Anonymous Leaks 1M Apple Device UDIDs

← Back to Stories (view on slashdot.org)

Anonymous Leaks 1M Apple Device UDIDs

Posted by timothy on Tuesday September 4, 2012 @12:49AM from the don't-forget-the-one dept.

Orome1 writes "A file containing a million and one record sets containing Apple Unique Device Identifiers (UDIDs) and some other general information about the devices has been made available online by Anonymous hackers following an alleged breach of an FBI computer. 'During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java,' the hackers claim." Update: 09/04 13:44 GMT by T : A piece at SlashCloud points out that if the leak is genuine, this raises some sticky questions about privacy and security; in particular: "[H]ow did the agency obtain said information, and to what purpose? Why did all that personal data reside on the laptop of one special agent?"

35 of 282 comments (clear)

So is apple... by santax · 2012-09-04 00:51 · Score: 4, Interesting

Going to explain why they gave all the UID of their devices to the FBI?
1. Re:So is apple... by h4rr4r · 2012-09-04 00:56 · Score: 5, Insightful
  
  Why is that more likely?
  You think if the FBI asks Apple or AT&T won't cough up such a list?
2. Re:So is apple... by ATMAvatar · 2012-09-04 01:01 · Score: 5, Insightful
  
  Yes, that seems like the larger issue here. What purpose does the FBI Cyber Action team have with 12M Apple UUIDs (from TFA: of which only 1M was leaked so far)?
  This actually seems like a care of actual well-meaning hacktivism, as the purpose here is to inform users they are being tracked. It is only a matter of time before the remaining UUIDs are released. Unfortunately, most people have little more tech savvy than a newborn, so it is unlikely many people will even know how to compare their device to the list even if they care to do so.
  The best we can hope for is that more of them wake up to the large-scale surveillance being undertaken and the abuse of power it represents. I wish I could be optimistic, but I know better by now.
  
  --
  "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
3. Re:So is apple... by __aaltlg1547 · 2012-09-04 01:06 · Score: 3, Insightful
  
  From that comment I gather that you believe an anonymous person who claims to be a hacker who claims to have gotten what he claims is Apple UDIDs from what he claims was an FBI computer.
4. Re:So is apple... by h4rr4r · 2012-09-04 01:16 · Score: 3, Insightful
  
  Oh please, all the big boys play this game. Any major firm is not going to do anything other than send a bill when any three letter agency asks for data. Nothing to do with favors, just typical amoral corporate behavior that we need to regulate against.
5. Re:So is apple... by gandhi_2 · 2012-09-04 01:25 · Score: 3, Funny
  
  I'm more interested in why a high-budget outfit like the FBI is buying Vostros!
  
  --
  THL phish sticks
6. Re:So is apple... by Dan+East · 2012-09-04 01:26 · Score: 4, Insightful
  
  The problem is that although Anonymous does have a list of Apple IDs (which I doubt has been verified yet), they don't have hard evidence attributing them to an FBI source. We have to just take their word on that one, unless the FBI admits to the breach.
  
  --
  Better known as 318230.
7. Re:So is apple... by gandhi_2 · 2012-09-04 01:29 · Score: 3, Insightful
  
  We need government rules against a company cooperating with the government?
  On one hand you argue for regulation, which is more powerful government. On the other hand, you bemoan the government using any power.
  Companies and governments don't go to heaven. They don't act morally or amorally. They just do what is necessary to get thru the day.
  
  --
  THL phish sticks
8. Re:So is apple... by h4rr4r · 2012-09-04 01:37 · Score: 4, Insightful
  
  The fact that it is facebook?
  Facebook exists for basically this sort of thing. Tracking devices or not, anything you post to it you should consider public knowledge. Sure you have privacy settings, which do not apply to the three letter agencies. At some point they may not apply to anyone.
  I am not saying don't use it, but consider anything you say on facebook the same as printing it on a billboard.
9. Re:So is apple... by GNious · 2012-09-04 02:09 · Score: 4, Funny
  
  So Apple can now drag both the FBI and Anonymous to court over copyright infringement? Nice ...
  1 million UIDs, value at [price of iPad or iPhone], should be pretty nice income for Apple's legal department.
10. Re:So is apple... by ToastedRhino · 2012-09-04 02:17 · Score: 3, Informative
  
