood without electricity for many days.
These bits of software have actual end-users. This isn't just about the company that sold the software, it's about the end-users. People's lives often depend on this software working correctly.
If you don't give them a chance to react, then you're just as guilty as those who actually attack these sites.
Nearly fifty percent of all graduates come from the bottom half of the class!
The only reasonable assumption to make is that you are not the best there is, other people have already found what you have found, or will find what you have found, and the only way to protect the customer is to make sure the software company fixes the issue as fast as possible. That is what full disclosure ensures.
I'm not ignorant of the existence of end users. End users are the reason I support full disclosure. If end users didn't exist, then I couldn't give a shit.
"linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
I have worked on GSM networks for a living for over a decade and I am calling BS on this yellow editorial.
What the author is suggesting is the wireless equivalent of hacking by Physical Level Access. No OS in the world can be 'secure' if you gain physical access to the machine it's running on. The idea that somebody can deduce your name and address, drive to your residence and get your mobile to attach to their pico cell for purposes of mining your data is ludicrous.
1. IMSI is nothing special. It is nothing more than the entry the Home Location Register (HLR) uses to store information about your profile. Information like which Visitor Location Register (VLR) you are attached to, if you're roaming, what your phone number (MSISDN) is etc.
It does NOT contain any information about you, your name, your home address, your billing etc.
In order to view the IMSI profile in the HLR you would have to hack into the AT&T, T-Mobile, etc. cellular network, know where to find the HLR's IP, how to log into it, and what commands to run to query the subscriber profile. Even if you did all that, all you'd get out of it is a phone number...
There are MULTIPLE levels of security to secure the cellular network from unauthorized users gaining access to the switching equipment.
Firewall, VPN, Sitekey, multiple levels of logins and passwords requiring passing through multiple un NAT/PAT subnets.
If you had that kind of access you could do far more than look up somebody's phone number.
2. Even if someone had your IMSI, and knew where you lived, and set up a pico cell to try to trick your phone... Your phone would not authenticate to the pico cell without a proper KI value. The KI is not something you can just look up and copy. Even having your IMSI, they can't get around the fact that GSM is encrypted and they don't have the key.
They would also not be able to make your mobile hand over to their pico cell because there is no handover to that nonexistent BTS in the Base Station Controller or BSC. Phones don't just attach willy nilly to any old radio signal.
3. If a person wanted to go through that much trouble to find out info about you they might as well break into your home and replace your iPhone with one that has spyware preinstalled; it would be FAR EASIER than trying to hack/spoof the network.
And lastly, your IMSI, MSISDN, SIM, KI, CCID, IMEI, any of that stuff does not link to your name, home address, or your account. That information is on the customer billing network, usually handled by a 3rd party vendor. Gaining any of that information would require hacking yet another set of computer systems.
In summary:
1. Your IMSI is not a secret someone can use to come after you.
2. The HLR doesn't have any personal identifiable information about you.
3. Someone can't sit outside your house and sniff all your secrets by tricking your phone.
4. There are much easier ways to do these things if they really wanted your information. You are much more likely to be keylogged and exposed by using trojan software.
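The Ki-based challenge-response that point 2 of this comment relies on, as an added example (not code from the page or from any carrier): a toy Python model of the GSM AuC, serving VLR and SIM. The AuC holds Ki indexed by IMSI and hands the VLR a triplet (RAND, SRES, Kc); the SIM answers the RAND challenge; the VLR compares SRES. HMAC-SHA256 stands in for the operator-specific A3/A8 algorithms, and the Ki value is constructed; the IMSI is the T-Mobile sample from earlier in the thread. The model shows why a party holding only an IMSI cannot pass this check. It covers only the direction classic GSM authenticates, subscriber to network; the phone does not verify the network in this exchange.

```python
import hashlib
import hmac
import secrets


def a3_sres(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for the operator's A3: 32-bit signed response from Ki and RAND.
    Real A3/A8 are operator-chosen (e.g. COMP128 family, MILENAGE); HMAC-SHA256
    is used here only so the example is self-contained (assumption)."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]


def a8_kc(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for A8: 64-bit session key Kc derived from Ki and RAND."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]


class AuthenticationCentre:
    """AuC beside the HLR: the only network element that stores Ki, keyed by IMSI."""

    def __init__(self):
        self._ki_by_imsi = {}

    def provision(self, imsi: str, ki: bytes) -> None:
        self._ki_by_imsi[imsi] = ki

    def triplet(self, imsi: str):
        """Return (RAND, expected SRES, Kc) for the serving VLR. Ki never leaves the AuC."""
        ki = self._ki_by_imsi[imsi]
        rand = secrets.token_bytes(16)
        return rand, a3_sres(ki, rand), a8_kc(ki, rand)


class Sim:
    """Subscriber side: holds IMSI and Ki and answers RAND challenges."""

    def __init__(self, imsi: str, ki: bytes):
        self.imsi = imsi
        self._ki = ki

    def respond(self, rand: bytes):
        return a3_sres(self._ki, rand), a8_kc(self._ki, rand)


def vlr_authenticate(auc: AuthenticationCentre, sim: Sim):
    """Serving VLR: fetch a triplet for the claimed IMSI, challenge the SIM,
    compare SRES in constant time. Kc is released only on success."""
    rand, expected_sres, kc = auc.triplet(sim.imsi)
    sres, _ = sim.respond(rand)
    if not hmac.compare_digest(sres, expected_sres):
        return False, None
    return True, kc


def demo():
    """Genuine SIM versus a party that knows the IMSI but not Ki."""
    # Constructed values: IMSI is the thread's T-Mobile sample, Ki is made up.
    imsi = "310260391234567"
    real_ki = bytes.fromhex("0123456789abcdef0123456789abcdef")
    auc = AuthenticationCentre()
    auc.provision(imsi, real_ki)

    genuine = Sim(imsi, real_ki)
    imsi_only = Sim(imsi, bytes(16))   # correct IMSI, wrong Ki

    genuine_ok, kc = vlr_authenticate(auc, genuine)
    impostor_ok, _ = vlr_authenticate(auc, imsi_only)
    return genuine_ok, impostor_ok, kc


if __name__ == "__main__":
    ok, bad, kc = demo()
    print("genuine SIM accepted:", ok, "| IMSI-only accepted:", bad, "| Kc:", kc.hex())
```

The comparison uses hmac.compare_digest so the VLR's decision does not leak timing information about the expected SRES; the triplet is consumed once, since a fresh RAND is drawn per authentication.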