Hackers Leak 1 Million Apple Device IDs
CREDIT: Sascha Burkard/Shutterstock.com/Apple, Inc. Image composite by SecurityNewsDaily.
This story was updated Wednesday, Sept. 5, at 2 p.m. ET with comment from Apple.
To cap off a summer of devastating corporate data breaches, hackers yesterday (Sept. 3) posted online what might be the crown jewel of 2012 data dumps: 1 million identification numbers for Apple iPhones, iPads and iPod Touch media players, all purportedly stolen from the laptop of an FBI agent.
There may also be an additional 11 million Apple device IDs yet to be released, many with users' full names, addresses and telephone numbers attached. At least some of the posted device IDs appear to be genuine.
"Why exposing [sic] this personal data?" asked the unnamed writer of the Pastebin posting announcing the data dump, who claimed to be affiliated with the anti-government hacktivist group AntiSec. "Well, we have learnt it seems quite clear nobody pays attention if you just come and say 'Hey, FBI is using your device details and info and who the [expletive] knows what the hell are they experimenting with that,' well sorry, but nobody will care."
The FBI has asked other websites to remove the link to the Pastebin posting on the grounds that the posting is spreading malware. SecurityNewsDaily can find no evidence of embedded malware in the Pastebin page, but reminds users to run an anti-virus scan on any material downloaded from file-sharing sites.
"If this story is true, then the real question becomes one of why an FBI agent is carrying this personally identifiable information on his laptop, and what sort of security practices the FBI is taking to protect that information," said Jennifer Granick, a digital-rights attorney who is currently the director of civil liberties at the Stanford Law School Center for Internet and Society.
In a statement released late today (Sept. 4), the FBI denied involvement in the affair.
"At this time, there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data," two different FBI spokesmen told SecurityNewsDaily.
Safe … for now
Users of the 1 million affected devices are, for the moment, probably not in any danger of identity theft or account takeovers. However, they may want to know why the FBI supposedly had their device IDs on file.
"I'd say the owner has already been subject of theft, if Apple or a software manufacturer has been providing government agencies with the ability to track the identities of the devices' owners," said Jonathan Zdziarski, an iPhone forensics specialist with Chicago-based security firm ViaForensics. "I don't think the UDID itself could be used to attack the owner."
Apple unique device identification numbers (UDIDs) establish a single iOS device's identity in the Apple ecosystem, letting iTunes and app developers know which device is running what.
UDIDs are what lock most iOS devices into installing only software from the iTunes App Store, and what let game developers keep track of each user's high score.
"A UDID by itself isn't going to give you much," Granick said. "However, if you combine it with other user data, such as Web-surfing data or ad-trackers, you can create a pretty powerful user profile."
The 88-megabyte file posted by AntiSec on several file-sharing sites is heavily encrypted, but the Pastebin posting offers detailed instructions for decrypting it using open-source software.
"The bad guy here isn't AntiSec," Zdziarski said. "In fact, they went to great lengths to sanitize the data so that much of the significant personal data wasn't included. ... I happen to know some of the people who are on this list, and they are the most unlikely people to ever commit a crime or have any justifiable reason to be tracked by the FBI."
To check whether your iPhone, iPad or iPod Touch's UDID might be among those affected, a software developer based in Florida has already posted a tool at http://kimosabe.net/test.html.
Apple UDIDs can be found by plugging an iOS device into a computer, opening iTunes and clicking on the device serial number displayed.
Mac-centric website MacOS Rumors has verified that many of the UDIDs in the data dump are genuine, but notes that "UDIDs themselves are rather harmless in isolation."
New Zealand-based security researcher Aldo Cortesi has shown that due to a disregard of Apple's security guidelines by iOS game and app developers, it's possible to determine a user's identity through an UDID alone. (Apple has cracked down on developer misuse of UDIDs.)
"Apple has only cracked down on it verbally, and not prevented the technical capability," Zdziarski said. "It's very unlikely that [Apple would] be able to detect [app developers] trying to hide their use of the UDID. Combine this with the [apps'] ability to read the address book, and the Path debacle from earlier this year could become much more serious."
The Pastebin post claims that the UDIDs were stolen thanks to an Anonymous hack into the laptop of FBI agent Christopher Stangl, a member of a New York-based cybercrime task force.