  Not sure why you think this. If you have access to an iPhone backup (encrypted or not) you almost certainly have access to the UDID already since backups are store (on OS X) in ~/Library/Application Support/MobileSync/Backup/[iPhone UDID]/[Actual Data]
  (It's similar on Windows in that it also includes the UDID in the folder name, but I don't know the full path off the top of my head.)
  Anyone getting to the actual data would be able to see the UDID in the folder name that contains the data.
  Also, let's not forget that before iOS 5 developers were able to use UDIDs as identifiers when apps were downloaded. So lots and lots of developers have this same information on lots and lots of users in databases of their own. In my mind, it seems pretty ridiculous to think that Apple would have given developers carte blanche to collect information that is an integral part of the phone's encryption protocol.
  That's not to say this isn't a privacy problem, but I don't think it could affect the strength of the encryption on or off the phone in any ways, shape, or form.
11. Re:So is apple... by Sique · 2012-09-04 02:28 · Score: 4, Interesting
  
  Regulation does imply a more powerful goverment. If someone runs afoul the regulation, the government steps in and hands out punitive fees, prison time or exclusion from government contracts. This amounts to actively reign into formerly autonomous business processes or personal decisions.
  Each regulation gives the government more power. Before the regulation, the government had no right to interfere. Regulation gives the right to the government. And each additional regulation forces the government to actively administer the regulation, and thus to add governmental jobs.
  There is no point in regulation if there is no one to enforce it.
  
  --
  .sig: Sique *sigh*
12. Re:So is apple... by Rob+the+Bold · 2012-09-04 02:45 · Score: 4, Insightful
  
  I think you do not understand the separation of powers: legislative power (congress) would make a law prohibiting collecting arbitrary data about individual citizens without reason and companies to provide them that information without due process. Executive power (government) is not allowed to subvert that law.
  There isn't much bi-partisan common ground in the US. But on the subject of Congress being unwilling and/or unable to prevent the Executive Branch from violating laws in such areas as arrest, detention, search, seizure and privacy, the parties are of one mind. There are perhaps a handful of Senators and Representatives willing to speak up about it, but even they're too scared to actually point fingers and name names.
  
  --
  I am not a crackpot.
13. Re:So is apple... by cdrguru · 2012-09-04 03:12 · Score: 5, Informative
  
  The UDID is not related to encryption on iDevices. Knowing the UDID will not help unlock a device if you have it.
  The original function of the UDID was to allow stateless connections (like HTTP) to be able to coordinate sessions with the same device. Thus, you ask for something and cell data connection drops. The device connects back up and gets the response and everyone knows they are still talking to the same device. However, Apple has seen too many applications use this in inappropriate ways and has come out officially saying the API to retrieve it may be retired shortly.
  There are other ways to make sure you are talking to the same device consistently and one thing that Apple wants is multiple device transparency when one account is involved. So I can make a request on my iPhone and retrieve the results on my iPad as well as having 100% of the data shared between the devices. The UDID isn't conducive to that at all.
  So there are likely apps out there that have collected massive UDID databases... but have no idea what to do with the information. It is not externally visible. It could be used to do various types of tracking but mostly your app author isn't all that interested. I have no idea what the FBI might do with a database of maybe 1% of the iDevices out there but it isn't all that useful.
  Forensic software for iDevices exists and much of it will work on locked devices. It will not decrypt otherwise encrypted data that is stored by applications in an encrypted form, but that is actually pretty rare. And again, having the UDID before you plug the device in is of no value and once you do plug it in, you have the UDID. So if an iPhone is confiscated by some law enforcement agency, they probably have access to the "right" software for dumping out the contents of the phone. Completely. If they are really up on things, they may have a portable device which will image the phone in minutes in the field. Your ability with an iPhone or Android phone to keep things out of law enforcement hands is (today) approximately zero. This was not previously the case but all the latest high-end cell phone forensic tools handle iDevices just fine.
  An encrypted Blackberry remains a device that cannot be successfully examined - I believe you can get an image from the device but it is encrypted at a level that makes cracking the encryption unlikely. Once the device has been imaged, I believe trying selected passwords is possible without the "10 wrong guesses wipes the device" problem. But still, for the most part an encrypted Blackberry is secure. Any Blackberry device can be encrypted, BIS or BES, but it is sufficiently troublesome that only people required to do so - because of a BES profile - are going to do it. You can bet government Blackberries are set with the profile requiring encryption. The encryption is part of the device locking which then requires a password (text) to unlock and access the device.
14. Re:So is apple... by ISoldat53 · 2012-09-04 03:16 · Score: 3, Insightful
  
