Hackers leak 1M iOS device IDs supposedly taken from FBI agent's laptop

Posted in General Discussion, edited January 2014
Hackers from AntiSec on Tuesday claim to have leaked 1,000,001 iPhone and iPad identifiers the group allegedly obtained from a hacked FBI laptop holding over 12 million such Apple device IDs and corresponding personal information.

According to AntiSec, the unique device identifiers (UDID) of 12,367,232 Apple iPhones and iPads were discovered and lifted during the breach of an FBI agent's notebook, reports The Next Web. UDIDs are unique 40-character codes assigned to iDevices with cellular connectivity, their primary use being app registration and tracking by developers.

From AntiSec's post:
During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java, during the shell session some files were downloaded from his Desktop folder one of them with the name of "NCFTA_iOS_devices_intel.csv" turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc.

If the alleged attack and subsequent UDID leak are legitimate, it is unclear how or why the FBI secured the Apple UDIDs.

AntiSec noted the UDIDs had varying amounts of personal data, with some having just basic personal information while others were more comprehensive and included full names and addresses. When the group published the UDID sample set, it stripped out identifying data but left Apple Device ID, Apple Push Notification Service DevToken, Device Name and Device Type data intact for users to "look if their devices are listed there or not."

It should be noted that some of the information provided in the leaked data sets is commonly available to iOS app developers as a requirement for push notifications; however, private data like phone numbers and addresses are usually blocked.

Apple recently began taking steps to block UDID app access amid increased scrutiny of privacy practices from both consumers and the government. In August 2011, the company warned developers that it would be ending UDID access with iOS 5, effectively ending an easy solution to OS-wide user tracking.

Comments

  • Reply 1 of 42
    iqatedo Posts: 1,823 member

    Quote:
    Originally Posted by AppleInsider

    Hackers from AntiSec...

    It should be noted that most of the information provided in the leaked data sets are commonly available to iOS app developers as a requirement for push notifications, among other uses...

    Most of the information, or all of the information?

  • Reply 2 of 42
    dreyfus2 Posts: 1,072 member

    Well, let's assume there is a valid reason for the FBI to keep such a ridiculous amount of private and confidential data on a cheap-ass laptop (can't think of one, but what do I know), this is still rather worrisome. I would expect some Supervisor Special Agent working for FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team (of all people), to know that such data does not belong on a mobile device, and that running something as unsafe as Java on the same device is approaching grossly negligent territory. These incompetent creatures might be more dangerous than what they are fighting.

    Quote:
    It should be noted that most of the information provided in the leaked data sets are commonly available to iOS app developers as a requirement for push notifications, among other uses.

    Well, that is a bit misleading / euphemistic. Developers would get some of that for/from their own app, but certainly not for all of them on any phone; and certainly not any ZIP codes, phone numbers or addresses without user consent. Even if this just lands in the hands of online marketing spammers, this is 12 million of the most sought-after contact details. Real addresses, belonging to real people with considerable income. No need to downplay that.

  • Reply 3 of 42
    tylerk36 Posts: 1,037 member

    Your homeland security hard at work. Let's see. If they have such information then maybe they have a list of all the rolls of toilet paper and their serial numbers ever sold to Osama Bin Laden. Also I have built a bridge to London out of sharp cheddar cheese and green beans. Yes green beans!

  • Reply 4 of 42
    The FBI has all this shit on a cheap-assed Windows laptop and didn't even think to encrypt it????!!!!!

  • Reply 5 of 42
    13 million odd people can now sue the FBI.
  • Reply 6 of 42
    moustache wrote:
    13 million odd people can now sue the FBI.

    The person who sues first will end up in a ditch somewhere mysteriously killed. With their identity wiped and replaced with a wanted fugitive posting.

    Or is that the CIA's job?

    LOL

    Seriously, an embarrassment such as this will result in a manhunt costing not only our information, but millions if not billions of tax dollars (since you're essentially suing for money you paid for this dept work).

    Of course the PC boys will laugh at the idea of Macs replacing the PCs because they are "Less secure" in PC hardcore users' eyes.
  • Reply 7 of 42
    sr2012 Posts: 896 member
    Awesome. Good job to the hackers for exposing a single FBI agent having 1 million user profiles in a bl**dy plain text CSV file.
  • Reply 8 of 42
    sr2012 Posts: 896 member
    The FBI has all this shit on a cheap-assed Windows laptop and didn't even think to encrypt it????!!!!!

    Bingo.

    Crap laptop
    Crap OS
    Crap Java
    Crap security
    Crap CSV file
    Crap (no) Encryption

    FBI annual budget: 8 Billion USD.

    What's wrong with this picture?
  • Reply 9 of 42
    And to think that Apple got complaints for removing Java from Mac OS X. There are a couple of desktop apps I still run that use Java, but I'd never allow it to run in the browser.

  • Reply 10 of 42
    mazda 3s Posts: 1,613 member
    The FBI has all this shit on a cheap-assed Windows laptop and didn't even think to encrypt it????!!!!!

    From a poster on Mac Rumors:
    The laptop probably was encrypted, but encryption doesn't protect you from an exploit that occurs while your computer's running.

    Why? Because when you're using the computer, the decryption keys are already there. (otherwise your computer wouldn't be running; can't boot an encrypted laptop without providing the keys)
  • Reply 11 of 42
    It sure does beg the question what the FBI is doing with that many UDIDs to begin with… I suppose we could have 12 million "suspected terrorists" and "felony suspects" and "drug-related criminals" in the US… but no doubt mixed in among those; "political activists" and "journalists" and "certain practitioners of selected religions" and so on… after all, Hoover may be long gone, but much of his culture remains...

