Dark Reading is part of the Informa Tech Division of Informa PLC

Attacks/Breaches

9/4/2012 02:56 PM

AntiSec Hackers Post 1 Million Apple Device IDs

Hacker group says it got data off FBI laptop and released the file to call attention to the government's alleged possession of that information.

Hacking group AntiSec on Monday posted online a million and one Apple Unique Device Identifiers (UDIDs) that it claims to have obtained from an FBI laptop.

"During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber ActionTeam and New York FBI Office Evidence Response Team, was breached using the AtomicReferenceArray vulnerability [in] Java," the group said in a post published on PasteBin. "During the shell session some files were downloaded from his Desktop folder. One of them with the name of 'NCFTA_iOS_devices_intel.csv' turned to be a list of 12,367,232 Apple iOS devices..."

The group has published one million and one UDIDs from its list of 12 million, along with Apple Push Notification Service tokens. It has omitted additional data fields associated with some of the UDIDs, including user names, zip codes, mobile phone numbers, and addresses. Nonetheless, the file includes the user-settable device name field, in which many users have entered their first name or full name.

NCFTA stands for the National Cyber-Forensics & Training Alliance. Since its creation in 1997, the FBI says, the NCFTA "has become an international model for bringing together law enforcement, private industry, and academia to share information to stop emerging cyber threats and mitigate existing ones."

So is Apple sharing user data with the NCFTA and FBI to help fight cybercrime?

Apple did not respond to a request for comment. The NCFTA did not immediately respond to a request for comment. After initially declining to comment, the FBI issued a statement disputing AntiSec's claim about the source of the file.

"The FBI is aware of published reports alleging that an FBI laptop was compromised and private data regarding Apple UDIDs was exposed," the FBI said via email. "At this time, there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data."

But if Apple wanted to share customer information with the FBI, its privacy policy allows it to do so. Apple's privacy policy states that the company may disclose customer information "if we determine that for purposes of national security, law enforcement, or other issues of public importance, disclosure is necessary or appropriate."

Apple in March began rejecting apps that access UDID numbers and has made it clear that UDIDs are being phased out. In January 2011, Apple was sued in California over alleged privacy and state business law violations because it allowed developers to transmit UDID numbers. That case was dismissed in December 2011. A spokesperson for law firm Milberg LLP did not immediately respond to a request for further information about the litigation.

A study published in September 2010, cited in the case, found that 56 out of 101 apps tested transmitted UDID numbers. Unique identifiers are coveted by advertisers because they allow ads to be targeted to individuals and tracked across services.

Privacy concerns prompted Apple to deprecate the UDID API in iOS 5 and to suggest that developers implement their own app-specific ID schemes rather than relying on a number tied to a specific device. Instead, Apple wants developers to use "Core Foundation Universally Unique Identifier," which can be the same across multiple devices, making it less compelling for advertisers.

Crashlytics, a company that makes a developer analytics SDK, has developed an open-source alternative called SecureUDID.
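The privacy argument in the two paragraphs above is easy to see in code: a device-wide identifier is the same value in every app, so any two parties that collect it can join their records; an identifier derived per app cannot be joined. The example below is added here and is not code from the article, from Apple, or from the SecureUDID project. It models the old UDID as a SHA-1 over hardware attributes and an app-scoped identifier as an HMAC of a per-device random secret keyed by the app's domain; both constructions, and all device values, are illustrative assumptions rather than the real algorithms.

```python
"""Added example: why a device-wide identifier (UDID) lets unrelated apps' data be
correlated, and how an app-scoped identifier removes that linkage.

Assumptions (not Apple's or SecureUDID's algorithms): the simulated UDID is a SHA-1
over fixed hardware attributes; the app-scoped identifier is an HMAC of a per-device
random secret keyed by the app domain."""
import hashlib
import hmac
import secrets


def simulated_udid(serial: str, wifi_mac: str, bt_mac: str) -> str:
    """Device-wide identifier: deterministic over hardware attributes, so every app on
    the device reports the same 40-hex-character value (the shape of a real UDID)."""
    return hashlib.sha1(f"{serial}{wifi_mac}{bt_mac}".encode()).hexdigest()


def app_scoped_id(device_secret: bytes, app_domain: str) -> str:
    """App-scoped identifier: stable for one app on one device, but different for each
    app, so two apps' records cannot be joined. device_secret is generated once per
    device and never leaves it; app_domain would be, e.g., the app's bundle id."""
    return hmac.new(device_secret, app_domain.encode(), hashlib.sha256).hexdigest()


def linkable_users(records_a: dict, records_b: dict) -> set:
    """Identifiers present in both datasets: what a third party holding both could join."""
    return set(records_a) & set(records_b)


def demo() -> dict:
    # Constructed device attributes; not real hardware values.
    serial, wifi, bt = "C02XXXXXXXXX", "00:11:22:33:44:55", "00:11:22:33:44:56"
    udid = simulated_udid(serial, wifi, bt)
    device_secret = secrets.token_bytes(32)  # created once on the device

    # Old scheme: two unrelated apps both report the same UDID to their ad networks,
    # so the networks can merge what each app knows about the user.
    ads_a = {udid: {"app": "com.example.news", "zip": "94105"}}
    ads_b = {udid: {"app": "com.example.game", "name": "Alice"}}

    # Scoped scheme: each app derives its own identifier from the device secret.
    id_a = app_scoped_id(device_secret, "com.example.news")
    id_b = app_scoped_id(device_secret, "com.example.game")
    scoped_a = {id_a: ads_a[udid]}
    scoped_b = {id_b: ads_b[udid]}

    return {
        "udid_joinable": linkable_users(ads_a, ads_b),        # non-empty
        "scoped_joinable": linkable_users(scoped_a, scoped_b),  # empty
        "stable_for_same_app": id_a == app_scoped_id(device_secret, "com.example.news"),
    }


if __name__ == "__main__":
    print(demo())
```

The property worth noting is the asymmetry: the scoped identifier stays stable for a given app (so analytics and crash reporting still work) while giving every other app an unrelated value, which is what makes it far less useful for cross-service ad tracking.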

Because AntiSec withheld some of the information in the alleged FBI file, the security risks to those whose UDID numbers have been exposed are significantly less than they would be with full names, addresses, and other personal data.

It's possible, however, that a skilled hacker will be able to use these identifiers, probably in conjunction with other information, to spoof Apple's notification service or make a social engineering attack more credible. At the very least, users whose UDIDs have been exposed may be identifiable by name through future usage of apps that reveal a UDID--a simple database look-up can check to see if a UDID matches a name in the AntiSec file.

The exposed data may also pose an operational security risk for the FBI or others engaged in cybersecurity: Some of the devices on the list bear names like "FBI's iPhone," "FBI van#2," and "FBI Surveillance." Presumably the FBI isn't keen to have its devices identified when they access a network with an app that reveals UDIDs.
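The two risks just described, a name lookup against the published file and device names that identify an organisation, can be checked from the defender's side with a small script. The one below is added here and is not code from the article or from the published dump. It assumes the leaked rows are comma-separated "UDID, APNS token, device name, device type" records; the sample rows are constructed for the example and contain no real identifiers.

```python
"""Added example: exposure check over a leak in the format the article describes.
Assumed row layout: UDID,APNS token,device name,device type. Sample rows are
constructed; they are not from the real file."""
import csv
import io
import re

# A UDID is a 40-character hexadecimal string; anything else is treated as a bad row.
UDID_RE = re.compile(r"^[0-9a-f]{40}$")

SAMPLE_LEAK = """\
0123456789abcdef0123456789abcdef01234567,aa11,Alice's iPhone,iPhone
89abcdef0123456789abcdef0123456789abcdef,bb22,FBI van#2,iPad
not-a-udid,cc33,Broken row,iPod touch
FEDCBA9876543210FEDCBA9876543210FEDCBA98,dd44,iPad,iPad
"""


def parse_leak(text: str) -> dict:
    """Index well-formed rows by lowercase UDID; malformed rows are skipped, not raised."""
    index = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 4:
            continue
        udid, token, name, devtype = (field.strip() for field in row)
        udid = udid.lower()
        if not UDID_RE.match(udid):
            continue
        index[udid] = {"apns_token": token, "device_name": name, "device_type": devtype}
    return index


def exposure(index: dict, udid: str):
    """What the dump reveals for one device, or None if the UDID is absent."""
    rec = index.get(udid.strip().lower())
    if rec is None:
        return None
    # A device name that is just the model string carries no personal information;
    # anything else may disclose a person or an organisation.
    reveals_owner = rec["device_name"].lower() != rec["device_type"].lower()
    return {"device_name": rec["device_name"], "name_reveals_owner": reveals_owner}


def names_mentioning(index: dict, keyword: str) -> list:
    """Device names containing a keyword (e.g. an organisation name), case-insensitive."""
    kw = keyword.lower()
    return sorted(r["device_name"] for r in index.values() if kw in r["device_name"].lower())


if __name__ == "__main__":
    idx = parse_leak(SAMPLE_LEAK)
    print(exposure(idx, "0123456789abcdef0123456789abcdef01234567"))
    print(names_mentioning(idx, "fbi"))
```

Lookups are case-insensitive because UDIDs circulate in both upper- and lower-case hex, and the "reveals owner" flag is the practical signal for a user: a record whose device name equals the model string exposes little beyond the identifier itself.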

Comments

PJS880, User Rank: Ninja, 9/10/2012 | 3:13:23 AM
re: AntiSec Hackers Post 1 Million Apple Device IDs
I have to agree with N5RMJ that I have also not heard of any actual matches, but nonetheless it still would be quite the breach. It makes sense that the FBI would deny the claim, seeing as how it would bring the question of how the laptop was accessed. The irony that it was the supervisor of the FBI's Regional Cyber ActionTeam did bring a chuckle out of me. That would suck on the other hand if your information was released out there without your consent.

Paul Sprague
InformationWeek Contributor

N5RMJ, User Rank: Apprentice, 9/5/2012 | 12:46:36 AM
re: AntiSec Hackers Post 1 Million Apple Device IDs
You know, lots of folks name their wireless networks "FBI's iPhone," "FBI van#2," and "FBI Surveillance." Those are some of the most common SSIDs in use in the USA. The idea that the FBI would actually use something like that (or even broadcast an SSID, for that matter) is rather silly.

See http://f3v3r.com/2012/01/19/na...

I have not yet heard of any confirmed matches between the published list and real iOS devices so I am not convinced that this data breach is even real at this point.

kamikrazee, User Rank: Apprentice, 9/4/2012 | 8:36:29 PM
re: AntiSec Hackers Post 1 Million Apple Device IDs
It wouldn't surprise me if one were not an active collaborator with the other in an effort to keep an eye on the proletariat masses. The question is who is collaborating with whom?