  From the article I read the laptop was owned by the agent not the FBI which raises a whole pant load of other questions.
15. Re:So is apple... by gnasher719 · 2012-09-04 03:34 · Score: 3, Informative
  
  I'd like someone with more specific expertise to follow up on this branch of the thread, but iirc one of those IDs is used to encrypt the data on the ipod/iphone, and is also used to encrypt the data backed up to the computer when synced, if you select to encrypt the backup. (itunes option)
  That's nonsense. Every iOS device has a Unique Device Identifier (UDID), which is used to identify the device and nothing else. Some idiot programmers used it to identify users, which is totally stupid because when you sell a used iOS device, the UDID stays with the device.
  
  UUIDs (Universally Unique Identifiers) on the other hand are created repeatedly. A well-written app that wants to keep track of one user of that app will generate a UUID and store it in the app's preferences. 100 different apps on the same iOS device will create 100 different UUIDs. The good thing for privacy is that you cannot use UUIDs to gather information about a user, because the same UUID will only come up in one context.
  
  Neither are used to encrypt information on an iOS device. (An application _could_ use a UUID that it created to encrypt information, but that would be information coming from that one application).
16. Re:So is apple... by BlueStrat · 2012-09-04 04:29 · Score: 5, Funny
  
  From the article I read the laptop was owned by the agent not the FBI which raises a whole pant load of other questions.
  No, it's actually quite simple.
  The agent was in the process of collecting data, etc for the purpose of starting his own FBI.
  With blackjack.
  And hookers.
  But the Secret Service got mad because blackjack & hookers were their gig, and so they hacked this FBI agent's computer and released the data to Anonymous.
  The SS doesn't want to have their agents blow into town only to find all the blackjack and hookers are already booked solid by these new-FBI agents.
  Strat
  
  --
  Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
17. Re:So is apple... by anagama · 2012-09-04 04:48 · Score: 4, Interesting
  
  And then there is the judicial branch, which rolls over and asks the Feds to scratch its tummy at any mention of the State Secrets Doctrine.
  There's a whole sordid history to the State Secrets Doctrine involving the deaths of three geeks in a military plane in the 50s and the Air Force covering up its negligence by claiming it would harm national security if an accident report was released. Decades later that accident report was declassified and showed nothing of any national security import -- just some lousy maintenance on the plane and failure to make manufacturer recommended upgrades. Had the widows been allowed to have it, they would have likely done well at trial. Anyway, keeping it secret enabled the Air Force to short change the widows by settling the case cheap.
  http://www.thisamericanlife.org/radio-archives/episode/383/origin-story?act=2#play
  Oh yeah, and Obama is the worst offender in applying the state secrets doctrine. Just search for obama state secrets doctrine --- the examples are ridiculously numerous for one who promised openness in government.
  
  --
  What changed under Obama? Nothing Good
18. Re:So is apple... by ToastedRhino · 2012-09-04 05:09 · Score: 5, Informative
  
  What in the world are you even talking about? They didn't log "GPS Coordinates" and the logs that people did get all upset about that contained information about cell tower locations were stored on you phone and in the backups on your computer. That's not exactly "publicly accessible."
  And you're confused about the ad thing. You can turn off location (GPS) based ads right on the device. Just to to Settings --> Location Services --> System Services and toggle "Location-Based iAds" to Off. You DO have to go to a website to opt out of interest-based ads from iAd, but this is no different than any other ad company.
  And you are aware that iOS has supported complex passwords (i.e., any combination of letters, numbers, and special characters that you'd like) since iOS 4.0 which came out in June of 2010, right?
  So basically not a single thing that you said is true.
udid by watice · 2012-09-04 01:05 · Score: 5, Interesting

UDID's aren't allowed to be used by apple anymore. Well maybe not disallowed but strongly discouraged, & depreciated in ios5, as far as I can tell.
catchy job title by Anonymous Coward · 2012-09-04 01:14 · Score: 5, Funny

> Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team
This guy must have business cards 2 feet wide.
Re:And the use of a UDID? by O('_')O_Bush · 2012-09-04 01:15 · Score: 3, Informative

A lot of apps use it, and with one, you could spoof requests using a simulator. It isn't a secure form of identity, but at least a good way to troll.

