Attacks/Breaches
9/4/2012
03:55 PM

Anonymous Dumps More Than One Million Apple iPhone, iPad Device IDs

'AntiSec' operatives claim to have hacked an FBI agent's computer, grabbing 12 million-plus Apple iOS UDIDs -- but there's no reason to panic, experts say

Anonymous' AntiSec operation appears to be back in action: yesterday it dumped online more than 1 million unique device identifiers (UDIDs) from Apple iOS devices that the group says were stored on an FBI agent's laptop it had hacked.

Some users -- including a security expert -- say their UDIDs were among those exposed by the group of hackers. The hackers claim the FBI has more than 12 million of these iOS IDs in all, and that they were able to steal a file that contained UDIDs, user names, device names, Apple Push Notification Service tokens, Zip codes, cell phone numbers, addresses, and other personal information, as well. Their online posting includes UDIDs and some device names.

Peter Kruse, partner and security specialist with CSIS, says three of his five iOS devices were among the UDIDs in the Anonymous data dump. "The only thing I can say for sure at the moment is that three out of five of my 'iDevices' are found in the leaked data. I checked the UDID and the device names, and they match, so I assume this leak is very real," Kruse says.

UPDATE: In a tweet late today, the FBI press office said reports that one of its laptops had been hacked aren't true: "Statement soon on reports that one of our laptops with personal info was hacked. We never had info in question. Bottom Line: TOTALLY FALSE," the press office said via its Twitter feed.

"At this time, there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data," according to a statement issued by the FBI.

The hackers said in a Pastebin post yesterday that the laptop of supervisor special agent Christopher K. Stangl was breached via a Java attack in early March of this year.

"During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team, was breached using the AtomicReferenceArray vulnerability in Java. During the shell session some files were downloaded from his Desktop folder; one of them, named 'NCFTA_iOS_devices_intel.csv', turned out to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zip codes, cellphone numbers, addresses, etc. The personal-details fields referring to people appear many times empty, leaving the whole list incomplete in many parts. No other file in the same folder makes mention of this list or its purpose," the Pastebin post says.

Robert Graham, CEO of Errata Security, says the hackers probably pilfered the information from an iOS app developer, since UDIDs are designed for app developers rather than users. They aren't a "user thing," he says. But it's not out of the realm of possibility that the group of hackers compromised an FBI laptop, he says.

Graham points out that the alleged breach occurred one month after members of Anonymous in February snuck onto an FBI conference call after intercepting an email that included the dial-in and codes for the call. "They were able to hack the conference call because they'd intercepted the announcement e-mail. This e-mail was also published. That e-mail was sent directly to all 40 agents, which means their e-mail addresses were all exposed. That means every hacker on the Internet now has a list of the 40 officers in charge of hunting down LulzSec," Graham wrote in a blog post today.


Meanwhile, the good news is that a UDID alone isn't very valuable to an attacker. "It's not like a big password dump," Graham told Dark Reading. The attackers appear more interested in proving they had the information than in exposing the victim devices, he says. "UDIDs [alone] are not a big deal. If you also have an email with it, you could do some phishing," Graham adds.

CSIS' Kruse concurs. "If the statement associated with this leak is real, you can combine this data together with ... unique user [information, which,] from a privacy point of view, is a total nightmare. However, I have not seen the additional data, which should include full name, addresses, phone number," he says.

Rob Rachwald, director of security for Imperva, confirms that the agent mentioned in the Pastebin post is real. "He's a known recruiter in the FBI focused on getting white [hat] hackers to work for the feds," Rachwald said in a blog post today, and noted that the dumped data looks authentic as well.

"If the hackers have what they claim, they may be able to cross reference the breached data to monitor a user's online activity -- possibly even a user's location. To be clear, the released database is sanitized so you cannot perform this type of surveillance today. But with the full information that hackers claim to have, someone can perform this type of surveillance. This implies that the FBI can track Apple users," Rachwald said.
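Graham's and Rachwald's points (a bare UDID is of little value; it is the personal fields alongside it that create the privacy problem) can be turned into a self-check of the kind Kruse describes. The Python below is an added example, not code from the article, from the hackers, or from any of the companies quoted. The column order, the token and name formats, and the sample rows are all assumptions: the Pastebin post lists the fields but the article does not give the actual layout of NCFTA_iOS_devices_intel.csv, and the rows here are constructed, not leaked data. The script parses rows in that assumed layout, classifies each record by how much it exposes beyond the UDID, counts which personal fields are actually populated (the post notes many are empty), and lets a device owner check whether their own UDIDs appear.

```python
import csv
import io
import re
from collections import Counter

# Column layout is an assumption derived from the fields the Pastebin post
# lists; the article does not give the real layout of
# NCFTA_iOS_devices_intel.csv.
FIELDS = ["udid", "apns_token", "device_name", "device_type",
          "user_name", "zip", "phone", "address"]
PII_FIELDS = ["user_name", "zip", "phone", "address"]

# A UDID is a 40-character hexadecimal string.
UDID_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample rows (not leaked data): one fully populated record, one
# with device metadata only, one bare UDID, and one malformed line.
SAMPLE_CSV = """\
0123456789abcdef0123456789abcdef01234567,apnstoken-a,Alice's iPhone,iPhone,alice,10001,212-555-0100,1 Main St
FEDCBA9876543210FEDCBA9876543210FEDCBA98,apnstoken-b,Bob's iPad,iPad,,,,
00112233445566778899aabbccddeeff00112233
deadbeef,apnstoken-c,Not a real UDID,iPod
"""


def is_udid(value):
    """True if value has the 40-hex-digit shape of an iOS UDID."""
    return bool(UDID_RE.match(value.strip().lower()))


def parse_dump(text):
    """Parse dump rows into dicts keyed by FIELDS, skipping malformed rows."""
    records = []
    for row in csv.reader(io.StringIO(text)):
        if not row or not is_udid(row[0]):
            continue  # blank line, or no well-formed UDID in the first column
        # Pad short rows so every record carries every field (zip truncates long ones).
        row = [v.strip() for v in row] + [""] * (len(FIELDS) - len(row))
        rec = dict(zip(FIELDS, row))
        rec["udid"] = rec["udid"].lower()  # normalise case for comparison
        records.append(rec)
    return records


def exposure_class(rec):
    """Classify one record by how much more than a bare UDID it exposes."""
    if any(rec[f] for f in PII_FIELDS):
        return "pii"          # identity data present: the real privacy impact
    if rec["apns_token"] or rec["device_name"]:
        return "device_only"  # identifier plus device metadata
    return "udid_only"        # a UDID by itself is of little use to anyone


def exposure_summary(records):
    """Count records per exposure class and per populated personal field."""
    classes = Counter(exposure_class(r) for r in records)
    pii_fields = Counter(f for r in records for f in PII_FIELDS if r[f])
    return {"classes": dict(classes), "pii_fields": dict(pii_fields)}


def find_my_devices(records, my_udids):
    """Return (udid, device_name) for the caller's own UDIDs found in the dump."""
    mine = {u.strip().lower() for u in my_udids if is_udid(u)}
    return [(r["udid"], r["device_name"]) for r in records if r["udid"] in mine]


if __name__ == "__main__":
    recs = parse_dump(SAMPLE_CSV)
    print(exposure_summary(recs))
    # A device owner pastes the UDIDs shown in iTunes/Xcode for their own devices.
    print(find_my_devices(recs, ["FEDCBA9876543210FEDCBA9876543210FEDCBA98"]))
```

The summary is what a privacy assessment needs: the share of records in the "pii" class is the population actually exposed to the cross-referencing Rachwald describes, while "udid_only" records carry the low-value identifier Graham dismisses. Matching is done on a normalised lower-case UDID so that a value copied from a device settings screen compares correctly.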

The AntiSec hackers noted in their post that they wanted to expose the FBI for "a tracking people project," and criticized Apple's UDIDs. "We never liked the concept of UDIDs since the beginning indeed. Really bad decision from Apple. fishy thingie," they said.

So if your UDID was on the list, what should you do? "You can always panic," quips Errata's Graham. "After that, there's nothing more to do."

Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ...
