Editor’s note: This guest post is written by Kevin Mahaffey, CTO of Lookout Mobile Security.
The iPad security breach last week potentially exposed the emails of 114,000 AT&T customers, but that is not the only information that could have been discovered by clever hackers. iPad owners will be surprised to know that the data breach revealed far more personal and sensitive information than is generally known. Reports initially said only email addresses and “ICC-ID numbers,” a seemingly unimportant identifier, were leaked. But those ICC-ID numbers reveal a lot about users, their identity and their location.
In fact, just a little fifth-grade math will allow you to turn the seemingly innocuous ICC-ID number into the more sensitive and generally protected “IMSI”—International Mobile Subscriber Identity. (You basically rearrange some digits.) This number is unique to each SIM card and can be used to determine:
Security researcher Chris Paget goes into more technical detail on the security hole and how it can expose the personal information indicated above. Once you have the IMSI, you can get the phone number, which potentially exposes more data such as a subscriber’s address and physical location. Suffice it to say that this vulnerability reveals a far bigger security risk and presents a new challenge that carriers and device makers should address right away. Carriers need to clearly separate what is public and what is private. Public identifiers like ICC-ID should not allow someone to retrieve private information.
Cyber criminals or hackers would only need to do the same mathematical conversion that we are able to do to expose this highly personal information.