View Full Version : Hacker group claims FBI tracking Apple users



jets1961
09-05-2012, 02:43 PM
hxxp://www.thestar.com/business/article/1251052--apple-fbi-antisec

Internet activists claim to have hacked more than 12 million identification codes for Apple devices from an FBI agent’s laptop and have posted instructions on online bulletin board Pastebin on how to access one million of the user IDs.

Known as the Anti Security Movement, or Antisec, the group said on a Twitter account belonging to the Anonymous “hacktivist” collective that many of the IDs come complete with the device owner’s personal information.

In a blog post Tuesday that included attacks on security agencies, Antisec said it withheld information such as names, phone numbers and addresses, but left enough for “users to search for their devices.”

The group did not indicate that bank account numbers or passwords were included.

“During the second week of March 2012 a Dell Vostro notebook used by supervisor special agent Christopher K. Stangl from FBI regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java,” Antisec said in the post.

“Some files were downloaded from his desktop folder; one of them with the name of NCFTA_iOS_devices_intel.csv turned out to be a list of 12,367,232 Apple iOS devices including unique device identifiers (UDIDs), user names, name of device, type of device, Apple push notification service tokens, zipcodes, cellphone numbers, addresses, etc.”

Antisec said it published the alphanumeric IDs to call attention to the possibility that the FBI had used or was planning to use the information to track citizens.

The group has not verified that the FBI obtained the identification codes, explained how it did so, or why — but analysts said the bureau might be interested in assembling Apple device details in case it needs to track the location of a specific individual.

The FBI told the Los Angeles Times it was aware of the alleged hack but declined further comment, and Antisec said it will not provide further statements after posting that “the original file contained around 12,000,000 devices. We decided a million would be enough to release.” Apple did not immediately respond to a request for comment.

Web pages have been set up to check whether IDs have been compromised, and Apple users can look up a UDID using a confidential partial search at:

http://pastehtml.com/udid

Given their nature as random strings of letters and numbers, unique device identifiers offer little direct information on individuals, but the TechCrunch website said when cross-referenced with Apple’s developer resources the data can “potentially identify a unique user’s geographic location and other specific information.”

“The UDID leak is a privacy catastrophe,” New Zealand-based security consultant Aldo Cortesi added on a blog post.

“If your UDID is on the list, you have reason to be very concerned. When I looked at this issue in the past I showed how using only a UDID it was possible to get access to private user information including friends lists, geolocation, information on what games you were playing and who you were chatting to.

“I was even able to take over Facebook and Twitter accounts, again using just a UDID,” Cortesi added. “I’m worried that there may be similar issues out there waiting to be exploited, and that this database will give someone the ability to do so at a very large scale.”

Apple has been phasing out developer access to the UDID over privacy concerns and the developer community is adopting more secure means to store data about users. But enforcement has been gradual and Apple continues to approve apps with UDIDs, according to marketing technology company Fiksu.

fonger
09-05-2012, 02:52 PM
mine said "This UDID is not leaked"
thank goodness

jets1961
09-05-2012, 04:16 PM
What is interesting about this is the FBI are the ones who had the lists. This is so wrong that they are eavesdropping on our electronic devices without a warrant, and it's not just Apple stuff; they do it to cell phones too.

They are doing it here in Canada too. Wow, we sure have lost our privacy post-9/11; time to put it back in judges' hands, not the police.

fn59
09-05-2012, 04:23 PM
It's not just the government tracking people. Digital devices have made it much easier for corporations to track your purchases, online browsing, and possibly your movements.

fonger
09-05-2012, 04:44 PM
but it had our complete list... that's what bothers me. your Apple ID, and passwords, and even the device mini-mac address and cereal/oatmeal numbers.
:)