AT&T Breach May Be Worse Than Initially Thought
ChrisPaget writes "I'm somewhat of an authority on GSM security, having given presentations on it at Shmoocon (M4V) and CCC (I'm also scheduled to talk about GSM at this year's Defcon). This is my take on the iPad ICCID disclosure — the short version is that (thanks to a bad decision by the US cell companies, not just AT&T) ICCIDs can be trivially converted to IMSIs, and the disclosure of IMSIs leads to some very severe consequences, such as name and phone number disclosure, global tower-level tracking, and making live interception a whole lot easier. My recommendation? AT&T has 114,000 SIM cards to replace and some nasty architectural problems to fix."
Reader tsamsoniw adds that AT&T has criticized the security group responsible for pointing out the flaw, while the group claims they did it 'as a service to our nation.'
I'm proud that Goatse Security revealed this gaping security hole.
My thanks for the security team's service to me.
And point c) is why AT&T is bitching.
Fixing their no-doubt-creaky-and-hideously-flawed-empire-of-security-by-obscurity will be a costly pain in the ass. Every day that they didn't have to do that was money saved, never mind the fact that the better grade of black hat could well have been doing targeted attacks against high value individuals for all that time. But now that the NYT has the story, they'll have to do something. Total bummer. Bad for shareholder value.
This is why so many vendors use the phrase "responsible disclosure" as a polite synonym for "shut the fuck up, never tell anybody except us, and don't think that telling us entitles you to any ETA on a fix."
Not surprisingly, AT&T criticized the "security team" that discovered and reported the hole because it made them (AT&T) look pretty bad.
In a fair world, the security team would send AT&T a nice big bill for their services and AT&T would promptly pay it with a note of thanks.
You are welcome on my lawn.
Screw AT&T if that is what they think. Same goes for any other company who builds and designs half-assed security measures and publicly, or even privately, blasts those for exposing how much they suck at this. It's like blaming the people who exposed Madoff.
LoB
"Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
"Captain, I discovered that the bulkheads that seal the ship in case of a hull breach actually stop several floors short, and could be compromised in the event of a major collision."
"How dare you point out a fatal flaw in our Honorable Engineer's design. Now that the Icebergs know this, they will surely attack our boat! You should have kept your dumb mouth shut."
"but..."
http://www.mfi-training.com/forum/paper/SIM&Salsa.pdf
Their lack of security, let me show you it:
T-Mobile
  ICCID 8901260390012345679
  IMSI  310260391234567
AT&T
  ICCID 89310170101234567891
  IMSI  310170123456789
[Fuck Beta]
o0t!
Assuming an info leak like this is true, we're talking about a crime network knowing when everyone is at home, at work, stuck in traffic, on vacation, etc. That's billions of dollars worth of info given what they could accomplish with it.
And this, folks, is why everyone should support full disclosure. Full disclosure may hurt the producer (arguably they deserve to be hurt...), but responsible disclosure is just a stall tactic that hurts the consumer.
"linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
You seem a bit young. Remember the Baby Bells? Leasing your phone from ATT/Ma Bell? Their logo looks like the Death Star for a reason.
All of the above was encrypted with a Quad ROT-13 method. Unauthorized decryption is in violation of the DMCA.
They didn't screw anyone over. It is your choice to upgrade or downgrade your plan away from the Unlimited data plan. They are not forcing you to upgrade to a different phone. I am keeping my iPhone 3G/Unlimited plan until I am ready to move off the plan. Then I will make the choice whether to stick with ATT or not at that time. They didn't say you will have this option forever. And guess what: when your contract expires, you will still be on the unlimited plan until you consciously choose to move to a different plan.
~~"Of course, that's just my opinion. I could be wrong." ~~Dennis Miller
I'm all about telling the vendor about the security hole before publicizing it if it's known not to already be in the wild. Give them a chance to do the right thing.
This duration of time should vary based on a variety of factors such as the company's past history in fixing exploits, public disclosure statements, severity, etc.
With that said, there is no reason that after 30 days, any exploit should be fully disclosed to the public. If the vendor doesn't like it, well they should have fixed the problem when only a few people knew about it. If they have egg on their face, it's because they failed to correct the problem.
A good example was the recent major DNS exploit. It was quietly fixed and then fully disclosed. That's how it should work.
You can't legislate goodness. Let each to his own destiny, by will of his freely made choices.
A) They didn't need to download 114,000 e-mail addresses to prove it could be done. A handful would have been more than sufficient, or even a simple description of what to do to reproduce the exposure.
B) No they didn't warn AT&T. AT&T and Goatse both stated that Goatse never tried to contact them.
C) This one is true, at least.
They entered into AT&T's network, uninvited (unless you can find somewhere where AT&T gave them procedures on how to send spoofed IMSIs to the script), and basically attacked their network.
The proper course would have been to provide AT&T with information about the exposure. They should have destroyed all data recovered rather than forwarding it on to someone else.
Unauthorized access to a computer is a felony.
This access was authorized, as AT&T never requested any authorization.
So is copyright infringement for financial gain.
What copyrighted data is relevant in this case? The list of emails? That's factual, and cannot be copyrighted any more than you can copyright the phone book.
Give me Classic Slashdot or give me death!
But that isn't fair either, as anyone who has worked on any kind of complex software knows you can't just magically throw a fix out there without breaking more than you fix!
No, the fair and responsible thing is to give a standard 90 days and then disclose. If they can't get the shit done in 90 days knowing the clock is ticking, then they deserve what they get, but 90 days should be a fair and reasonable time limit. That way every vendor knows exactly how much time they have got to get it done; the ones that find the hole and report it know that after 90 days they won't be judged as douchebags (unlike that asshole at Google that told them on Patch Tuesday weekend and expected them to drop all that work and magically fix it in under a week); and nobody will have any doubts as to the time frame they have to get the problem solved.
All in all it seems like a fair and reasonable solution to me, and will be a LOT safer than just blurting everything out immediately and giving black hats even more exploits to play with, not to mention causing rushed out patches without proper QA. I mean do we really want to HELP black hats send us more spam?
ACs don't waste your time replying, your posts are never seen by me.
They entered into AT&T's network, uninvited (unless you can find somewhere where AT&T gave them procedures on how to send spoofed IMSIs to the script), and basically attacked their network.
I suspect what these folks did is probably illegal. However, nowhere do they appear to have "entered" AT&T's network, where "entering" means something like bypassing a firewall or logging onto a system. What they did was send requests to an unsecured interface, and AT&T's system happily sent back the answer.
What they did wasn't really an "attack" either, with the possible exception of a denial of service attack. AT&T doesn't seem to have noticed the extra accesses, however. It was not an "attack" in part because their actions did not cause any direct harm to the systems that they accessed, nor did they apparently need to disable, work around, or compromise any substantive security protocols.
However it appears that they have "intentionally accessed a computer without authorization" and obtained "information". That is probably a violation of 18 USC 1030 (a)(2) or a comparable state law.