Apple Denies FBI Had Access To UDIDs
First time accepted submitter WIn5t0n writes "Just a day after the alleged leak of 12 million Apple UDIDs, both Apple and FBI have denied the story that Anonymous, a global hacking community, gained access to the files by hacking into an FBI laptop through a Java vulnerability. Earlier this morning the FBI claimed that, even though the agent cited in Anonymous's story is an actual FBI operative, neither he nor anyone else in the agency has or has had access to Apple device information. This afternoon Apple followed up on the FBI's statement, with an unidentified Apple representative claiming that, 'The FBI has not requested this information from Apple, nor have we provided it to the FBI or any organization.' It should also be noted that while the hackers claim to have accessed 12 million UDIDs, only 1 million were publicly released. The Apple representative who made the previous statements also said that, 'Apple has replaced the types of identifiers the hackers appear to have gotten and will be discontinuing their use.' Even though neither Anonymous nor the FBI/APPLE will admit where the data actually came from, it does appear that at least some of the leaked UDIDs are legit and can be tied back to current, privately owned devices. So far no information besides the device's UDID, DevToken ID, and device name has been released, however the original hackers claimed that some devices were tied to details as exact as phone numbers and billing addresses."
So Apple says that the FBI doesn't have access to UDIDs but a bunch of script kiddies do? Is this a really poor reflection on the abilities of the FBI or do Apple's PR people have an IQ matching the number of buttons on the magic mouse?
Of course that is what they would say.
You are not allowed to say one way or the other if you have a National Security letter (demand) issued...
Got it. Everybody denies everything. Any chance of this being subjected to any form of toothful scrutiny?
but the point is still the same.
So what types of identifiers do they use now, and what's the purpose of them anyway?
Is it for advertisers to do behavioral tracking? Can you override/deactivate them?
NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
Someone's not being truthful about all this. Scary that my first thoughts are Apple and the FBI first over anonymous hackers! So they've got a million from /somewhere/ then. If not the FBI, next logical guess would be Apple, where else could they be from? (maybe a carrier? Are they all on the same network I wonder?)
Waiting for an amusing sig.
Anonymous claims to be a bunch of people with like aims and no leadership. So this may be just some person who happened to get hold of the info and published it claiming to be Anonymous or Anti-sec or whomever. The claim that the data came from the FBI is unsupported - proof would be some additional data from the same system such as logs, etc. which have not been produced.
My personal guess is that the most likely source is some social networking site and the guy is saying it's the FBI as some sort of disinformation. It's possible but unlikely that both Apple and the FBI are outright lying about the source. There are all sorts of other possibilities.
It is also possible that your link and many others like it are intentionally written to cast doubt.
http://yro.slashdot.org/story/12/09/05/129217/fbi-denies-it-held-iphone-udids-stolen-by-antisec
It seems that we just can't trust anyone.
Exactly what I'd expect someone who gave millions of unique device identifiers to the FBI to do! They must be guilty!
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
With all the government scrutiny over the FB IPO, perhaps they traded the data collected by their iPhone app, even if this was obtained from a government computer? Possibly some similar scenario with a different company? These IDs could have come from anywhere, any app. Maybe AT&T?
today is spelling optional day.
Is it possible that the hackers generated the UDIDs using a script similar to using a credit card generator to create credit card numbers?
Once you understand the series, patterns, or algorithms, you can self generate these numbers. This is a technique used by hackers to create credit card numbers, Long Distance carrier dialing codes, AT&T calling cards, and Software key generators, albeit they are laced with Trojan Horses.
I am suspicious of the timing of the release of the UDID numbers, two weeks before the iPhone 5 product announcement and two weeks after Samsung loses a court verdict to Apple.
If the Hackers did indeed get real UDID numbers, it would be interesting to find out the percentage breakdown between carriers, models, and whether they are US and/or Foreign.
I am surprised that they did not release all 12 million UDID numbers.
Just for the record, I have an iPhone, an iPad, and several Android Tablets.
The next few weeks will be interesting.
So Apple says that the FBI doesn't have access to UDIDs but a bunch of script kiddies do?
