Wednesday, June 16, 2010

AT&T is Wrong About the iPad Breach & I have code to prove it

When I'm not working on Hamilton Carver: Zombie PI the web series, I've been known to do infosec research. Hell, it is still my day job.

So, at this point I assume everyone knows about the iPad Breach.

Originally AT&T stated that the disclosure of email addresses was the only consequence of the breach. Chris Paget soon reasoned that this wasn't the case, since American GSM carriers construct their Integrated Circuit Card Identifiers (ICC-IDs) so that they correspond to their International Mobile Subscriber Identities (IMSIs).

Thanks to a little bit of work between Ian Langworth and myself, we now have a tool that takes advantage of this ICC-ID to IMSI correspondence. It also spits out a little information about the ICC-ID itself. The tool can be found here but is likely to move, so if the link is dead I'm probably moving it to new hosting. I'll make sure to update this post with the new address.

In Chris' post he describes the scary things you can do with an IMSI and links to a paper that explains how AT&T and T-Mobile ICC-IDs can be converted to IMSIs. There's just one catch: the paper is incomplete, and its method for AT&T / Cingular doesn't work. This bothered me, even more so after watching many people quote the paper on Slashdot and other sites. On top of nobody actually trying the algorithm, there was some confusion over whether ICC-IDs correspond to IMSIs at all, so I built the tool to show definitively that in this case they do.

So how do you convert an ICC-ID into an IMSI?

Basically, the way you decode an AT&T or T-Mobile ICC-ID is this:

  1. Read off the first 2 digits as the system code (all the ones we care about start with 89, meaning GSM).
  2. Read the ITU dialing prefix out of the next 2 - 3 digits. Make sure to match the longest prefix first.
  3. After parsing out the ITU prefix, parse the next three digits as the Mobile Network Code (MNC).
  4. Match the MNC with the ITU prefix's country to find the Mobile Country Code (MCC).
     e.g. if I have an ITU prefix of 01, meaning the US, I look at the list of MNCs for that country and find the MCC that goes with this MNC; that is the MCC for the IMSI.
  • At this point we have the MCC and the MNC and are only missing the subscriber number to form an IMSI (the IMSI is simply MCC, MNC and subscriber number concatenated). Getting the subscriber number out of an ICC-ID is vendor specific, so it's different between AT&T and T-Mobile.
  • To get an AT&T subscriber number, simply take the next 9 digits after the MNC.
    ex: if I have an ICC-ID of 89014101234567891, the subscriber number is 123456789.
  • To get a T-Mobile subscriber number, take the two digits after the MNC (the ones immediately before the double 00) and concatenate them with the seven digits following the zeros.
    ex: if I have an ICC-ID of 8901260390012345679, the subscriber number is 391234567.

Honestly, this is pretty lame technically, but it proves the point that ICC-ID disclosure is equivalent to IMSI disclosure for AT&T and T-Mobile. In case anyone is wondering: yes, we've checked the derived IMSI values against the true IMSI values with OpenBTS and the USRP.