The hackers who found private information about iPad users through a security hole in AT&T Inc.'s website earlier this month turned up two pieces of data: email addresses and an obscure number called the ICC-ID.
Attention has focused on the thousands of email addresses that were released, particularly those belonging to high-profile members of the military and the government. But some computer security experts say the exposure of the ICC-ID numbers is troubling, as they are the starting point for tracking a user's rough location and intercepting encrypted data.
To be sure, this isn't the easiest information to exploit. Tracking subscribers requires using the ICC-ID to derive another number first and then getting help from someone with basic access to telephone networks. Capturing data transmissions—setting aside the idea of tough encryption—is only possible with equipment that is expensive and typically limited to uses like law enforcement. Some security experts, however, say the ICC-ID number isn't as harmless as AT&T has implied.
"If those numbers do get out, there are ways to leverage them," said Richard Mislan, assistant professor at Purdue University specializing in cyber forensics. "There are services that allow you to track phones" and devices like the iPad that interact with cellular networks.
AT&T apologized for the security lapse and said no information beyond the email addresses and ICC-IDs was compromised. Experts say plugging further leaks from the ICC-IDs is relatively simple: Give all iPad users who might have been affected new SIM cards, the chip that enables wireless service.
AT&T Chief Executive Randall Stephenson said in a recent interview that the company would give a new SIM card to any user who asked for one. "Our objective is to make it very comfortable and secure for you to go out and transact business on the Internet," he said. "If you are not secure with that, it will limit where consumers are willing to go with these devices."
The ICC-ID number is basically a serial number for every device's SIM card. They're often written inside a cellphone or printed on the boxes in which devices are shipped. AT&T, in a June 13 note to iPad users, said the ICC-IDs and email addresses were the only information exposed. "Your password, account information, the contents of your email, and any other personal information were never at risk," the company wrote.
Security experts say the chain doesn't necessarily end there. The ICC-ID number could help hackers learn another, more critical piece of the wireless security puzzle known as the international mobile subscriber identity, or IMSI, number.
IMSI numbers, usually 15 digits, are like a user's driver's license on wireless networks and are used in part so carriers know whom to bill. They identify users' home networks and link to databases containing personal details, such as name, address and phone number, and a device's latest location on the network.
Carriers consider IMSI numbers so sensitive that they are transmitted from devices to cell towers as infrequently as possible. To protect subscriber confidentiality, network operators instead generate temporary IMSI numbers to place calls, send data or update a subscriber's location when they move to a new area.
Lee Reiber, a former cellphone forensics examiner with the Boise Police Department who now trains law enforcement agencies to obtain data from mobile phones and networks, says carriers including AT&T have made it possible to calculate the IMSI number from the ICC-ID. He says it can be as easy as rearranging some of the ICC-ID's digits.
The IMSI numbers are critical pieces of data that help law enforcement agencies work backward from mobile devices to identify the suspects who use them. They can also be used to track suspects and listen in to their cellphone calls, Mr. Reiber says. With the IMSI number, he says, it may be possible to track a person down to the level of a city or area of a city.
Police, using court orders, obtain that information directly from carriers. But others could get it with help from a company with access to systems called SS7 networks, which carry the information needed to route and connect calls. The SS7 networks can be used to identify the area of a city where a device last pinged a cell tower.
A range of companies, including text-message marketing firms and some mobile-service retailers, have access to SS7 systems. Marketers and retailers have only limited access to the SS7 system, but security experts fear the system could be manipulated to skirt those limits.
"There are ways to manipulate protocols within the telephony network to subvert access controls and extract information," says Don Bailey, a consultant with computer security consulting firm iSEC Partners.Companies, for example, could pretend to want to send a text message to a subscriber in order to uncover information about that subscriber's location.