Alleged Apple UDID Hack Raises Potential Privacy Questions for FBI

by | September 4, 2012

Hackers have allegedly stolen millions of Apple UDIDs from an FBI laptop, raising some potentially uncomfortable questions about privacy.

It could turn out to be a very bad week for Apple and the FBI.

On Sept. 4, news began to circulate around the Web that hackers associated with AntiSec had stolen more than 12 million Apple Unique Device Identifiers (UDIDs) for iOS devices from an FBI agent’s laptop. In a Sept. 4 posting via Pastebin, those attackers offered download links to what they claimed were 1 million of those IDs, which are linked to individual devices.

“The original file contained around 12,000,000 devices. We decided a million would be enough to release,” read that posting. “We trimmed out other personal data as, full names, cell numbers, addresses, [zip codes], etc.” The writer went on to claim the information came from the Dell Vostro laptop of an FBI agent with the FBI Regional Cyber Action Team and the New York FBI Office Evidence Response Team, “breached using the AtomicReferenceArray vulnerability on Java.”

The rest of the posting features callouts to Syrian rebels, a certain Russian punk-rock group, and various hackers either arrested or killed over the past couple decades.

Are these UDIDs authentic? That’s the question of the hour for pretty much everybody involved. Forbes writer Andy Greenberg, who covers data security and hacker culture, downloaded the file and poked around a bit:

“While there’s no easy way to confirm the authenticity or the source of the released data, I downloaded the encrypted file and decrypted it, and it does seem to be an enormous list of 40-character strings made up of numbers and the letters A through F, just like Apple UDIDs. Each string is accompanied by a longer collection of characters that Anonymous says is an Apple Push Notification token and what appears to be a username and an indication as to whether the UDID is attached to an iPad, iPhone or iPod touch.”

Meanwhile, TheNextWeb is offering a way to check whether one’s UDID ended up released by AntiSec. “Just input your UDID/UUID into the form and we’ll run it against the database,” the publication posted Sept. 4. “Of course, TNW won’t store your identifier.” Which is more than could be said for the FBI, if the information about the hack turns out to be true.

If the FBI is truly storing UDIDs, that raises some interesting privacy questions. First, how did the agency obtain said information, and to what purpose? Why did all that personal data reside on the laptop of one special agent?

So far, the FBI has not issued an official response to the alleged leak. Apple had already started phasing out apps that relied on UDIDs to track users, reportedly because of privacy concerns; this hack could drive it to take additional steps to safeguard that data, especially if millions of Apple users’ personal data ends up spilled all over the Web.

Image: Rob Kints/Shutterstock.com

anonymous 152 pts

Florida-based web publishing and analytics company BlueToad claims that the UDID info was stolen from their databases much more recently than the hack date that AntiSec claims. It's even less certain now that the data came from the FBI.

http://www.washingtonpost.com/business/technology/publisher-says-udid-hack-matches-data-anonymous-claims-attack-on-godaddy/2012/09/10/eb3d5bc4-fb6e-11e1-b153-218509a954e1_story.html

TonyMillion 5 pts

The APNS token can be used by Apple to track which specific app / webservice this list came from. Because every APNS token is unique, they can take ONE token and find out.

grouchomarxist 5 pts

FBI response (http://edition.cnn.com/2012/09/04/tech/web/fbi-apple-id-hack/index.html?hpt=hp_t3):

"The FBI is aware of published reports alleging that an FBI laptop was compromised and private data regarding Apple UDIDs (unique device IDs) was exposed," according to an FBI spokesperson. "At this time there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data."

anonymous 152 pts

Just to clarify. The original file ANONYMOUS downloaded had everything about the user. Their full UUID, full NAME, ADDRESS, PHONE NUMBER. So the government is data mining your info and correlating to cases they are working on. For example, a gang robs a bunch of people. Said gang steals iPhones. LEO looks up data on iPhones. Then requests ping requests from AT&T. LEO then correlates where gang is.

anonymous 152 pts

I thought that the notification tokens were different for each application that used notifications? Perhaps they could be different, but they are not? Or maybe these are the iMessage APN tokens?

The FBI has the authority to track any message that enters or leaves the USA. So perhaps these are 'just' those phones?

Basically, since all notifications for iPhones go through Apple in the US, any iMessage sent from outside the US is tracked and recorded.

anonymous 152 pts

That "username" isn't. It is obviously the device-name as it would appear in iTunes. That coincidentally could have the original user's name in there. But it's not a username.