Tuesday, September 4, 2012

What You Should Know about the FBI Apple UDID Breach

A hacker group "Anti-Sec" has released over 1 million UDID's they "found" on an FBI laptop. Before we begin an Apple UDID (Unique Device Identifier), which as the name states, is a unique alpha-numeric number that's tied to each iPhone, iPod Touch and iPad. This number, up until iOS 5.1, was taken without permission when a user would download certain apps and other activities. Having this information would allow advertisers to focus ads based off apps and experiences a user was running. With that said, here's the posting by Anti-sec:

"During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java, during the shell session some files were downloaded from his Desktop folder one of them with the name of “NCFTA_iOS_devices_intel.csv” turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc. the personal details fields referring to people appears many times empty leaving the whole list incompleted on many parts. no other file on the same folder makes mention about this list or its purpose."

It's one thing to have a privacy breach by advertisers, but what's the FBI doing with over 1 million Apple UDID's? Why is this on an agency laptop and what are they doing with this information? I'd be very interested to see what vendor was "asked" to cough this information up and what the FBI was using it for.

Also, it's very interesting to see that the Java fiasco is still in full blown and being exploited to the fullest. This is a problem for everyone, but I would have hoped the FBI would have taken this vulnerability more serious.

To verify that your Apple UDID isn't on the list of IDs released use the following link to verify: http://kimosabe.net/test.html. If you are on the list I'd be very interested in speaking with you in more detail. You can see my "About Me" page with contact details.

No comments:

Post a Comment