Welcome Guest | Sign In

Anonymous Dumps Trove of 1 Million Stolen Apple IDs

By Richard Adhikari TechNewsWorld ECT News Network
Sep 4, 2012 12:46 PM PT

The hacktivist group Anonymous has published 1 million universally unique identifiers (UDIDs) belonging to Apple devices.

Anonymous Dumps Trove of 1 Million Stolen Apple IDs

These were among more than 12 million UDIDs stolen from the laptop of FBI Special Agent Christopher K. Stangl, the group said.

Anonymous deleted personal data, including the names, mobile phone numbers, addresses and ZIP codes of the devices' users before releasing the data on the Internet.

However, the hacker collective left enough information to help users check to see whether their UDIDs were among those the FBI had. It also included device tokens for mobile hackers' possible use.

Targeted Attack

However, the video appears to have been taken down.

Anonymous members gained access to Stangl's Dell Vostro Notebook in March using the AtomicReferenceArray vulnerability in Java, the group said.

A video on this vulnerability was released in March on the Real Hacker blog.

The release of the UDID data was meant to expose the FBI's gathering of data on American citizens, Anonymous stated.

The UDID Dilemma

UDIDs are tied to specific devices, which means that once the device is upgraded, lost or stolen, it cannot be tied to the user any more. On the other hand, possession of a device's UDID does expose lots of information about its user. Stangl's lists had users' personal data tied to the UDIDs, for example.

However, the problem may be confined to older iDevices -- Apple in March began rejecting apps that use UDIDs, and began phasing out developer access to UDIDs with iOS 5, released in May, sparking discussion on Quora forums.

"The average user is probably not going to be at very much risk," Randy Abrams, a research director at NSS Labs, told TechNewsWorld. "However, in a targeted attack, the data could be used by sophisticated attackers to perform impersonation attacks."

Neither Apple nor the FBI responded to requests for comment on the incident.

Keeping America Safe

Java vulnerabilities have been exploited in a number of data breaches, and perhaps the FBI should have been aware of this and acted accordingly.

"Recognizing that Java makes a device vulnerable would have implied that the agent would have then known not to keep Java on the device, or else not put sensitive information on the device," NSS Labs' Abrams said.

"Organizations really need to assess their need for Java, keep important data away from devices with Java, and figure out a timely migration strategy."

Facebook Twitter LinkedIn Google+ RSS
How do you feel about accidents that occur when self-driving vehicles are being tested?
Self-driving vehicles should be banned -- one death is one too many.
Autonomous vehicles could save thousands of lives -- the tests should continue.
Companies with bad safety records should have to stop testing.
Accidents happen -- we should investigate and learn from them.
The tests are pointless -- most people will never trust software and sensors.
Most injuries and fatalities in self-driving auto tests are due to human error.