    I'd wager a good half those UDIDs are what we would consider unjustified, and crossing some legal lines...

    The next big question would be, where did they get them? The same AT&T that helps the NSA monitor EVERYONE'S phone calls perhaps? Or maybe the NSA just shared...

    No matter what, this is why I have a problem with laws like the Patriot Act… abuse of power is easy… recovering the reins of power from the abusers, not so much...

  • Reply 12 of 42
    dreyfus2 Posts: 1,072 member

    Quote:
    The laptop probably was encrypted, but encryption doesn't protect you from an exploit that occurs while your computer's running.

    Why? Because when you're using the computer, the decryption keys are already there. (otherwise your computer wouldn't be running; can't boot an encrypted laptop without providing the keys)

    This is not exactly true; actually, it is all wrong. In high sensitivity areas you would normally either not use disk-level encryption, or at least file-level encryption in addition. Systems like Apple's FileVault only protect entire disks and that results in exactly the described problem.

    In sensitive areas, like research, nuclear technology etc. you normally have a proper PKI-based file-level encryption in place that is even able to detect/log file alterations. Such a system would still work (i.e. ask for a password, biometric information, a token etc.), even if the user is already logged in properly. Actually OS X works the same way for e.g. software installations and keychain access. Even if you are logged in, you still need to re-enter your password for several transactions.

  • Reply 13 of 42
    mrstep Posts: 513 member

    Quote:
    Originally Posted by tribalogical

    It sure does beg the question what the FBI is doing with that many UDIDs to begin with… I suppose we could have 12 million "suspected terrorists" and "felony suspects" and "drug-related criminals" in the US… but no doubt mixed in among those; "political activists" and "journalists" and "certain practitioners of selected religions" and so on… after all, Hoover may be long gone, but much of his culture remains...

    I'd wager a good half those UDIDs are what we would consider unjustified, and crossing some legal lines...

    The next big question would be, where did they get them? The same AT&T that helps the NSA monitor EVERYONE'S phone calls perhaps? Or maybe the NSA just shared...

    No matter what, this is why I have a problem with laws like the Patriot Act… abuse of power is easy… recovering the reins of power from the abusers, not so much...

    Exactly. 12 million records tying device id to user, enabling tracking of push notifications to boot - and this file wasn't even worth encrypting! Let's get this straight - Congress will call company executives up to testify as to why apps can access your address book - because, you know, that's a huge privacy violation! - while they're of course authorizing spying on all of us anyways? (Or is it 12 million terrorists now?)

    An app hitting our address book is the least of our worries at this point, and these fake demonstrations of 'we're concerned about the privacy of our citizens' on the part of our leaders are pure theater. They've already authorized full scanning of all internet communications & phone traffic (little things like Echelon / Carnivore / NSA 'anti-terrorism' hooks into internet traffic hubs), and here's a lovely reminder. I'm sure the UDID replacement is traceable by the FBI as well. Who exactly is violating our rights? Well, that's of course harder to trace because that information is of course 'secret' for our protection. It's a truly disgusting state of affairs.

  • Reply 14 of 42
    You can check if your UDID is leaked here: http://pastehtml.com/udid , partial search accepted.

  • Reply 15 of 42
    cnocbui Posts: 3,613 member

    This is just a small example of why iCloud will see only limited utility and adoption outside the US. No corporation, government, or anyone with work related sensitive information will use the service. All the data is kept on servers in the US with complete and free access provided to the US intelligence services like the NSA.

    The NSA is well known for stealing confidential business information from foreign corporations and handing it over to US corporations to give them a 'helping hand'.

  • Reply 16 of 42
    mrstep Posts: 513 member

    Quote:
    Originally Posted by cnocbui

    This is just a small example of why iCloud will see only limited utility and adoption outside the US. No corporation, government, or anyone with work related sensitive information will use the service. All the data is kept on servers in the US with complete and free access provided to the US intelligence services like the NSA.

    The NSA is well known for stealing confidential business information from foreign corporations and handing it over to US corporations to give them a 'helping hand'.

    Sure, but you better also hope that your traffic doesn't pass through the US. Or England. Or Australia. Or China. Or anywhere in the Mideast. Or...

    But I agree, in general keep your data on your own machine unless you want it ending up on a government laptop. Totally screwy - all while proclaiming how free we are and how those other governments are evil for keeping tabs on their citizens.

  • Reply 17 of 42
    sensi Posts: 346 member
    The FBI has all this shit on a cheap-assed Windows laptop and didn't even think to encrypt it????!!!!!
    Funny that you don't seem concerned with the FBI collecting them first.
  • Reply 18 of 42
    sensi Posts: 346 member
    raymccrae wrote:
    And to think that Apple got complaints for removing Java from Mac OS X. There are a couple of desktop apps I still run that use Java, but I'd never allow it to run in the browser.
    Apple got complaints for leaving unpatched for months - while a fix existed - its own custom build of Java.
  • Reply 19 of 42
    dreyfus2 wrote:
    Actually OS X works the same way for e.g. software installations and keychain access. Even if you are logged in, you still need to re-enter your password for several transactions.

    Take a look at the "security" app in the terminal some time. There isn't nearly as much security or control as you would think from the keychain GUI.
  • Reply 20 of 42
    ah, c'mon. facebook probably has more udids.