Yes, that's in fact very easy to believe. All it would take is for the script kiddies to break into some server of an app that used UDID's for tracking users logged into an application that transmitted UDID's to the server as a kind of cookie... many developers used to do that, which is why Apple stopped allowing UDID's to be used by developers. It's really easy to believe a script kiddie stumbled on to such a list on some server.
The FBI wouldn't have a list of UDIDs unless they had some kind of official request for them, but then why only 12 million? Why would they be on a laptop instead of back in some server somewhere? I have no doubt the FBI could get such a list if they had a reason to, but really the UDID is of such little use to do anything with why would they?
In the end the thing that makes me doubt the source, the number of devices in the list is pretty small compared to the number of devices around, but is just about right to be the records from some application using the UDID as weak authentication...
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Of course Apple track, log, sell, and divulge information to FBI and anybody else. That came out with the GPS tracking and logging info that was caught being sent back to Apple. Do a data trap on any Apple device and you find a constant stream of data back to their servers. Check files out like consolidated.db and the numerous log files. Let alone the constant chatter between iOS and Apple and the CarrierIQ software previously used for monitoring and logging phone use.
U.S. being U.S. and the FBI being the FBI then nothing is private.
So what types of identifiers do they use now
They don't. Each app has to use its own, that way they are not the same across applications on the same device.
and what's the purpose of them anyway?
Mostly they are useful to permit specific devices to run development builds.
Over time some applications started to use the UDID as a weak kind of authentication, so a user would not have to log in or create an account. That's fine at first, but then you run into the problem if someone sells a device it would seem like the original user to the application.
Some did use it for simple tracking, to try and understand the chain of commands a single user was doing across sessions. I believe some advertising systems did use them also, and then they could use them to track who was the same person across apps... that cannot be done anymore in iOS6.
Can you override/deactivate them?
Before, no. In the new system if you delete an app it should have to regenerate a new unique ID (if it even uses one).
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Sorry guys, this should have been in the original post but somehow (whether by my revisions or another's) it was left out. First of all the Apple representative has been identified as Natalie Kerris. Kerris, while discussing Apple's removal of the UDID, says this, "Additionally, with iOS 6, we introduced a new set of A.P.I.'s meant to replace the use of the U.D.I.D. and will soon be banning the use of U.D.I.D." So currently all devices are still operating with UDIDs, and will continue to do so until the entire program is removed once the GM of iOS 6 is approved and released, probably around early October.
Which is more likely, that these guys were able to break into a specific FBI laptop, or into one of scores of servers that had this kind of list on it?
The simplest answer is they did not get it from the FBI at all, they just want to hurt the FBI by claiming they did. And they have lots of cause to want to screw over the FBI.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Any old fart app can pull the UDID and send it to a central server. It does NOT take much to push an app through, grab yourself some UDIDs, Google the name of some random FBI agent with a very important-sounding title, and attribute everything to your 1337 skillz.
I don't know what's more worrying: the fact that people still can't grasp this concept, or the fact that people take everything AntiSec says as gospel.
This is the third fucking Apple UDID story in 24 hours. Can we please move on to shit that actually matters?
"We didn't give it to them" is not the same as "They couldn't have gotten it." 3rd parties were able to collect UDIDs for a long time, and it's quite easy to believe the FBI could get them from there.
Those who fail to understand communication protocols, are doomed to repeat them over port 80.
That's not the allegation that Apple gave the FBI that information. They never said that Apple gave it over to the FBI. The filename allegedly stolen was NCFTA_iOS_devices_intel.csv, which means it came from the NCFTA, not from Apple.
Why won't they ask Apple if they handed it to the NCFTA or that the NCFTA requested it? Then let's see what they have to say...
Just get a developers account and sell access to Apple beta software - people will have to give you their UDID and pay you money for it.
Of course news about a fake are Fake News.
So you're saying that the FBI probably create an "old fart app"? ;-)
;-)
Googling "Old Fart App" leads to a link with a Google ad as follows:
"Ads by Google:
Government Transformers www.govtransformers.com
Enhance Productivity, Collaboration Moblity, Transparency, & Lower Cost
So are you covertly trying to imply that Google is in on it with Apple?
