FBI hack would pose 'medium' risk to iPhone users

Hackers say they have published on the web the unique identification numbers of one million iPhones and iPads, posing what one expert said would be just a medium risk to some users of the devices.

The unique device identifiers (UDIDs) were allegedly taken from 12.4 million numbers stolen from the laptop of an FBI cyber-security agent, said a person who claimed to be from AntiSec, an affiliate of the anti-government hacktivist group Anonymous.

Instructions on where to find and how to decrypt the data dump were on the site Pastebin.

The FBI has released a statement denying the theft. "The FBI is aware of published reports alleging that an FBI laptop was compromised and private data regarding Apple UDIDs was exposed," the agency said. "At this time, there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data."

AntiSec claimed it stole the information in March via a Java vulnerability in the Dell Vostro laptop used by Christopher Stangl, an agent with the FBI cybersecurity team in New York. Stangl appears in a 2009 recruitment video encouraging cybersecurity experts to join the FBI.

The motive for the hack was to draw attention to the FBI's gathering of such tracking information.

"We have learnt it seems quite clear nobody pays attention if you just come and say 'Hey, FBI is using your device details and info,'" the Pastebin post said.

While only Apple would know for sure whether the UDIDs were authentic, data protection firm Imperva said it believed the data was real. "The structure and format of the data indicates that this is a real breach," Rob Rachwald, director of security for Imperva, said in a blog post. "It would be hard to fake such data."

The hacktivist group claimed it stripped the UDIDs of most of the associated personal information, such as names, cell phone numbers, addresses and ZIP codes. However, having such information made it possible to monitor users' online activity, and, possibly, their location.

"With the full information that hackers claim to have, someone can perform this type of surveillance," Rachwald said. "This implies that the FBI can track Apple users."

Cybercriminals with only the UDIDs would find it more difficult to steal from users. Starting with iOS 5, released nearly a year ago, Apple stopped giving developers access to the data, which they had used to identify users in apps or mobile ad and game networks.

Therefore, the greatest risk was to people still using iPhones that do not support the operating system, which includes the iPhone 3G and older models. Such users could have their Facebook or Twitter accounts hacked, said Daniel Ford, chief security officer for mobile security vendor Fixmo.

Another possible scenario would be to push a malicious application onto the phone using the same tools developers use to test apps on iPhones, said Lee Cocking, vice president of corporate strategy for Fixmo. If a person clicked on the app's icon, then the smartphone could become infected with data-stealing malware. The risk of such an infection would be greatest for jailbroken iPhones.

While possible, neither scenario was likely. "I would be putting this in the medium [category]," Ford said, basing his assessment on the vulnerability rankings set by the National Institute of Standards and Technology. "There is certainly something there. There is certainly something that's exploitable. But how damaging it could be is unknown."
