Risk
9/10/2012
01:21 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Apple Device ID Leak Traced To BlueToad

Stolen IDs did not come from FBI, as claimed by AntiSec, but from a Florida-based app publisher that issued an apology and said it is no longer collecting UDID data.

The source of the database containing a million Apple device identifiers that was published online last week by hacking group AntiSec was identified on Monday as BlueToad, an app publisher and analytics provider based in Orlando, Florida.

AntiSec said it had obtained the database from the FBI, which subsequently disputed that claim.

Security researcher David Schuetz, who works for the Intrepidus Group, says he identified BlueToad from patterns in the database itself.

In a blog post published on Monday, he explains how he sorted the data, identified some 15,000 duplicated UDID numbers and then linked some of those numbers to BlueToad.

[ For more background on the Apple UDID leak, read FBI, AntiSec Spar On Apple IDs. ]

Schuetz found names in the database that were shared by BlueToad employees and also discovered passwords from the company that had been leaked online. "While searching, I stumbled on a partial password dump for the company!" he noted in his blog post. "And it was dated March 14, the same week that the hackers claimed they'd hacked into the FBI computer."

Last Wednesday, in response to queries, Hutch Hicken, BlueToad's CIO, contacted Schuetz and the company began working on a response. On Monday, CEO Paul DeHart acknowledged that Blue Toad's systems had been compromised last week and that the list of Apple UDIDs came from its servers.

"We have fixed the vulnerability and are working around the clock to ensure that a security breach doesn't happen again," DeHart said in a blog post. "In doing so, we have engaged an independent and nationally-recognized security assurance company to assist in our ongoing efforts. We sincerely apologize to our partners, clients, publishers, employees and users of our apps."

DeHart claims that BlueToad does not collect sensitive personal information like credit card or social security numbers, and that the company, following Apple's recommendation earlier this year, modified its app code base to stop the reporting of UDID numbers. And now, he says, BlueToad has stopped storing UDID data sent to its servers by apps that have not yet incorporated BlueToad's new analytics code.

UDIDs are numbers used to uniquely identify iOS devices. The privacy implications of UDIDs were raised in news reports and lawsuits in 2010 and onward, and Apple has since designated the UDID API for discontinuation (through Apple itself may still choose to use UDIDs for its software). iOS devices have other identifiers like a serial number, and those with radio circuitry have other identifiers, such as International Mobile Equipment Identity (IMEI), Integrated Circuit Card ID (ICCID), or Mobile Equipment Identifier (MEID). Generally, these are not available to developers if they follow Apple's rules.

UDID numbers may not in and of themselves be considered personal information under privacy laws, but security researcher Aldo Cortesi has shown that they can be de-anonymized and linked to usernames, email addresses, GPS locations, and even Facebook profiles.

Back in 2006, when AOL released data on 20 million search queries, researchers were similarly able to connect the dots and identify people from anonymous information. The BlueToad breach underscores the fact that even seemingly anonymous information can pose a privacy risk.

When it comes to the battle against distributed denial-of-service attacks, you're not alone. With the increasing use of third-party service providers, your organization likely has a huge arsenal of bandwidth and know-how at its disposal. In our Using Service Providers To Manage DDoS Threats report, find out how to effectively marshal the resources among your providers and integrate them with your own security measures into a strategic and comprehensive DDoS protection plan. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
PJS880
50%
50%
PJS880,
User Rank: Ninja
9/15/2012 | 9:34:38 PM
re: Apple Device ID Leak Traced To BlueToad
I thought it was quite ironic that the FBI Supervisor would let his computer be compromised. I wonder why AntiSec would claim that, possibly for more publicity. The group probably would have got away with the claim, maybe I fit wasn't so bold as to antagonize investigation. David Scheutz has a remarkable eye for detail by picking up on the pattern of his companies work. I have an Apple product and would not be happy in the least had my UDID was publicly released. It makes sense that Blue Toads would hire a security insurance company to make a public statement that they are addressing the issue, and in hopes to gain back some sort of trust from their customers.

Paul Sprague
InformationWeek Contributor
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2208
Published: 2014-12-28
CRLF injection vulnerability in the LightProcess protocol implementation in hphp/util/light-process.cpp in Facebook HipHop Virtual Machine (HHVM) before 2.4.2 allows remote attackers to execute arbitrary commands by entering a \n (newline) character before the end of a string.

CVE-2014-2209
Published: 2014-12-28
Facebook HipHop Virtual Machine (HHVM) before 3.1.0 does not drop supplemental group memberships within hphp/util/capability.cpp and hphp/util/light-process.cpp, which allows remote attackers to bypass intended access restrictions by leveraging group permissions for a file or directory.

CVE-2014-5386
Published: 2014-12-28
The mcrypt_create_iv function in hphp/runtime/ext/mcrypt/ext_mcrypt.cpp in Facebook HipHop Virtual Machine (HHVM) before 3.3.0 does not seed the random number generator, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by leveraging the use of a single initial...

CVE-2014-6228
Published: 2014-12-28
Integer overflow in the string_chunk_split function in hphp/runtime/base/zend-string.cpp in Facebook HipHop Virtual Machine (HHVM) before 3.3.0 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via crafted arguments to the chunk_split ...

CVE-2014-6229
Published: 2014-12-28
The HashContext class in hphp/runtime/ext/ext_hash.cpp in Facebook HipHop Virtual Machine (HHVM) before 3.3.0 incorrectly expects that a certain key string uses '\0' for termination, which allows remote attackers to obtain sensitive information by leveraging read access beyond the end of the string,...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.