The iPad security breach earlier this month didn't just expose thousands of email addresses, but could also help hackers track down users' physical locations, says a growing chorus of security experts.
The Wall Street Journal today quoted cellular networking specialists saying that the iPad customer network IDs exposed by AT&T can be easily converted into a more valuable type of ID that could be used to look up a subscriber's location on the cellular network. The possibility of converting the exposed network ID, called an ICC ID, into the more valuable IMSI ID was first floated two weeks ago by security researcher Tom Paget in a blog post that summed up the dangers thusly:
Knowing someone's ICCID can give you their full unpublished billing name, their cellular phone number (and hence their home address), their current location on a realtime basis, their voicemail.... AT&T should... issue all of these people new cellular identities
This security issue impacts only owners of the 3G iPad variant, and is only of concern to those who care if their approximate location is exposed. But that's no minor group; the iPad breach exposed network IDs for the mayor of New York, the commander of a B-1 strategic bomber squadron and apparently the White House chief of staff. AT&T should explain how it's locking down its subscriber location database — such databases are typically easy to tap into, the Journal says, if you have the IMSI — and own up to all the security implications of its breach, instead of just trying to minimize them.
[Photo of customers waiting to buy iPads in Japan via AP]