Anonymous Leaks 1M Apple Device UDIDs

Orome1 writes "A file containing a million and one record sets containing Apple Unique Device Identifiers (UDIDs) and some other general information about the devices has been made available online by Anonymous hackers following an alleged breach of an FBI computer. 'During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java,' the hackers claim." Update: 09/04 13:44 GMT by T : A piece at SlashCloud points out that if the leak is genuine, this raises some sticky questions about privacy and security; in particular: "[H]ow did the agency obtain said information, and to what purpose? Why did all that personal data reside on the laptop of one special agent?"
This discussion has been archived. No new comments can be posted.

  • Re:So is apple... (Score:2, Informative)

    by Anonymous Coward on Tuesday September 04, 2012 @09:08AM (#41221873)

    There's an Axis group of predatory software companies comprised largely of Apple, Microsoft, Oracle and Facebook, with a few smaller companies used mostly as proxies. They cooperate with US government agencies in exchange for favorable treatment in courts and legislature.

    In this instance, the Facebook app on Apple's iOS was used to mine contact data from iPhone users.

  • by O('_')O_Bush ( 1162487 ) on Tuesday September 04, 2012 @09:15AM (#41221915)
    A lot of apps use it, and with one, you could spoof requests using a simulator. It isn't a secure form of identity, but at least a good way to troll.
  • by vlm ( 69642 ) on Tuesday September 04, 2012 @09:17AM (#41221947)

    So what can you do with an Apple UDID?

    Yeah that's a good question. As to what a UDID is:

    http://theiphonewiki.com/wiki/index.php?title=UDID [theiphonewiki.com]

    UDID = SHA1(serial + IMEI + wifiMac + bluetoothMac)

    So it's not much more than a checksum of the serial num and the various RF ids. So given 5 pieces of information, the UDID is what amounts to a checksum of the other 4 parts proving that row of the database has no errors.

    What it is, does not superficially seem to help much with what they do with it, but maybe it helps a little in isolating what it isn't (it isn't, for example, the iTunes CC number for the account, or the owner's SS number, so there's no point discussing those types of issues)

  • by h4rr4r ( 612664 ) on Tuesday September 04, 2012 @09:19AM (#41221963)

    Linus Torvalds used a macbook pro with linux last I checked. Is he not a geek?

  • Re:My Reaction (Score:3, Informative)

    by icebraining ( 1313345 ) on Tuesday September 04, 2012 @10:01AM (#41222393) Homepage

    And you're a nice example.

    It's because the average IQ is about 100.

    It's not "about" 100. It is 100, because that's how they are designed.

    When modern IQ tests are devised, the mean (average) score within an age group is set to 100

  • Re:So is apple... (Score:3, Informative)

    by ToastedRhino ( 2015614 ) on Tuesday September 04, 2012 @10:17AM (#41222529)

    Not sure why you think this. If you have access to an iPhone backup (encrypted or not) you almost certainly have access to the UDID already since backups are stored (on OS X) in ~/Library/Application Support/MobileSync/Backup/[iPhone UDID]/[Actual Data]

    (It's similar on Windows in that it also includes the UDID in the folder name, but I don't know the full path off the top of my head.)

    Anyone getting to the actual data would be able to see the UDID in the folder name that contains the data.

    Also, let's not forget that before iOS 5 developers were able to use UDIDs as identifiers when apps were downloaded. So lots and lots of developers have this same information on lots and lots of users in databases of their own. In my mind, it seems pretty ridiculous to think that Apple would have given developers carte blanche to collect information that is an integral part of the phone's encryption protocol.

    That's not to say this isn't a privacy problem, but I don't think it could affect the strength of the encryption on or off the phone in any way, shape, or form.

  • Re:So is apple... (Score:5, Informative)

    by cdrguru ( 88047 ) on Tuesday September 04, 2012 @11:12AM (#41223075) Homepage

    The UDID is not related to encryption on iDevices. Knowing the UDID will not help unlock a device if you have it.

    The original function of the UDID was to allow stateless connections (like HTTP) to be able to coordinate sessions with the same device. Thus, you ask for something and cell data connection drops. The device connects back up and gets the response and everyone knows they are still talking to the same device. However, Apple has seen too many applications use this in inappropriate ways and has come out officially saying the API to retrieve it may be retired shortly.

    There are other ways to make sure you are talking to the same device consistently and one thing that Apple wants is multiple device transparency when one account is involved. So I can make a request on my iPhone and retrieve the results on my iPad as well as having 100% of the data shared between the devices. The UDID isn't conducive to that at all.

    So there are likely apps out there that have collected massive UDID databases... but have no idea what to do with the information. It is not externally visible. It could be used to do various types of tracking but mostly your app author isn't all that interested. I have no idea what the FBI might do with a database of maybe 1% of the iDevices out there but it isn't all that useful.

    Forensic software for iDevices exists and much of it will work on locked devices. It will not decrypt otherwise encrypted data that is stored by applications in an encrypted form, but that is actually pretty rare. And again, having the UDID before you plug the device in is of no value and once you do plug it in, you have the UDID. So if an iPhone is confiscated by some law enforcement agency, they probably have access to the "right" software for dumping out the contents of the phone. Completely. If they are really up on things, they may have a portable device which will image the phone in minutes in the field. Your ability with an iPhone or Android phone to keep things out of law enforcement hands is (today) approximately zero. This was not previously the case but all the latest high-end cell phone forensic tools handle iDevices just fine.

    An encrypted Blackberry remains a device that cannot be successfully examined - I believe you can get an image from the device but it is encrypted at a level that makes cracking the encryption unlikely. Once the device has been imaged, I believe trying selected passwords is possible without the "10 wrong guesses wipes the device" problem. But still, for the most part an encrypted Blackberry is secure. Any Blackberry device can be encrypted, BIS or BES, but it is sufficiently troublesome that only people required to do so - because of a BES profile - are going to do it. You can bet government Blackberries are set with the profile requiring encryption. The encryption is part of the device locking which then requires a password (text) to unlock and access the device.

  • Re:So is apple... (Score:4, Informative)

    by gnasher719 ( 869701 ) on Tuesday September 04, 2012 @11:34AM (#41223315)

    I'd like someone with more specific expertise to follow up on this branch of the thread, but iirc one of those IDs is used to encrypt the data on the ipod/iphone, and is also used to encrypt the data backed up to the computer when synced, if you select to encrypt the backup. (itunes option)

    That's nonsense. Every iOS device has a Unique Device Identifier (UDID), which is used to identify the device and nothing else. Some idiot programmers used it to identify users, which is totally stupid because when you sell a used iOS device, the UDID stays with the device.

    UUIDs (Universally Unique Identifiers) on the other hand are created repeatedly. A well-written app that wants to keep track of one user of that app will generate a UUID and store it in the app's preferences. 100 different apps on the same iOS device will create 100 different UUIDs. The good thing for privacy is that you cannot use UUIDs to gather information about a user, because the same UUID will only come up in one context.

    Neither are used to encrypt information on an iOS device. (An application _could_ use a UUID that it created to encrypt information, but that would be information coming from that one application).
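An added illustration, not part of any comment above: it takes the UDID formula quoted earlier in the thread and the per-app UUID approach just described, and shows why a device-wide identifier lets unrelated apps' records be joined while per-install UUIDs do not. The device values, app names and field encoding are constructed assumptions.

```python
import hashlib
import uuid


def udid(serial, imei, wifi_mac, bt_mac):
    """UDID per the formula quoted in the thread: SHA1 over the concatenated
    fields. The exact string encoding of each field is an assumption."""
    data = (serial + imei + wifi_mac + bt_mac).encode("ascii")
    return hashlib.sha1(data).hexdigest()


def row_is_consistent(row):
    """The 'checksum' view: the UDID column must match the other four."""
    return udid(*row[:4]) == row[4]


def linkable(db_a, db_b):
    """Identifiers present in both apps' tables, i.e. cross-linkable devices."""
    return sorted(set(db_a) & set(db_b))


# Constructed sample devices (not real hardware values).
DEVICES = [
    ("SN0000000001", "010000000000001", "00:11:22:33:44:55", "00:11:22:33:44:56"),
    ("SN0000000002", "010000000000002", "00:11:22:33:44:65", "00:11:22:33:44:66"),
]


def collect(app_name, use_udid):
    """Simulate one app's backend table: identifier -> what that app knows."""
    table = {}
    for dev in DEVICES:
        ident = udid(*dev) if use_udid else str(uuid.uuid4())
        table[ident] = {"app": app_name}
    return table


def demo():
    # Two unrelated apps keyed on the UDID: same key for a device in both.
    with_udid = linkable(collect("game", True), collect("news", True))
    # Same apps, each generating its own UUID per install: nothing to join on.
    with_uuid = linkable(collect("game", False), collect("news", False))
    return with_udid, with_uuid


if __name__ == "__main__":
    linked, unlinked = demo()
    print(len(linked), "devices linkable via UDID;", len(unlinked), "via UUID")
```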

  • Re:My Reaction (Score:5, Informative)

    by DVega ( 211997 ) on Tuesday September 04, 2012 @12:23PM (#41223889)
    When the IQ tests were created, they did not evaluate every single individual, just a small sample. So it is fair to say that the average IQ of the population is near 100, but not exactly 100.
  • Re:So is apple... (Score:5, Informative)

    by ToastedRhino ( 2015614 ) on Tuesday September 04, 2012 @01:09PM (#41224613)

    What in the world are you even talking about? They didn't log "GPS Coordinates" and the logs that people did get all upset about that contained information about cell tower locations were stored on your phone and in the backups on your computer. That's not exactly "publicly accessible."

    And you're confused about the ad thing. You can turn off location (GPS) based ads right on the device. Just go to Settings --> Location Services --> System Services and toggle "Location-Based iAds" to Off. You DO have to go to a website to opt out of interest-based ads from iAd, but this is no different than any other ad company.

    And you are aware that iOS has supported complex passwords (i.e., any combination of letters, numbers, and special characters that you'd like) since iOS 4.0 which came out in June of 2010, right?

    So basically not a single thing that you said is true.