--
while(1) attack(People.Sandy);
FS by Altanar · 2012-09-04 01:16 · Score: 5, Funny

Eh, if the FBI wants to know where I am at all times, they can follow me on Foursquare like everyone else.
Re:And the use of a UDID? by vlm · 2012-09-04 01:17 · Score: 5, Informative

So what can you do with an Apple UDID?
Yeah that's a good question. As to what a UDID is:
http://theiphonewiki.com/wiki/index.php?title=UDID
UDID = SHA1(serial + IMEI + wifiMac + bluetoothMac)
So its not much more than a checksum of the serial num and the various RF ids. So given 5 pieces of information, the UDID is what amounts to a checksum of the other 4 parts proving that row of the database has no errors.
What it is, does not superficially seem to help much with what they do with it, but maybe it helps a little in isolating what it isn't (it isn't, for example, the itunes CC number for the account, or the owners SS number, so there's no point discussing those type of issues)

--
"Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
Re:How to lose friends and not infuence anyone by h4rr4r · 2012-09-04 01:19 · Score: 5, Informative

Linus Torvalds used a macbook pro with linux last I checked. Is he not a geek?
So which application? by nweaver · 2012-09-04 01:59 · Score: 3, Interesting

It sounds like this is a dump of data from an application vendor to the FBI: Apps have (in the past) used UUID for identification, and the push-notification tokens also suggest application, not apple, as the source.
So which application is responsible?

--
Test your net with Netalyzr
1. Re:So which application? by Anubis+IV · 2012-09-04 03:53 · Score: 5, Interesting
  
  The current theory (as mentioned by Marco Arment) is that it may be from AllClear ID's iOS app, given that AllClear officially joined the NCFTA in the second week of March. Since the leaked file's name had NCFTA in it, it's pretty clear that it came from the NCFTA, and it would make sense that AllClear would have started providing some data prior to when they actually announced they had joined, so that may explain (but certainly not justify) why someone had something like that on their desktop on the week of the attack.
  If AllClear is indeed the source, that would be some rather delightful irony, given that they would be directly responsible for causing more damage to their customers than they will ever likely prevent.
  Also, if AllClear sounds familiar, it may be because they were the the company providing a year of free identity theft protection to Sony customers after the hacks last year that compromised millions of PSN accounts.
Re:My Reaction by icebraining · 2012-09-04 02:01 · Score: 3, Informative

And you're a nice example.

It's because the average IQ is about 100.
It's not "about" 100. It is 100, because that's how they are designed.

When modern IQ tests are devised, the mean (average) score within an age group is set to 100

--
Dilbert RSS feed
Everything is in place for Big Brother to step in by dna_(c)(tm)(r) · 2012-09-04 02:18 · Score: 4, Interesting

Review the permissions of the app. It can read and write contact information and it can take pictures and video, access phone state and identity, determine your location and record audio. At any time. Anybody actually read 1984? But at least Android tells you about it.
"... on the laptop of one special agent?" Har har. by walter_f · 2012-09-04 02:27 · Score: 4, Insightful

"Why did all that personal data reside on the laptop of one special agent?"
Probably it didn't and doesn't.
Reside on the laptop of *just one* special agent, that is.
Whenever one of these special agents gets something particular from the boss, all the others want that, too.
Re:Let's ignore... by craznar · 2012-09-04 02:28 · Score: 3, Insightful

So - why does a cop car need a million bucks worth of Heroin in their boot ?
One option is - they nabbed a criminal.

--
EMail: 0110001101100010010000000110001101110010 0110000101111010011011100110000101110010 0010111001100011011011110110
Re:Everything is in place for Big Brother to step by h4rr4r · 2012-09-04 02:49 · Score: 3

Install CM or an app that lets you block permissions you do not like. You will need to root of course.
Solved question by gmuslera · 2012-09-04 03:19 · Score: 3, Interesting

I suppose that anonymous getting access to FBI computers (and making it public) answers the old question of who watches the watchers.
Re:LOLOLOL by Ash-Fox · 2012-09-04 04:22 · Score: 3, Insightful

Serves you right, walled garden sheep. My computers can only be identified with serials that you'll need root access to read, and they never leave the computer.
That's okay, we already know you are 1153867, we don't need computer serials to identify you.

--
Change is certain; progress is not obligatory.
Re:My Reaction by DVega · 2012-09-04 04:23 · Score: 5, Informative

When the IQ tests were created, they did not evaluate every single individual, just a small sample. So it is fair to say that the average IQ of the population is near 100, but not exactly 100.

--
MOD THE CHILD UP!