On a serious note though, just what makes you so determined to divert us from the known fact that the FBI has a history of lying through their teeth? If you read the statement the FBI doesn't even claim they didn't have the data, only that at this time there is no evidence. If I destroyed evidence then I too can truthfully say that at this time there is no evidence. If there was never any data to compromise, wouldn't it be much more accurate and clear to say it is not possible that such an attack occurred?
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
They did not deny that they had this information, they actually denied that it was on any FBI laptops. (Carefully worded to exclude personally owned laptops by FBI officials)
Zing!
So, the FBI says "we didn't have that information". Apple says "The FBI never requested that information from us". Anonymous says "The FBI had the information".
What I'm getting from this:
* You can't trust any of these organizations to be 100% honest, but they all frequently integrate a bit of truth with each lie, so you can't completely disregard what any one of them says.
* Any, and up to two of them concurrently, could be telling the whole truth, but given their individual track records with honesty, you can't take what they're saying at face value.
One possibility is that the FBI did have the information, that they did not go about getting it through "legal" channels, and that Apple did not know that the FBI had the information. Anonymous "liberating" the information could be their way of forcing everybody's hands about dishonesty, government-instigated corporate espionage, and information security on a massive scale.
Another possibility is that the FBI acquired the information via legal channels and that Apple and the FBI don't want to admit it because the social and political repercussions. Again, Anonymous plays the same role as in the above scenario.
Yet another possibility is that Anonymous "acquired" the information from sources other than the FBI and are using it to rattle somebody's cage or play some type of misdirection.
In the end, data that was thought to be secure was made public, and this has put more than a few people's feet on the fire for it.
The sad thing is that it probably won't be known for sure who's telling the truth because each organization won't want to show more of their hand than they already have. This means that the problems that led to this, whatever and wherever they may be, probably won't be fixed.
Expecting them to tell the truth is so naive it is tragic.
If these files had anything of any use to anyone, I would be suspicious right there with you.
But these files are basically useless. For around a year now applications cannot even access the UDID or submissions to the app store will be blocked. In iOS6 it's totally blocked. That's the thing in the end that convinces me the FBI is not involved, because this data is of no real use to them at all, not even for keeping tabs of future mobile device use. And again, the number of devices they have here also makes very little sense in terms of being something the FBI would have collected - the FBI should have a complete list of hundreds of millions of devices, not just 12 million.
When things are confused, the simplest answer is usually correct. There is no simple answer as to how they were obtained from an FBI laptop or why the FBI would have such a pointless list of data, whereas anon skimming these files off some hapless server IS a very simple answer as to how they have this data.
If it had names & addresses & SSN for everyone, then I'd start wondering. But this scattershot file of mostly useless identifiers is just pointless to risk the furor of Congress (who they will have to answer to if lying) to acquire.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
If hackers owned (in the domination sense) that FBI laptop to pull files off, then it could be possible to plant files too. While it may be typical for govt and corp to deny everything which plays well into the public's suspicion, hackers that have a goal of embarrassing both entities can plant evidence to achieve this. It is nearly equally believable that a hacker group might be in possession of these lists to begin with. I don't see what value a government investigative agency would even have in this data because it can relate to so many uninteresting devices. It really fits the M.O. of hacker groups, however, to poke around the realm of popular consumer electronics. The fact that these UDID's are considered deprecated might support the case that security concerning their safekeeping has become lax as well... and as a result were taken.
So the main possibilities are: Apple provided the data. The FBI "acquired" the data. The particular agent "acquired" the data (Apple mole, or perhaps from hackers in the dark net). Hackers planted the data.
I suppose it is not too far fetched to think that maybe the lists were taken by hackers and circling some underground file exchange. Perhaps the agent is tasked for monitoring these exchanges, grabbed a copy, was observed getting a copy, and the hackers followed up by owning the agent's laptop because he didn't give the secret handshake. The hackers discover it is an FBI laptop and can't resist disclosing that fact.
This is all a bunch of nonsense! This was probably just a list from a given vendor. Track this down by doing the following:
Look for the ID's and find the most recent date one that you can. That gives you the date range that this is relevant for.
Look at the ID's and match them to locations? Are they all from the US? That might give credence to FBI angle (which I think is bollocks).
