Anonymous Leaks 1M Apple Device UDIDs
Orome1 writes "A file containing a million and one record sets containing Apple Unique Device Identifiers (UDIDs) and some other general information about the devices has been made available online by Anonymous hackers following an alleged breach of an FBI computer. 'During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java,' the hackers claim."
Update: 09/04 13:44 GMT by T : A piece at SlashCloud points out that if the leak is genuine, this raises some sticky questions about privacy and security; in particular: "[H]ow did the agency obtain said information, and to what purpose? Why did all that personal data reside on the laptop of one special agent?"
So is apple... (Score:5, Interesting)
Re:So is apple... (Score:5, Insightful)
Yes, that seems like the larger issue here. What purpose does the FBI Cyber Action team have with 12M Apple UUIDs (from TFA: of which only 1M was leaked so far)?
This actually seems like a case of actual well-meaning hacktivism, as the purpose here is to inform users they are being tracked. It is only a matter of time before the remaining UUIDs are released. Unfortunately, most people have little more tech savvy than a newborn, so it is unlikely many people will even know how to compare their device to the list even if they care to do so.
The best we can hope for is that more of them wake up to the large-scale surveillance being undertaken and the abuse of power it represents. I wish I could be optimistic, but I know better by now.
Re:So is apple... (Score:5, Insightful)
The problem is that although Anonymous does have a list of Apple IDs (which I doubt has been verified yet), they don't have hard evidence attributing them to an FBI source. We have to just take their word on that one, unless the FBI admits to the breach.
Re: (Score:3)
I'd like someone with more specific expertise to follow up on this branch of the thread, but iirc one of those IDs is used to encrypt the data on the ipod/iphone, and is also used to encrypt the data backed up to the computer when synced, if you select to encrypt the backup. (itunes option)
So, having a big database of these IDs is also potentially
Re: (Score:3, Informative)
Not sure why you think this. If you have access to an iPhone backup (encrypted or not) you almost certainly have access to the UDID already since backups are stored (on OS X) in ~/Library/Application Support/MobileSync/Backup/[iPhone UDID]/[Actual Data]
(It's similar on Windows in that it also includes the UDID in the folder name, but I don't know the full path off the top of my head.)
Anyone getting to the actual data would be able to see the UDID in the folder name that contains the data.
Also, let's not for
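A check built on the backup folder layout described in the comment above, added here as an example and not code from any poster: it reads UDIDs from the backup folder names and looks for them in a list file. The list layout is not described on the page, so the scan pulls every 40-hex-digit token from each line; the tolerated folder-name suffix is an assumption, and the sample UDIDs, token and list lines are constructed.

```python
import re
import tempfile
from pathlib import Path

# OS X location given in the comment above.
DEFAULT_BACKUP_ROOT = "~/Library/Application Support/MobileSync/Backup"

# Exactly 40 hex digits, not part of a longer hex run (so a 64-digit
# push token on the same line is not mistaken for a UDID).
UDID_TOKEN = re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{40}(?![0-9a-fA-F])")
FOLDER_NAME = re.compile(r"[0-9a-fA-F]{40}(?![0-9a-fA-F])")


def local_udids(backup_root=DEFAULT_BACKUP_ROOT):
    """UDIDs taken from the names of the backup folders under backup_root."""
    root = Path(backup_root).expanduser()
    found = set()
    if not root.is_dir():
        return found
    for entry in root.iterdir():
        # The folder name starts with the UDID; anything after it
        # (for example a date suffix) is ignored. Assumption.
        match = FOLDER_NAME.match(entry.name)
        if entry.is_dir() and match:
            found.add(match.group(0).lower())
    return found


def udids_in_lines(lines):
    """Every 40-hex-digit token found in the lines, lower-cased."""
    found = set()
    for line in lines:
        found.update(token.lower() for token in UDID_TOKEN.findall(line))
    return found


def devices_on_list(backup_root, list_lines):
    """Local UDIDs that also appear somewhere in the list."""
    return sorted(local_udids(backup_root) & udids_in_lines(list_lines))


def demo():
    """Run the check against a constructed backup tree and list."""
    on_list = "0123456789abcdef0123456789abcdef01234567"
    not_on_list = "fedcba9876543210fedcba9876543210fedcba98"
    constructed_list = [
        # Upper-case UDID plus a 64-digit token, all made up.
        '"%s","%s","Example iPad","iPad"' % (on_list.upper(), "ab" * 32),
        '"%s","%s","Example iPhone","iPhone"' % ("1" * 40, "cd" * 32),
    ]
    with tempfile.TemporaryDirectory() as root:
        for name in (on_list, not_on_list + "-20120904-101500", "notes"):
            (Path(root) / name).mkdir()
        return devices_on_list(root, constructed_list)


if __name__ == "__main__":
    print("constructed demo:", demo())
    print("UDIDs in local backups:", sorted(local_udids()))
```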
Re:So is apple... (Score:5, Informative)
What in the world are you even talking about? They didn't log "GPS Coordinates" and the logs that people did get all upset about that contained information about cell tower locations were stored on your phone and in the backups on your computer. That's not exactly "publicly accessible."
And you're confused about the ad thing. You can turn off location (GPS) based ads right on the device. Just go to Settings --> Location Services --> System Services and toggle "Location-Based iAds" to Off. You DO have to go to a website to opt out of interest-based ads from iAd, but this is no different than any other ad company.
And you are aware that iOS has supported complex passwords (i.e., any combination of letters, numbers, and special characters that you'd like) since iOS 4.0 which came out in June of 2010, right?
So basically not a single thing that you said is true.
Re:So is apple... (Score:5, Informative)
The UDID is not related to encryption on iDevices. Knowing the UDID will not help unlock a device if you have it.
The original function of the UDID was to allow stateless connections (like HTTP) to be able to coordinate sessions with the same device. Thus, you ask for something and cell data connection drops. The device connects back up and gets the response and everyone knows they are still talking to the same device. However, Apple has seen too many applications use this in inappropriate ways and has come out officially saying the API to retrieve it may be retired shortly.
There are other ways to make sure you are talking to the same device consistently and one thing that Apple wants is multiple device transparency when one account is involved. So I can make a request on my iPhone and retrieve the results on my iPad as well as having 100% of the data shared between the devices. The UDID isn't conducive to that at all.
So there are likely apps out there that have collected massive UDID databases... but have no idea what to do with the information. It is not externally visible. It could be used to do various types of tracking but mostly your app author isn't all that interested. I have no idea what the FBI might do with a database of maybe 1% of the iDevices out there but it isn't all that useful.
Forensic software for iDevices exists and much of it will work on locked devices. It will not decrypt otherwise encrypted data that is stored by applications in an encrypted form, but that is actually pretty rare. And again, having the UDID before you plug the device in is of no value and once you do plug it in, you have the UDID. So if an iPhone is confiscated by some law enforcement agency, they probably have access to the "right" software for dumping out the contents of the phone. Completely. If they are really up on things, they may have a portable device which will image the phone in minutes in the field. Your ability with an iPhone or Android phone to keep things out of law enforcement hands is (today) approximately zero. This was not previously the case but all the latest high-end cell phone forensic tools handle iDevices just fine.
An encrypted Blackberry remains a device that cannot be successfully examined - I believe you can get an image from the device but it is encrypted at a level that makes cracking the encryption unlikely. Once the device has been imaged, I believe trying selected passwords is possible without the "10 wrong guesses wipes the device" problem. But still, for the most part an encrypted Blackberry is secure. Any Blackberry device can be encrypted, BIS or BES, but it is sufficiently troublesome that only people required to do so - because of a BES profile - are going to do it. You can bet government Blackberries are set with the profile requiring encryption. The encryption is part of the device locking which then requires a password (text) to unlock and access the device.
Re: (Score:3)
The UDID is not related to encryption on iDevices.
That's not entirely true. If you're a developer (or a tester for a developer), your phone's UDID is used in the certificate signing process when doing ad hoc distribution of an app. If the app is not signed for your device, you can't run it. I know that signing and encryption aren't exactly the same thing, but in this context, they're definitely related.
But yes, for most users, I believe your statement holds true.
Re:So is apple... (Score:4, Informative)
I'd like someone with more specific expertise to follow up on this branch of the thread, but iirc one of those IDs is used to encrypt the data on the ipod/iphone, and is also used to encrypt the data backed up to the computer when synced, if you select to encrypt the backup. (itunes option)
That's nonsense. Every iOS device has a Unique Device Identifier (UDID), which is used to identify the device and nothing else. Some idiot programmers used it to identify users, which is totally stupid because when you sell a used iOS device, the UDID stays with the device.
UUIDs (Universally Unique Identifiers) on the other hand are created repeatedly. A well-written app that wants to keep track of one user of that app will generate a UUID and store it in the app's preferences. 100 different apps on the same iOS device will create 100 different UUIDs. The good thing for privacy is that you cannot use UUIDs to gather information about a user, because the same UUID will only come up in one context.
Neither are used to encrypt information on an iOS device. (An application _could_ use a UUID that it created to encrypt information, but that would be information coming from that one application).
Re: (Score:3, Insightful)
From that comment I gather that you believe an anonymous person who claims to be a hacker who claims to have gotten what he claims is Apple UDIDs from what he claims was an FBI computer.
Re: (Score:2, Insightful)
This is considered "insightful"? If Shavano had taken the 5 seconds required to verify that those UDID are, in fact, valid, he wouldn't be saying silly things like this.
Sure, we have no idea of the source of this (FBI, Apple, random person with 1M+ harvested UDIDs, etc.), but it's trivial to verify that (at least a good part of the data) is valid.
Maybe google for "Apple UDID deanonymize" and you'll get there.
Re:So is apple... (Score:4, Funny)
I'm more interested in why a high-budget outfit like the FBI is buying Vostros!
Re: (Score:2)
Don't quote me on this but I think the Vostro is one of the few laptops with a matte finish nowadays.
So the remainder of the Apple (obviously) and Dell stock is pretty much defective by design. Thank the lord for the Vostro.
Re:So is apple... (Score:4, Insightful)
Re:So is apple... (Score:5, Funny)
From the article I read the laptop was owned by the agent not the FBI which raises a whole pant load of other questions.
No, it's actually quite simple.
The agent was in the process of collecting data, etc for the purpose of starting his own FBI.
With blackjack.
And hookers.
But the Secret Service got mad because blackjack & hookers were their gig, and so they hacked this FBI agent's computer and released the data to Anonymous.
The SS doesn't want to have their agents blow into town only to find all the blackjack and hookers are already booked solid by these new-FBI agents.
Strat
Let's ignore... (Score:2, Insightful)
... the possibility that the FBI was doing its job.
The only possibilities here are that the FBI or Apple are in the wrong, there is NO possibility that criminals did something wrong.
Remember that simple rule... the FBI and Apple sometimes make mistakes, therefore they are ALWAYS responsible for things. /groan
Re: (Score:3, Interesting)
Ok, yes yes, the crazy mugger (cracker) was clearly in the wrong. That does leave the question of why an unconnected, shady character (the FBI) was walking around with everyone's paychecks (Apple info for which the FBI has no clearly demonstrated need).
Nobody is declaring Anonymous innocent, but why the HELL does the FBI need a list of UDIDs? Are they tracking TERRISTS via their iPhones now, or is it more likely that the FBI just likes reading your mail, watching you in the shower, and knowing all your pass
Re:Let's ignore... (Score:4, Insightful)
So - why does a cop car need a million bucks worth of Heroin in their boot ?
One option is - they nabbed a criminal.
Re: (Score:2)
doesn't explain why it's on his laptop (Score:3)
Any evidence should have gone to the lab, not onto a laptop.
Re: (Score:3)
There are 1 million terrorist or criminal iPhone users?
Does that not seem high?
Only USA Apple ID's or others (Score:2, Interesting)
Was the leak only for USA ID numbers, or are we talking major criminal action in foreign countries here?
It's always tempting to think the USA is the world police, but Apple do not have immunity from foreign courts if they've been handing over data like that.
Re: (Score:2)
Going to explain why they gave all the UID of their devices to the FBI?
Considering that we were talking about UDIDs here, and UDIDs are something totally different than UUIDs or GUIDs, any post referring to UIDs should never be marked as "interesting", but "imbecile".
Re: (Score:2)
Probably not.
http://en.wikipedia.org/wiki/National_security_letter [wikipedia.org]
Re:So is apple... (Score:5, Insightful)
Why is that more likely?
You think if the FBI asks Apple or AT&T won't cough up such a list?
Re: (Score:2, Informative)
There's an Axis group of predatory software companies comprised largely of Apple, Microsoft, Oracle and Facebook, with a few smaller companies used mostly as proxies. They cooperate with US government agencies in exchange for favorable treatment in courts and legislature.
In this instance, the Facebook app on Apple's iOS was used to mine contact data from iPhone users.
Re:So is apple... (Score:4, Insightful)
Oh please, all the big boys play this game. Any major firm is not going to do anything other than send a bill when any three letter agency asks for data. Nothing to do with favors, just typical amoral corporate behavior that we need to regulate against.
Re:So is apple... (Score:4, Insightful)
We need government rules against a company cooperating with the government?
On one hand you argue for regulation, which is more powerful government. On the other hand, you bemoan the government using any power.
Companies and governments don't go to heaven. They don't act morally or amorally. They just do what is necessary to get thru the day.
Re: (Score:3)
Yes, much like we have government rules limiting what the police can do.
Regulation does not imply a more powerful government, it can be done with the same level of power it has now.
No one goes to heaven, it does not exist. They act amorally, since that is what the people who make them up do.
Re:So is apple... (Score:5, Interesting)
Regulation does imply a more powerful government. If someone runs afoul of the regulation, the government steps in and hands out punitive fees, prison time or exclusion from government contracts. This amounts to actively reining in formerly autonomous business processes or personal decisions.
Each regulation gives the government more power. Before the regulation, the government had no right to interfere. Regulation gives the right to the government. And each additional regulation forces the government to actively administer the regulation, and thus to add governmental jobs.
There is no point in regulation if there is no one to enforce it.
Re: (Score:2)
Not true. Some regulation limits government, like police may not just search your house at random. This is the kind of thing I am proposing. The end result would just be such evidence could never be used in court and at that point existing administrative actions could be taken against those who collected it.
Re: (Score:3)
The police aren't really regulated. In theory they are, but all they have to do is claim it's part of the War on Drugs or War on Terror and they're free to do whatever they want.
Re: (Score:3)
Lose in court? The point is not whether they win or lose. It's about keeping people in line. Look at recent stories where the US government seized websites, servers, etc. Shut down businesses. A year later, they quietly drop the case. Lives have been ruined, companies closed. What then? Sue the US government? Good luck with that. Do you really want to spend your entire life for the next several years trying to sue the government?
Sorry to shatter your view of the world, but there's no accountability in gover
Re: (Score:2)
No one goes to heaven, it does not exist.
Your hypothesis is untestable, yet you are certain it's true? There's a bit of a logical disconnect there, you can't see it?
Re: (Score:2)
Certainty is in the eye of the beholder. How many of the people unable to disprove the existence of unicorns bother with leaving out hay for them in cold winters? They simply assume unicorns do not exist - maybe even going to the extent of saying they do not exist...
Re: (Score:3)
Unicorns do not live in the Arctic Ocean. Vikings used to sell narwhal tusks to suckers who thought unicorns existed though.
Homo floresiensis is not a Leprechaun, just another hominid. A leprechaun would have a pot of gold at the end of a rainbow and would be from Ireland not Indonesia. Be amazed by reality, not try to make it appear that myths are anything more.
The amazing thing is that every atom in your body came from a star that exploded. And, the atoms in your left hand probably came from a different st
Re: (Score:3)
That's not how it works. Not for an individual, and not for a complex organization like a company or government. Regulations are not reducible to more/less powerful.
There are separation of powers, multiple levels of checks and balances, etc, that do counteract such forces.
For example, not that long ago a project by our government for installing a bunch of CCTVs was struck down by a different government commission that's responsible for protecting personal data.
Re: (Score:2)
I think you do not understand the separation of powers: legislative power (congress) would make a law prohibiting collecting arbitrary data about individual citizens without reason and companies to provide them that information without due process. Executive power (government) is not allowed to subvert that law.
Re:So is apple... (Score:5, Insightful)
I think you do not understand the separation of powers: legislative power (congress) would make a law prohibiting collecting arbitrary data about individual citizens without reason and companies to provide them that information without due process. Executive power (government) is not allowed to subvert that law.
There isn't much bi-partisan common ground in the US. But on the subject of Congress being unwilling and/or unable to prevent the Executive Branch from violating laws in such areas as arrest, detention, search, seizure and privacy, the parties are of one mind. There are perhaps a handful of Senators and Representatives willing to speak up about it, but even they're too scared to actually point fingers and name names.
Re:So is apple... (Score:5, Interesting)
And then there is the judicial branch, which rolls over and asks the Feds to scratch its tummy at any mention of the State Secrets Doctrine.
There's a whole sordid history to the State Secrets Doctrine involving the deaths of three geeks in a military plane in the 50s and the Air Force covering up its negligence by claiming it would harm national security if an accident report was released. Decades later that accident report was declassified and showed nothing of any national security import -- just some lousy maintenance on the plane and failure to make manufacturer recommended upgrades. Had the widows been allowed to have it, they would have likely done well at trial. Anyway, keeping it secret enabled the Air Force to short change the widows by settling the case cheap.
http://www.thisamericanlife.org/radio-archives/episode/383/origin-story?act=2#play [thisamericanlife.org]
Oh yeah, and Obama is the worst offender in applying the state secrets doctrine. Just search for obama state secrets doctrine [google.com] --- the examples are ridiculously numerous for one who promised openness in government.
Re: (Score:2)
Re: (Score:2)
Have you been paying ANY attention the last 4 years? The last 40? Of course the executive can subvert the law with impunity.
I have. But viewing it from this side of the Atlantic pond, I think gandhi_2 is not the only one that does not understand the importance of separation of powers. I suppose a two party system is only marginally better than a one party system, people in the three powers are bound to come from one or the other background or identify with one or the other party. Freedom and democracy lose.
You do know even the Romans implemented separation of powers?
Mind you, on this side of aforementioned pond, we have our own
Re: (Score:2)
Re: (Score:2)
That's exactly what the Bill of Rights was intended to do.
Re: (Score:2)
Not one bit.
I dispute the fact that only a limited set of companies are doing this or that they gain favors by doing it. Big companies like telcos have nice simple request for data forms pre made, so long as they get paid they are more than happy to share any and all data.
Re:So is apple... (Score:5, Insightful)
The fact that it is facebook?
Facebook exists for basically this sort of thing. Tracking devices or not, anything you post to it you should consider public knowledge. Sure you have privacy settings, which do not apply to the three letter agencies. At some point they may not apply to anyone.
I am not saying don't use it, but consider anything you say on facebook the same as printing it on a billboard.
Re: (Score:3)
Not at all. The walled garden merely means that any app needs to not be evil while being tested. This is trivial to do. If asked however Apple would cooperate.
The normal facebook app yes, the one that comes packaged with so many android phones out of the box would not.
Everything is in place for Big Brother to step in (Score:5, Interesting)
Re:Everything is in place for Big Brother to step (Score:4)
Install CM or an app that lets you block permissions you do not like. You will need to root of course.
Re: (Score:3)
Re: (Score:2)
Re:So is apple... (Score:5, Funny)
So Apple can now drag both the FBI and Anonymous to court over copyright infringement? Nice ...
1 million UIDs, value at [price of iPad or iPhone], should be pretty nice income for Apple's legal department.
Re: (Score:2)
So much for the walled garden, huh?
udid (Score:5, Interesting)
Re: (Score:2)
So is there anything you need to do just in case your device is on the list? Upgrade to iOS6 if you can, I'd assume.
For older devices that can't upgrade (thinking of my original AppleTV here), is there any risk? Is it likely someone would use your UDID to simulate being you so they can jailbreak their devices?
Re: (Score:2)
Yes, they're likely just to be only used internally as the seed to the encryption algorithm. That's the most plausible reason for the FBI to have the list, so that they can plug the UDID into a key generator that will decrypt the phone. How else do you think those LEO phone crackers work in minutes.
I give this stunt one thumb up the A** (Score:2)
Dear George Orwell... (Score:2)
Re: (Score:2)
catchy job title (Score:5, Funny)
> Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team
This guy must have business cards 2 feet wide.
FS (Score:5, Funny)
Re: (Score:3)
It is the execution of the list that would result in bad things. Fortunately, the government doesn't have the gusto to use a list in the ways you describe...
Except for republican and democratic campaign coordinators... that's real fucking scary...
All your UUIDs are belong to us (Score:2)
Re: (Score:2)
Soda bread
Pork schnitzel in the style of Vienna
Sweet Potato Pie
German chocolate cake
Home made ravioli (stuffed with bison, venison, beef, 3 cheeses, and spinach) in creme sauce
Beef and Guinness stew
Bacon wrapped venison roast slow cooked and smoked in my barbeque
Spicy chili
7 bea
Re: (Score:2, Funny)
Those health insurance premiums... increased lately?
Re: (Score:2)
Re: All your UUIDs... recipes are belong to us (Score:2)
I'll go for the home made bison and cheese stuffed ravioli, thank you.
As to the garlic soup, don't bother. ;-)
Relations between humans tend to be difficult enough even w/o garlic.
So which application? (Score:4, Interesting)
It sounds like this is a dump of data from an application vendor to the FBI: Apps have (in the past) used UUID for identification, and the push-notification tokens also suggest application, not apple, as the source.
So which application is responsible?
In a self followup, push notification token... (Score:2)
If one finds a phone which is in the list, is there a way to find out which application is associated with the push notification token? If so, this would help identify the application vendor responsible for dumping this data onto the FBI.
Re:So which application? (Score:5, Interesting)
The current theory (as mentioned by Marco Arment [marco.org]) is that it may be from AllClear ID's iOS app, given that AllClear officially joined the NCFTA [greensheet.com] in the second week of March. Since the leaked file's name had NCFTA in it, it's pretty clear that it came from the NCFTA, and it would make sense that AllClear would have started providing some data prior to when they actually announced they had joined, so that may explain (but certainly not justify) why someone had something like that on their desktop on the week of the attack.
If AllClear is indeed the source, that would be some rather delightful irony, given that they would be directly responsible for causing more damage to their customers than they will ever likely prevent.
Also, if AllClear sounds familiar, it may be because they were the company providing a year of free identity theft protection to Sony customers after the hacks last year that compromised millions of PSN accounts.
"... on the laptop of one special agent?" Har har. (Score:5, Insightful)
"Why did all that personal data reside on the laptop of one special agent?"
Probably it didn't and doesn't.
Reside on the laptop of *just one* special agent, that is.
Whenever one of these special agents gets something particular from the boss, all the others want that, too.
OMG: HolyShit Batman... (Score:2)
Calm down, everyone with an Apple device, there's more than one Dark Knight with a laptop. You don't see your UDID, you're on another laptop darkly. Each device has GPS, a mic, front-facing camera and wireless connection for your safety.
Solved question (Score:4, Interesting)
Ok, this is weird... (Score:2)
But slashdot? How is anyone surprised? Haven't we seen the news about the official spyware installed on all iPhone (yes and a lot of Android phones too)? Aren't we ranting all day long about the circulation of privacy data without overseeing?
There is one thing that ou
Is this geographically limited? (Score:2)
Just completed an entirely unscientific look at the data - I checked the UDIDs of the iPads we have registered here (at a large financial company in the UK) and none are in the list. Given that this is 1m of 12m records, what ratio is 12m of the total population size for iphones and ipads?
i.e. if I checked 20 UDIDs, none of them came up, can we say that (albeit with a low degree of confidence) the sample does not include UK registered devices? Is it just USA registered devices? Has anyone outside of the
Re: (Score:2)
I'm still trying to decode the file, and my iphone is in my desk at home, off. So I'll have to look later.
But it makes no sense for the FBI to have UK UUIDs. FBI only operates in a domestic capacity. The CIA would be the ones to have UK UUIDs.
Re: (Score:3)
So no, you're not in the clear with any confidence, though you are more likely than not.
ugh. what's with this third-person BS? (Score:3)
"A piece at SlashCloud points out...."
Jeez. You mean "Us, standing over there." Why pretend it's an unrelated entity?
How to decode the file? (Score:2)
It looks base64 but not quite. But I did only try a portion of the file.
Help?
Re: (Score:2)
Re: (Score:2, Insightful)
Re: (Score:2)
Re: (Score:2)
Re:How to lose friends and not influence anyone (Score:5, Informative)
Linus Torvalds used a macbook pro with linux last I checked. Is he not a geek?
Re: (Score:2)
Permitted?
How can they do anything about it?
I have linux running on a macbook air and I have seen android on a 3GS.
Maybe you should learn about technology... (Score:2, Insightful)
if you are going to post to a tech site. There are plenty of beginner sites out there, this one is for people who know basic technical info like "You can put any OS you want on a MacBook".
Re: (Score:2)
You might not have permission (especially for Apple) to run a software you obtained a license to, on each hardware you wanted to do so. You cannot run iOS image you have lifted off your iPhone on a Nokia or God forbid, on a Samsung. However when you buy a hardware (and assuming it is not a Ferrari), you can run any software on it. You can use it as a door-stop if you like. Thus if like to do so and able to do so, you can run Android,
Re: (Score:2)
Whoooosh.....
Re:And the use of a UDID? (Score:4, Informative)
Re:And the use of a UDID? (Score:5, Informative)
So what can you do with an Apple UDID?
Yeah that's a good question. As to what a UDID is:
http://theiphonewiki.com/wiki/index.php?title=UDID [theiphonewiki.com]
UDID = SHA1(serial + IMEI + wifiMac + bluetoothMac)
So it's not much more than a checksum of the serial num and the various RF ids. So given 5 pieces of information, the UDID is what amounts to a checksum of the other 4 parts proving that row of the database has no errors.
What it is, does not superficially seem to help much with what they do with it, but maybe it helps a little in isolating what it isn't (it isn't, for example, the itunes CC number for the account, or the owner's SS number, so there's no point discussing those type of issues)
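The SHA1 formula quoted in this comment, set beside the per-app UUID scheme described earlier in the thread, as an added example that is not code from any poster or from Apple: it shows why a hardware-derived identifier links records across apps and across owners while per-app UUIDs do not. The `Device` class, the field encodings and all sample values are constructed assumptions.

```python
import hashlib
import uuid
from collections import defaultdict


def derive_udid(serial, imei, wifi_mac, bt_mac):
    """UDID = SHA1(serial + IMEI + wifiMac + bluetoothMac), as quoted above.

    How each field is written out before hashing is an assumption here
    (plain ASCII strings, concatenated with no separator).
    """
    material = (serial + imei + wifi_mac + bt_mac).encode("ascii")
    return hashlib.sha1(material).hexdigest()  # 40 hex digits


class Device:
    """Hypothetical model of one handset; not an Apple API."""

    def __init__(self, serial, imei, wifi_mac, bt_mac):
        # Derived only from hardware values, so it never changes.
        self.udid = derive_udid(serial, imei, wifi_mac, bt_mac)
        self.app_prefs = {}  # app name -> UUID that app generated for itself

    def app_uuid(self, app):
        # A per-app UUID is created on first use and kept in that app's
        # preferences, so two apps never see the same value.
        if app not in self.app_prefs:
            self.app_prefs[app] = str(uuid.uuid4())
        return self.app_prefs[app]

    def erase_for_resale(self):
        # Erasing the device drops app preferences; the hardware stays.
        self.app_prefs.clear()


def record(device, app, owner, use_udid):
    """One row as an app's backend would store it."""
    ident = device.udid if use_udid else device.app_uuid(app)
    return {"app": app, "owner": owner, "id": ident}


def linkable(records):
    """Identifiers that appear in more than one (app, owner) context."""
    contexts = defaultdict(set)
    for row in records:
        contexts[row["id"]].add((row["app"], row["owner"]))
    return {ident: ctx for ident, ctx in contexts.items() if len(ctx) > 1}


def simulate(use_udid):
    # Constructed sample values (documentation-range MAC addresses).
    dev = Device("SERIAL0000001", "000000000000000",
                 "00:00:5e:00:53:01", "00:00:5e:00:53:02")
    rows = [record(dev, "news_app", "first owner", use_udid),
            record(dev, "game_app", "first owner", use_udid)]
    dev.erase_for_resale()
    rows.append(record(dev, "news_app", "second owner", use_udid))
    return linkable(rows)


if __name__ == "__main__":
    for use_udid in (True, False):
        label = "UDID" if use_udid else "per-app UUID"
        print(label, "->", simulate(use_udid))
```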
Re: (Score:2)
Doesn't seem that far fetched that it could be a single column from a larger database referencing oodles of more data allowing one to spy on and track any individual at anytime using such a device.
Re: (Score:2)
Re: (Score:2)
The UDID is used by developers to provision an app for a phone so it can be installed without going through the app store (see here [tutsplus.com].)
Re: (Score:2)
Re: (Score:3)
kind of like those password security checkers "not secure: reason: you typed it into a random site on the internet"
Re: (Score:3, Informative)
And you're a nice example.
It's because the average IQ is about 100.
It's not "about" 100. It is 100, because that's how they are designed.
When modern IQ tests are devised, the mean (average) score within an age group is set to 100
Re: (Score:2)
Thanks for playing
Re:My Reaction (Score:5, Informative)
Comment removed (Score:4, Insightful)
Re: (Score:2)