FBI hack would pose 'medium' risk to iPhone users

Hackers say they have published on the web the unique identification numbers of one million iPhones and iPads, posing what one expert said would be just a medium risk to some users of the devices.

The unique device identifiers (UDIDs) were allegedly taken from 12.4 million numbers stolen from the laptop of an FBI cyber-security agent, said a person who claimed to be from AntiSec, an affiliate of the anti-government hacktivist group Anonymous.

Instructions on where to find and how to decrypt the data dump were on the site Pastebin.

The FBI has released a statement denying the theft. "The FBI is aware of published reports alleging that an FBI laptop was compromised and private data regarding Apple UDIDs was exposed," the agency said. "At this time, there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data."

[In depth: Mobile device security: 5 questions to ask when creating policy (includes video)]

AntiSec claimed it stole the information in March via a Java vulnerability in the Dell Vostro laptop used by Christopher Stangl, an agent with the FBI cybersecurity team in New York. Stangl appears in a 2009 recruitment video encouraging cybersecurity experts to join the FBI.

The motive for the hack was to draw attention to the FBI's gathering of such tracking information.

"We have learnt it seems quite clear nobody pays attention if you just come and say 'Hey, FBI is using your device details and info," the Pastebin post said.

While only Apple would know for sure whether the UDIDs were authentic, data protection firm Imperva said it believed the data was real. "The structure and format of the data indicates that this is a real breach," Rob Rachwald, director of security for Imperva, said in a blog post. "It would be hard to fake such data."

The hacktivist group claimed it stripped the UDIDs of most of the associated personal information, such as names, cell phone numbers, addresses and ZIP codes. However, having such information made it possible to monitor users' online activity, and, possibly, their location.

"With the full information that hackers claim to have, someone can perform this type of surveillance," Rachwald said. "This implies that the FBI can track Apple users."

Cybercriminals with only the UDIDs would find it more difficult to steal from users. Starting with iOS 5, released nearly a year ago, Apple stopped giving developers access to the data, which they had used to identify users in apps or mobile ad and game networks.

Therefore, the greatest risk was to people still using iPhones that do not support the operating system, which includes the iPhone 3G and older models. Such users could have their Facebook or Twitter accounts hacked, said Daniel Ford, chief security officer for mobile security vendor Fixmo.

Another possible scenario would be to push a malicious application onto the phone using the same tools developers use to test apps on iPhones, said Lee Cocking, vice president of corporate strategy for Fixmo. If a person clicked on the app's icon, then the smartphone could become infected with data-stealing malware. The risk of such an infection would be greatest for jail broken iPhones.

While possible, neither scenario was likely. "I would be putting this in the medium [category,]" Ford said, basing his assessment on the vulnerability rankings set by the National Institute of Standards and Technology. "There is certainly something there. There is certainly something that's exploitable. But how damaging it could be is unknown."

Read more about wireless/mobile security in CSOonline's Wireless/Mobile Security section.

Show Comments