Look at the ID's and start matching users.
Look for commonality between said users, this is far too large of a list of users to simply be a list of OWS protestors (sorry, if OWS was ever that large on just Apple users alone OWS would have succeeded instead of being a punch line). You're doing this just to exclude conspiracy theories like a national we spy on people with shiny toys conspiracy theory.
Once you've concluded that there isn't anything in common between most of these people you can't start the real work:
Start matching the common thing or applications between those users. You will probably discover something really benign like they all have AT&T accounts that belong to the western part of the US or they all have the Twitter application or something really boring.
Why would anyone believe anything the FBI says?
When they're not simply wrong, they are lying to protect state secrets and the security of their agents.
SELECT * INTO agents_tbl FROM all_iphones_tbl WHERE ;
Apple doesn't HAVE any way to query against that condition. They have ID's and names.
Which right away tells you the list was not from Apple, or ALL of them would have names.
So then you have some other large set of UDID's and names. Only that's all they have, ID's and names.
The only marginal use you could gain from such a list is if you have AS MANY ID/name pairings as possible, so on some future date if you had an ID you could look it up in your database.
Of course as noted, there is no possible future use of such a list since there will be no UDID to query against going forward.
Nothing about this list + the FBI makes any sense.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
The actual official press release from the FBI, the only statement that matters, didn't deny it, it says "at this time there is no evidence". It was a non denial denial. Apple are simply trying to fix the non-denial denial.
But I agree with you, it is likely a rogue app, or an App with a very bad EULA captured the data. It is also likely the FBI got it as part of an investigation into that app.
Now they should try to match up the common app and then we will know more.
What are these UDIDs used for?
In testing you use them to select who can run test builds.
You USED to be able to use them in an app to tell when a person on the same device was contacting your server, as a shortcut for having them log in. But Apple ended that practice about a year ago.
Some ad networks were using them for tracking, again stopped about a year ago.
They are not used for anything anymore because Apple rejects apps that try and access the UDID.
That's the reason why the list is utterly pointless. It cannot be used going forward to correlate anything.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
APPLE CAN USE A *SINGLE* APNS TOKEN TO TRACK WHICH APP THE UDIDS/APNS/ETC CAME FROM, JUST DO THAT AND OUT THE WEB SERVICE THAT WAS OBVIOUSLY HACKED.
you only get a apns token when an app wants to receive push notifications..... think about that
also this is to defeat the fucking stupid yelling feature thing.
even if it was a state sponsored conspiracy.
Ugh, my UDID is in that list. What should I do?
If any of the released stuff actually works, it'll put the lie to both of them, which is as embarrassing as it is funny.
It is not only embarrassing / funny, but also EXTREMELY WORRYING !!
It's entirely possible that the anonymous has somehow caught both Apple and FBI red handed, and accidentally revealed the secret relationship between FBI and Apple.
This time around they (Apple / FBI) can deny anything and everything - but what makes you think they won't do it again ?
What makes you think that Apple won't give FBI millions and millions more new UDIDs to enable FBI to snoop on iPhone / iPAD users?
Muchas Gracias, Señor Edward Snowden !
I find it interesting that they were able to start and complete an investigation after only one day, yet in other times the FBI says they don't have manpower or time to work on missing person cases where lives are involved.
and Sandusky denied touching little boys.
Apple, and the federal government. Two of the lyingest organizations left, now that the USSR has folded. Of course the FBI had anything they wanted from Apple, and the ability to easily compromise i-gadgets is something they would definitely want. It serves anyone who would buy Apple products right, if they were spied on. Owning Apple products is like being in a prison. What do they expect in a prison?
Oh the delicious irony. The faceless, nameless and unscrupulous... yet I believe them before I'll ever believe the likes of Apple or the FBI. See, Anonymous has no reason to lie. The bold truth is just fun enough without needing to embellish.
Are we sure Samsung didn't orchestrate this whole thing to make Apple look bad ahead of Samsung's appeal of the recent $1 billion judgement?
Apparently there was no breach at the time frame the news articles describe. The details are in the server access logs. Unfortunately, for his safety and job security, he can only tell me this without providing hard copies of the server logs - so this can only be viewed as hearsay.