AntiSec Hackers Post 1 Million Apple Device IDs

  /     /     /  
Publicated : 22/11/2024   Category : security


AntiSec Hackers Post 1 Million Apple Device IDs


Hacker group says it got data off FBI laptop and released the file to call attention to the governments alleged possession of that information.



11 Security Sights Seen Only At Black Hat (click image for larger view and for slideshow)
Hacking group AntiSec on Monday posted online a million and one Apple Unique Device Identifiers (UDIDs) that it claims to have obtained from an FBI laptop.
During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber ActionTeam and New York FBI Office Evidence Response Team, was breached using the
AtomicReferenceArray vulnerability
[in] Java, the group said in a post published on
PasteBin
. During the shell session some files were downloaded from his Desktop folder. One of them with the name of NCFTA_iOS_devices_intel.csv turned to be a list of 12,367,232 Apple iOS devices...
The group has published one million and one UDIDs from its list of 12 million, along with Apple Push Notification Service tokens. It has omitted additional data fields associated with the some of the UDIDs, including user names, zip codes, mobile phone numbers, and addresses. Nonetheless, the file includes the user-settable device name field, in which many users have entered their first name or full name.
NCFTA stands for the National Cyber-Forensics & Training Alliance. Since its creation in 1997, the FBI says, the NCFTA has become an international model for bringing together law enforcement, private industry, and academia to share information to stop emerging cyber threats and mitigate existing ones.
[ Apple has had its share of victories recently. Read
Apple Worked A Broken Patent System
. ]
So is Apple sharing user data with the NCFTA and FBI to help fight cybercrime?
Apple did not respond to a request for comment. The NCFTA did not immediately respond to a request for comment. After initially declining to comment, the FBI issued a statement disputing AntiSecs claim about the source of the file.
The FBI is aware of published reports alleging that an FBI laptop was compromised and private data regarding Apple UDIDs was exposed, the FBI said via email. At this time, there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data.
But if Apple wanted to share customer information with the FBI, its privacy policy allows it to do so.
Apples privacy policy
states that the company may disclose customer information if we determine that for purposes of national security, law enforcement, or other issues of public importance, disclosure is necessary or appropriate.
Apple in March began rejecting apps that access UDID numbers and has made it clear that UDIDs are being phased out. In January 2011,
Apple was sued
in California over alleged privacy and state business law violations because it allowed developers to transmit UDID numbers. That case was
dismissed in December 2011
. A spokesperson for law firm Milberg LLP did not immediately respond to a request for further information about the litigation.
A study published in September 2010, cited in the case, found that 56 out of 101 apps tested transmitted UDID numbers. Unique identifiers are coveted by advertisers because they allow ads to be targeted to individuals and tracked across services.
Privacy concerns prompted Apple to deprecate the UDID API in iOS 5 and to suggest that developers
implement their own apps-specific ID schemes
rather than relying on a number tied to a specific device. Instead, Apple wants developers to use Core Foundation Universally Unique Identifier, which can be the same across multiple devices, making it less compelling for advertisers.
Crashlytics, a company that makes a developer analytics SDK, has developed an open-source alternative called
SecureUDID
.
Because AntiSec withheld some of the information in the alleged FBI file, the security risks to those whose UDID numbers have been exposed are significantly less than they would be with full names, addresses, and other personal data.
Its possible, however, that a skilled hacker will be able to use these identifiers, probably in conjunction with other information, to spoof Apples notification service or make a social engineering attack more credible. At the very least, users whose UDIDs have been exposed may be identifiable by name through future usage of apps that reveal a UDID--a simple database look-up can check to see if a UDID matches a name in the AntiSec file.
The exposed data may also pose an operational security risk for the FBI or others engaged in cybersecurity: Some of the devices on the list bear names like FBIs iPhone, FBI van#2, and FBI Surveillance. Presumably the FBI isnt keen to have its devices identified when they access a network with an app that reveals UDIDs.

Last News

▸ IoT Devices on Average Have 25 Vulnerabilities ◂
Discovered: 23/12/2024
Category: security

▸ DHS-funded SWAMP scans code for bugs. ◂
Discovered: 23/12/2024
Category: security

▸ Debunking Machine Learning in Security. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
AntiSec Hackers Post 1 Million Apple Device IDs