Slashdot Mirror

← Back to Stories (view on slashdot.org)

Anonymous Leaks 1M Apple Device UDIDs

Posted by timothy on from the don't-forget-the-one dept.

Orome1 writes "A file containing a million and one record sets containing Apple Unique Device Identifiers (UDIDs) and some other general information about the devices has been made available online by Anonymous hackers following an alleged breach of an FBI computer. 'During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java,' the hackers claim." Update: 09/04 13:44 GMT by T : A piece at SlashCloud points out that if the leak is genuine, this raises some sticky questions about privacy and security; in particular: "[H]ow did the agency obtain said information, and to what purpose? Why did all that personal data reside on the laptop of one special agent?"

21 of 282 comments (clear)

  1. So is apple... by santax · · Score: 4, Interesting

    Going to explain why they gave all the UID of their devices to the FBI?

    1. Re:So is apple... by h4rr4r · · Score: 5, Insightful

      Why is that more likely?
      You think if the FBI asks Apple or AT&T won't cough up such a list?

    2. Re:So is apple... by ATMAvatar · · Score: 5, Insightful

      Yes, that seems like the larger issue here. What purpose does the FBI Cyber Action team have with 12M Apple UUIDs (from TFA: of which only 1M was leaked so far)?

      This actually seems like a care of actual well-meaning hacktivism, as the purpose here is to inform users they are being tracked. It is only a matter of time before the remaining UUIDs are released. Unfortunately, most people have little more tech savvy than a newborn, so it is unlikely many people will even know how to compare their device to the list even if they care to do so.

      The best we can hope for is that more of them wake up to the large-scale surveillance being undertaken and the abuse of power it represents. I wish I could be optimistic, but I know better by now.

      --
      "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
    3. Re:So is apple... by Dan+East · · Score: 4, Insightful

      The problem is that although Anonymous does have a list of Apple IDs (which I doubt has been verified yet), they don't have hard evidence attributing them to an FBI source. We have to just take their word on that one, unless the FBI admits to the breach.

      --
      Better known as 318230.
    4. Re:So is apple... by h4rr4r · · Score: 4, Insightful

      The fact that it is facebook?

      Facebook exists for basically this sort of thing. Tracking devices or not, anything you post to it you should consider public knowledge. Sure you have privacy settings, which do not apply to the three letter agencies. At some point they may not apply to anyone.

      I am not saying don't use it, but consider anything you say on facebook the same as printing it on a billboard.

    5. Re:So is apple... by GNious · · Score: 4, Funny

      So Apple can now drag both the FBI and Anonymous to court over copyright infringement? Nice ...

      1 million UIDs, value at [price of iPad or iPhone], should be pretty nice income for Apple's legal department.

    6. Re:So is apple... by Sique · · Score: 4, Interesting

      Regulation does imply a more powerful goverment. If someone runs afoul the regulation, the government steps in and hands out punitive fees, prison time or exclusion from government contracts. This amounts to actively reign into formerly autonomous business processes or personal decisions.
      Each regulation gives the government more power. Before the regulation, the government had no right to interfere. Regulation gives the right to the government. And each additional regulation forces the government to actively administer the regulation, and thus to add governmental jobs.
      There is no point in regulation if there is no one to enforce it.

      --
      .sig: Sique *sigh*
    7. Re:So is apple... by Rob+the+Bold · · Score: 4, Insightful

      I think you do not understand the separation of powers: legislative power (congress) would make a law prohibiting collecting arbitrary data about individual citizens without reason and companies to provide them that information without due process. Executive power (government) is not allowed to subvert that law.

      There isn't much bi-partisan common ground in the US. But on the subject of Congress being unwilling and/or unable to prevent the Executive Branch from violating laws in such areas as arrest, detention, search, seizure and privacy, the parties are of one mind. There are perhaps a handful of Senators and Representatives willing to speak up about it, but even they're too scared to actually point fingers and name names.

