Anonymous Dumps More Than One Million Apple iPhone, iPad Device IDs

Published: 22/11/2024   Category: security




AntiSec operatives claim to have hacked an FBI agent's computer, grabbing 12 million-plus Apple iOS UDIDs -- but there's no reason to panic, experts say



Anonymous' AntiSec operation appears to be back in action, dumping online yesterday more than 1 million unique device identifiers from Apple iOS devices the group says were stored on an FBI agent's laptop that they hacked.
Some users -- including a security expert -- say their UDIDs were among those exposed by the group of hackers. The hackers claim the FBI has more than 12 million of these iOS IDs in all, and that they were able to steal a file that contained UDIDs, user names, device names, Apple Push Notification Service tokens, Zip codes, cell phone numbers, addresses, and other personal information, as well. Their online posting includes UDIDs and some device names.
Peter Kruse, partner and security specialist with CSIS, says three of his five iOS devices were among the UDIDs in the Anonymous data dump. "The only thing I can say for sure at the moment is that three out of five of my iDevices are found in the leaked data. I checked the UDID and the device names, and they match, so I assume this leak is very real," Kruse says.
UPDATE: In a tweet late today, the FBI press office said reports that one of its laptops had been hacked aren't true: "Statement soon on reports that one of our laptops with personal info was hacked. We never had info in question. Bottom Line: TOTALLY FALSE," the press office said via its Twitter feed.
"At this time, there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data," according to a statement issued by the FBI.
The hackers said in a Pastebin post yesterday that the laptop of supervisor special agent Christopher K. Stangl was breached via a Java attack in early March of this year.
"During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java, during the shell session some files were downloaded from his Desktop folder one of them with the name of NCFTA_iOS_devices_intel.csv turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc. the personal details fields referring to people appears many times empty leaving the whole list incompleted on many parts. no other file on the same folder makes mention about this list or its purpose," the Pastebin post says.
Robert Graham, CEO of Errata Security, says the hackers probably pilfered the information from an iOS app developer, which is who UDIDs are designed for. "They aren't a user thing," he says. But it's not out of the realm of possibilities that the group of hackers compromised an FBI laptop, he says.
Graham points out that the alleged breach occurred one month after members of Anonymous in February snuck onto an FBI conference call after intercepting an email that included the dial-in and codes for the call. "They were able to hack the conference call because they'd intercepted the announcement e-mail. This e-mail was also published. That e-mail was sent directly to all 40 agents, which means their e-mail addresses were all exposed. That means every hacker on the Internet now has a list of the 40 officers in charge of hunting down LulzSec," Graham wrote in a blog post today.
Meanwhile, the good news is that a UDID alone isn't very valuable to an attacker. "It's not like a big password dump," Graham told Dark Reading. The attackers appear more interested in proving they had the information than in exposing the victim devices, he says. "UDIDs [alone] are not a big deal. If you also have an email with it, you could do some phishing," Graham adds.
CSIS' Kruse concurs. "If the statement associated to this leak is real, you can combine this data together with ... unique user [information, which,] from a privacy point of view, is a total nightmare. However, I have not seen the additional data, which should include full name, addresses, phone number," he says.
Rob Rachwald, director of security for Imperva, confirms that the agent mentioned in the Pastebin post is real. "He's a known recruiter in the FBI focused on getting white [hat] hackers to work for the feds," Rachwald said in a blog post today, and noted that the dumped data looks authentic as well.
"If the hackers have what they claim, they may be able to cross reference the breached data to monitor a user's online activity -- possibly even a user's location. To be clear, the released database is sanitized so you cannot perform this type of surveillance today. But with the full information that hackers claim to have, someone can perform this type of surveillance. This implies that the FBI can track Apple users," Rachwald said.
The AntiSec hackers noted in their post that they wanted to expose the FBI for a "tracking people project," and criticized Apple's UDIDs. "We never liked the concept of UDIDs since the beginning indeed. Really bad decision from Apple. fishy thingie," they said.
So if your UDID was on the list, what should you do? "You can always panic," quips Errata's Graham. "After that, there's nothing more to do."