FBI denies it was responsible for Apple ID leak
Summary: The FBI is claiming that it has nothing to do with the leaked list of over a million Apple device IDs, because it never had the information to begin with.
The FBI is disputing a hacker group's claim that it stole personal identification data of more than a million Apple device owners from an FBI agent's laptop.
Apple has not yet responded to repeated requests for comment, but the FBI has said that it never asked for and never possessed the list that the group, which is affiliated with the AntiSec movement, has posted on a website.
The group released a link to a text file containing more than a million Apple device identification numbers.
The identification data includes Apple devices' Unique Device IDs (UDIDs), which New Zealand coder and security consultant Aldo Cortesi has repeatedly warned are a ticking privacy time-bomb. According to Cortesi, many iOS applications regularly send UDIDs to servers on the internet, often over insecure communication channels.
Cortesi's own experiments found that many companies, especially those in the social gaming ecosystem, are misusing UDIDs in a manner that could result in serious privacy breaches. At the time of one of his experiments, he found that certain social gaming sites would allow attackers to log in knowing nothing more than a stolen UDID.
"Some of the companies mentioned in my posts still have unfixed problems (they were all notified well in advance of any publication)," Cortesi wrote on his site yesterday.
"When speaking to people about this, I've often been asked 'What's the worst that can happen?' My response was always that the worst case scenario would be if a large database of UDIDs leaked ... and here we are."
Talkback
It's not denial
Peering into the fractal
The security comes when application developers -- the consultant especially points the finger at social gaming outfits -- and analytics firms tie this ID to actual personal identity data. One outfit, for example, had an API that would return a link to your Facebook page if presented with your UDID. They shouldn't do that, Apple told them not to do that, but this is the real world where people are lazy so they used the UDID API to grab a handy user handle. In hindsight Apple should have seen that coming. Apparently they didn't.
This is also the real world where we have seen that the ad trackers and the analytics guys, if deprived of cookies, will find all sorts of ingenious new ways to track and analyze us. And so it will be here. The UDID API is going away, it won't be in iOS 6, but anybody who thinks that the trackers and the analysts are just going to say, "Oh, OK, we'll just go out of business" is smoking rope.
The security issue isn't 32-character hex strings. It's databases. Take away a convenient way to populate a key field, and they'll find a slightly less convenient key.
Some careful wording there
Hmmm....
There is a curious anecdote involving the FBI and how they feel about these "hactivists," especially Anonymous, in an Australian TV investigative report titled "Sex, Lies and Julian Assange." See: http://www.abc.net.au/4corners/stories/2012/07/19/3549280.htm
Fast forward to the 36:00 mark to get to the curious bit in question.
Would you believe Eric Holder?
Please....
I wouldn't dream of doing that, Cabal
lol...
No I wouldn't, I think he's a racist
Not exactly comparable
This Anonymous thing seems more like an embarrassing hack. As far as tracking smartphone users, that's being done by both companies and governments, and has been for a while. If you use a smartphone, you will be tracked in some way, whether for just marketing purposes or for big brother surveillance.
JustCallYouBS
Someone needs Google training
Because your partisanship shows, JustCallYouBS
lol...
Typical internet pinhead and d-bag
And your petulant response
lol...
And your chickensh*t response
F&F