      --
      I am not a crackpot.
    8. Re:So is apple... by cdrguru · · Score: 5, Informative

      The UDID is not related to encryption on iDevices. Knowing the UDID will not help unlock a device if you have it.

      The original function of the UDID was to allow stateless connections (like HTTP) to be able to coordinate sessions with the same device. Thus, you ask for something and cell data connection drops. The device connects back up and gets the response and everyone knows they are still talking to the same device. However, Apple has seen too many applications use this in inappropriate ways and has come out officially saying the API to retrieve it may be retired shortly.

      There are other ways to make sure you are talking to the same device consistently and one thing that Apple wants is multiple device transparency when one account is involved. So I can make a request on my iPhone and retrieve the results on my iPad as well as having 100% of the data shared between the devices. The UDID isn't conducive to that at all.

      So there are likely apps out there that have collected massive UDID databases... but have no idea what to do with the information. It is not externally visible. It could be used to do various types of tracking but mostly your app author isn't all that interested. I have no idea what the FBI might do with a database of maybe 1% of the iDevices out there but it isn't all that useful.

      Forensic software for iDevices exists and much of it will work on locked devices. It will not decrypt otherwise encrypted data that is stored by applications in an encrypted form, but that is actually pretty rare. And again, having the UDID before you plug the device in is of no value and once you do plug it in, you have the UDID. So if an iPhone is confiscated by some law enforcement agency, they probably have access to the "right" software for dumping out the contents of the phone. Completely. If they are really up on things, they may have a portable device which will image the phone in minutes in the field. Your ability with an iPhone or Android phone to keep things out of law enforcement hands is (today) approximately zero. This was not previously the case but all the latest high-end cell phone forensic tools handle iDevices just fine.

      An encrypted Blackberry remains a device that cannot be successfully examined - I believe you can get an image from the device but it is encrypted at a level that makes cracking the encryption unlikely. Once the device has been imaged, I believe trying selected passwords is possible without the "10 wrong guesses wipes the device" problem. But still, for the most part an encrypted Blackberry is secure. Any Blackberry device can be encrypted, BIS or BES, but it is sufficiently troublesome that only people required to do so - because of a BES profile - are going to do it. You can bet government Blackberries are set with the profile requiring encryption. The encryption is part of the device locking which then requires a password (text) to unlock and access the device.

    9. Re:So is apple... by BlueStrat · · Score: 5, Funny

      From the article I read the laptop was owned by the agent not the FBI which raises a whole pant load of other questions.

      No, it's actually quite simple.

      The agent was in the process of collecting data, etc for the purpose of starting his own FBI.

      With blackjack.

      And hookers.

      But the Secret Service got mad because blackjack & hookers were their gig, and so they hacked this FBI agent's computer and released the data to Anonymous.

      The SS doesn't want to have their agents blow into town only to find all the blackjack and hookers are already booked solid by these new-FBI agents.

      Strat

      --
      Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
    10. Re:So is apple... by anagama · · Score: 4, Interesting

      And then there is the judicial branch, which rolls over and asks the Feds to scratch its tummy at any mention of the State Secrets Doctrine.

      There's a whole sordid history to the State Secrets Doctrine involving the deaths of three geeks in a military plane in the 50s and the Air Force covering up its negligence by claiming it would harm national security if an accident report was released. Decades later that accident report was declassified and showed nothing of any national security import -- just some lousy maintenance on the plane and failure to make manufacturer recommended upgrades. Had the widows been allowed to have it, they would have likely done well at trial. Anyway, keeping it secret enabled the Air Force to short change the widows by settling the case cheap.

      http://www.thisamericanlife.org/radio-archives/episode/383/origin-story?act=2#play

      Oh yeah, and Obama is the worst offender in applying the state secrets doctrine. Just search for obama state secrets doctrine --- the examples are ridiculously numerous for one who promised openness in government.

