Laptop Data Security: Anonymous Releases 1 M Apple UDIDs, Says FBI Hacked (Updated: BlueToad Admits To Data Breach).
It’s being reported all over the internet that an FBI special agent’s laptop was hacked and that over 12 million Apple UDIDs were stolen from it by hackers belonging to the hacktivist group Anonymous. While the incident raises a number of questions, it’s also an example that clearly shows that mobile data security can be undone by third parties.
Updated (10 Sept 2012): Blue Toad, an app developer, has stepped forward to claim that the leaked UDID data is a match with their own client UDID list. Link to admission and apology interview with NBC at the bottom.
A Little Dubious
The story, as it was originally reported: members of Anonymous hacked a laptop computer owned by “Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team” (net-security.org). The computer, a Dell Vostro, was attacked using a Java vulnerability (AtomicReferenceArray):
“During the shell session some files were downloaded from his Desktop folder one of them with the name of ‘NCFTA_iOS_devices_intel.csv’ turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc. the personal details fields referring to people appears many times empty leaving the whole list incompleted on many parts. No other file on the same folder makes mention about this list or its purpose.” [net-security.org]
Of the 12 million-plus references, one million and one were posted to pastebin.com, a popular data dumping ground. The stunt was pulled, according to the hackers, to bring attention to the fact that the FBI was tracking people, and done in such a way as to maximize exposure (in other words, create a scandal).
According to forbes.com, which has been updating its article as new developments occur, the FBI has shot down the hackers’ claims via Twitter, noting that they never had the information to begin with. Where did the information originate, assuming that the FBI is telling the truth?
Some think that the information may have come from a compromised app developer, although it’d be hard to point out which one. It hasn’t stopped people from speculating, however. One thing is for certain: the information appears to be international in nature. A Dutch researcher has confirmed that his three Apple devices’ UDIDs show up on the list.
If you’d like to see if you’ve been affected, you can use a handy tool at thenextweb.com. Of course, with only 1/12th of the compromised UDIDs released by Anonymous, the fact that you don’t show up on the leaked list doesn’t really mean much.
Much Ado About Nothing?
There is also talk about what the data breach means. Experts’ opinions range from the incident being nearly insignificant — from the perspective of the breach as well as the claims that the FBI was using this data — to being calamitous, especially as it relates to civil rights.
I won’t get into speculating on specifics. I’ll just note that, since time immemorial, a large list of any data has represented an opportunity for further action. For example, the telephone’s yellow and white pages were used as devices for planning scams because they represented a large concentration of marks’ names and addresses. The leak of valid email addresses also represents such an opportunity in the internet era.
Could the UDIDs also be used for nefarious purposes? Who knows? I’m willing to bet that the answer tilts towards “yes,” though.
A Blow to Data Security? A Clarion Call for Data Security?
Some may view the above incident as an ominous sign representing the dangers of mobile devices in the workplace. I would have to disagree.
Not that the spread of mobile devices and the BYOD trend doesn’t represent an increase in systematic risk when it comes to data security mishaps. However, the question has never been whether total risk is increased; rather, it’s whether the cost-benefit ratio makes sense when taking into account the increase in risk. Kind of like, well, you’re probably safest if you hole up in your house all day, but you really miss out on life if you literally spend all of your time on earth inside a house.
Philosophical rambling aside, the fact that the FBI agent’s laptop was (supposedly) hacked is immaterial in this case, and hence it does not represent an impending global doom brought by mobile devices.
Be the device a laptop, smartphone, tablet, desktop computer, or the world’s oldest mainframe machine, the hack happened over the wires, meaning that any type of device could have been compromised. If the hack was perpetrated via other means — such as someone stealing an FBI agent’s laptop and getting past any data encryption software — then one could be excused for feeling morose about the information security status of the world as it pertains to mobile devices.
For now, one’ll just have to feel morose about the information security status of the world in general.
Related Articles and Sites: