iPad Breach Update: More Personal Data Was Potentially At Risk

Editor’s note: This guest post is written by Kevin Mahaffey, CTO of Lookout Mobile Security.

The iPad security breach last week potentially exposed the emails of 114,000 AT&T customers, but that is not the only information that could have been discovered by clever hackers. iPad owners will be surprised to know that the data breach revealed far more personal and sensitive information than is generally known. Reports initially said only email addresses and “ICC-ID numbers,” a seemingly unimportant identifier, were leaked. But those ICC-ID numbers reveal a lot about users, their identity and their location.

In fact, just a little fifth-grade math will allow you to turn the seemingly innocuous ICC-ID number into the more sensitive and generally protected “IMSI”—International Mobile Subscriber Identity. (You basically rearrange some digits.) This number is unique to each SIM card and can be used to determine:

  • a person’s approximate location—you could track them to see where they are in real time
  • a person’s associated phone number
  • and, in some cases, a person’s physical address.

Security researcher Chris Paget goes into more technical detail on the security hole and how it can expose the personal information indicated above. Once you have the IMSI, you can get the phone number, which potentially exposes more data such as a subscriber’s address and physical location. Suffice it to say that this vulnerability reveals a far bigger security risk and presents a new challenge that carriers and device makers should address right away. Carriers need to clearly separate what is public and what is private. Public identifiers like ICC-ID should not allow someone to retrieve private information.

Cyber criminals or hackers would only need to do the same mathematical conversion that we are able to do to expose this highly personal information.