Stangl has spoken publicly on matters of cybersecurity, appearing in February 2011 on a panel discussion on cybercrime attended by SecurityNewsDaily. Two years earlier, he starred in a FBI recruitment video posted on Facebook.
Stangl was also among 44 American and European law-enforcement personnel copied on an email, sent in January 2012, inviting recipients to join a conference call to discuss efforts against the hacktivist groups Anonymous and LulzSec.
Anonymous intercepted the email and used it to eavesdrop on and record the conference call, which they then posted online in February 2012.
According to yesterday's Pastebin post, hackers used a then-new Java exploit to get into Stangl's machine.
"During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java," the posting says. "During the shell session some files were downloaded from his Desktop folder one of them with the name of 'NCFTA_iOS_devices_intel.csv' turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc. the personal details fields referring to people appears many times empty leaving the whole list incompleted on many parts."
"No other file on the same folder makes mention about this list or its purpose," adds the writer of the Pastebin post.
"CSV" is the Windows file type associated with a list of comma-separated values, which separate database entries with a comma and can be read by Microsoft Excel and many other applications.
"NFCTA" may refer to the National Cyber-Forensics & Training Alliance, a Pittsburgh-based nonprofit organization that, in its own words, "functions as a conduit between private industry and law enforcement with a core mission to identify, mitigate and neutralize cybercrime."
It is not clear why an FBI agent would have a database of 12.4 million iOS device UDIDs on his laptop, nor why the NFCTA would have provided them to him.
"It would not surprise me if either a large social or financial network (e.g. Twitter, Facebook, PayPal, etc) or possibly even Apple had some kind of agreement to provide this data on a contractual basis," Zdziarski said. "As far as why the FBI would want this information — it could be used [in] a number of different ways to track individuals."
Requests for comment by SecurityNewsDaily to Apple and the NFCTA were not immediately returned.
Sprechen Sie Deutsch?
In a blog posting this morning, Errata Security CEO Robert Graham theorizes that the hackers may have used the intercepted FBI email to "spear phish" the email's recipients, luring them to a rigged website that would have loaded the brand-new, or "zero-day," Java exploit onto their machines.
"If I have an email list of victims, and a new [zero]-day appears, I'm immediately going to phish with it," wrote Graham. "It's not Chinese uber APT [advanced persistent threat] hackers, it's just monkeys mindless[ly] following a script."
Graham Cluley, a security researcher with the British firm Sophos, pointed out today (Sept. 4) that the Pastebin writer may be a native German speaker because of an impolite message in German to Mitt Romney at the end of the post. The stilted English grammar, frequent use of the preposition "so" to begin sentences, a reference to Austrian banks and a Goethe quotation also indicate a German-language connection.
As might be expected, the writer makes shout-outs to Anonymous, WikiLeaks, the Syrian rebels and the imprisoned Russian punk band Pussy Riot, and criticizes National Security Agency head Gen. Keith Alexander's appeal in July to hackers to join the government.
But the writer also cites Jack Henry Abbott, the prison-based writer who was paroled in 1981 as a result of the efforts of author Norman Mailer. Abbott killed another man six weeks into his parole and spent the rest of his life in prison.
The writer also uses the Latin phrase "argumentum ad baculum," or "appeal to the stick," the proposition that arguments, however flawed, can be won through use of force.
In a dig at the press, the writer also demands that Adrian Chen, a technology reporter at the gossip blog Gawker who has written extensively on Anonymous, humiliate himself on camera.
"No more interviews to anyone till Adrian Chen get featured in the front page of Gawker, a whole day, with a huge picture of him dressing a ballet tutu and shoe on the head," the posting says. "No Photoshop."
UPDATE: Apple on Wednesday (Sept. 5) issued a statement denying that it had provided the UDIDs to the FBI or anyone else.
"The FBI has not requested this information from Apple, nor have we provided it to the FBI or any organization. Additionally, with iOS 6 we introduced a new set of APIs [application-platform interfaces] meant to replace the use of the UDID and will soon be banning the use of UDID."
On the lighter side, Gawker's Adrian Chen did indeed put on the tutu. No word yet on whether he'll get an interview with the hackers.