      --
      What changed under Obama? Nothing Good
    11. Re:So is apple... by ToastedRhino · · Score: 5, Informative

      What in the world are you even talking about? They didn't log "GPS Coordinates" and the logs that people did get all upset about that contained information about cell tower locations were stored on you phone and in the backups on your computer. That's not exactly "publicly accessible."

      And you're confused about the ad thing. You can turn off location (GPS) based ads right on the device. Just to to Settings --> Location Services --> System Services and toggle "Location-Based iAds" to Off. You DO have to go to a website to opt out of interest-based ads from iAd, but this is no different than any other ad company.

      And you are aware that iOS has supported complex passwords (i.e., any combination of letters, numbers, and special characters that you'd like) since iOS 4.0 which came out in June of 2010, right?

      So basically not a single thing that you said is true.

  2. udid by watice · · Score: 5, Interesting

    UDID's aren't allowed to be used by apple anymore. Well maybe not disallowed but strongly discouraged, & depreciated in ios5, as far as I can tell.

  3. catchy job title by Anonymous Coward · · Score: 5, Funny

    > Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team

    This guy must have business cards 2 feet wide.

  4. FS by Altanar · · Score: 5, Funny

    Eh, if the FBI wants to know where I am at all times, they can follow me on Foursquare like everyone else.

  5. Re:And the use of a UDID? by vlm · · Score: 5, Informative

    So what can you do with an Apple UDID?

    Yeah that's a good question. As to what a UDID is:

    http://theiphonewiki.com/wiki/index.php?title=UDID

    UDID = SHA1(serial + IMEI + wifiMac + bluetoothMac)

    So its not much more than a checksum of the serial num and the various RF ids. So given 5 pieces of information, the UDID is what amounts to a checksum of the other 4 parts proving that row of the database has no errors.

    What it is, does not superficially seem to help much with what they do with it, but maybe it helps a little in isolating what it isn't (it isn't, for example, the itunes CC number for the account, or the owners SS number, so there's no point discussing those type of issues)

    --
    "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
  6. Re:How to lose friends and not infuence anyone by h4rr4r · · Score: 5, Informative

    Linus Torvalds used a macbook pro with linux last I checked. Is he not a geek?

  7. Everything is in place for Big Brother to step in by dna_(c)(tm)(r) · · Score: 4, Interesting

    Review the permissions of the app. It can read and write contact information and it can take pictures and video, access phone state and identity, determine your location and record audio. At any time. Anybody actually read 1984? But at least Android tells you about it.

  8. "... on the laptop of one special agent?" Har har. by walter_f · · Score: 4, Insightful

    "Why did all that personal data reside on the laptop of one special agent?"

    Probably it didn't and doesn't.
    Reside on the laptop of *just one* special agent, that is.

    Whenever one of these special agents gets something particular from the boss, all the others want that, too.

  9. Re:So which application? by Anubis+IV · · Score: 5, Interesting

    The current theory (as mentioned by Marco Arment) is that it may be from AllClear ID's iOS app, given that AllClear officially joined the NCFTA in the second week of March. Since the leaked file's name had NCFTA in it, it's pretty clear that it came from the NCFTA, and it would make sense that AllClear would have started providing some data prior to when they actually announced they had joined, so that may explain (but certainly not justify) why someone had something like that on their desktop on the week of the attack.

    If AllClear is indeed the source, that would be some rather delightful irony, given that they would be directly responsible for causing more damage to their customers than they will ever likely prevent.

    Also, if AllClear sounds familiar, it may be because they were the the company providing a year of free identity theft protection to Sony customers after the hacks last year that compromised millions of PSN accounts.

  10. Re:My Reaction by DVega · · Score: 5, Informative

    When the IQ tests were created, they did not evaluate every single individual, just a small sample. So it is fair to say that the average IQ of the population is near 100, but not exactly 100.

    --
    MOD THE CHILD UP!