Anonymous group leaks 1m Apple IDs from FBI laptop | SC Media
Architecture, Network security, Strategy, Threat intelligence

Anonymous group leaks 1m Apple IDs from FBI laptop

September 4, 2012

In another brazen attack, the Anonymous-connected AntiSec hacking group has published one million Apple unique device identifier numbers, or UDIDs, which it claimed it lifted from a file on an FBI laptop.

UDIDs consist of a combination of unique numbers and letters, which allows Apple and app developers to identify or track devices that run on the iOS platform, like iPhones and iPads.

On Sunday, the hacktivists posted a message taking responsibility for the breach, saying they stole a list of more than 12 million Apple iOS devices, which included UDIDs and Apple Push Notification (APN) Service tokens, from the Dell Vostro notebook belonging to Special Agent Christopher Stangl.

In addition, the intruders said they removed personal information of users, including addresses, cell phone numbers, ZIP codes and other details. Anonymous said it “trimmed out” that information, and that the one million UDIDs and APNS tokens “would be enough to release.”

In the message, Anonymous said Stangl, ironically, works in the FBI's New York office as a cyber investigator. His laptop was raided in March thanks to a Java exploit, which allegedly led to the Apple UDID leak, the hackers said.

Anonymous said it exposed the information because the public should be suspicious as to why the FBI is maintaining a massive collection of private data that can be used to track people.

“Even in this case we will probably see their damage control teams going hard lobbying media with bull**** to discredit this, but well, whatever, at least we tried and eventually, looking at the massive number of devices concerned, someone should care about it,” the group wrote in a message, which was posted to document site Pastebin.

On Tuesday afternoon EST, the FBI emailed a statement to SCMagazine.com regarding the claims by Anonymous. The agency said that at present, there is no evidence that the FBI requested or received Apple UDIDs or that an agent's laptop was hacked.

“The FBI is aware of published reports alleging that an FBI laptop was compromised and private data regarding Apple UDIDs was exposed," the statement said. "At this time, there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data.”

On the claimed leak, Anonymous said that considering Apple may be seeking an alternative to UDIDs, now was a suitable time to release the information. An Apple rep did not return an email seeking comment.

Calling the incident a "privacy catastrophe," Aldo Cortesi, a coder and founder of New-Zealand based security consulting firm Nullcube, said the use of UDIDs continues to be a pervasive problem.

He said in a Tuesday blog post that a number of companies are misusing the numbers, which can lead to a slew of issues, from de-anonymization to the takeover of users' social networking accounts.

If Anonymous' claims are true, then the recent leaks are a worst-case scenario, Cortesi said.

“When speaking to people about this, I've often been asked ‘What's the worst that can happen?' My response was always that the worst-case scenario would be if a large database of UDIDs leaked... and here we are,” wrote Cortesi.

In an email to SCMagazine.com on Tuesday, Cortesi said that his research was specifically on social gaming networks and the use of UDIDs.

"Many of the companies I looked at would use the UDID to automatically log the user in to their gaming social network accounts, as if the UDID somehow proved who the requesting user was," he said. "One obvious way in which this can go wrong is if a device is sold. The device UDID is permanent, and can't be changed even if the device changes hands, so the effect is that the new device owner is suddenly able to log in to the old device owner's accounts.

Apple has begun rejecting apps that try to access UDIDs, Cortesi said, though the Anonymous incident exemplifies the need for the issue to have been tackled from the outset.

This wouldn't be the first time Anonymous infiltrated the computer of an FBI agent. Earlier this year, a member compromised the email account of an Irish police agent to retrieve the dial-in details for an FBI-Scotland Yard conference call. The discussion, which the group recorded and posted online, centered on the ongoing cases of several members of Anonymous and LulzSec accused of hacking and launching denial-of-service attacks.

Earlier this year, Irish-born Donncha O'Cearrbhail was charged with the hack after being ratted out by the former leader of LulzSec-turned-FBI informant, Hector Monsegur, aka "Sabu."
prestitial ad