One million and one Apple device IDs leaked

AntiSec – part of Anonymous – obtained the data by hacking an FBI agent's laptop.

The AntiSec group of hackers – one of many spun off from the sprawling leviathan that is the Anonymous movement – have released what they claim is a set of 1,000,001 unique device identifiers (UDIDs) for iPhones, iPads and iPod touches, which were stolen from the FBI.

The release, which also contains the device names and APNS tokens (the per-device tokens Apple's push notification service uses to route notifications to a handset), is in itself a pretty big security breach. It's bigger still given the fact that the default device name for Apple products is "[full name]'s iPhone". Even worse, AntiSec claim that the data is just a small part of a much larger trove of personal information, which includes the UDIDs of 12,000,000 devices, and "full names, cell numbers, addresses, zipcodes, etc" for a smaller subset of them.

The group explain (at length) why they've leaked the data, and it boils down to trying to get people's attention that "FUCKING FBI IS USING YOUR DEVICE INFO FOR A TRACKING PEOPLE PROJECT OR SOME SHIT [sic]", though they are also aggrieved at what they call the "hypocritical attempt made by the system" to encourage hackers to sign up:

You are forbidden to outsmart the system, to defy it, to work around it. In short, while you may hack for the status quo, you are forbidden to hack the status quo. Just do what you're told. Don't worry about dirty geopolitical games, that's business for the elite. They're the ones that give dancing orders to our favorite general, [NSA's general] Keith [Alexander], while he happily puts on a ballet tutu. Just dance along, hackers. Otherwise... well...

The method by which they claim to have got hold of the data is concerning as well – quite aside from whether or not the FBI ought to have the info, if they do, one would hope that they would store it more securely:

During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team, was breached using the AtomicReferenceArray vulnerability on Java. During the shell session some files were downloaded from his Desktop folder; one of them, with the name of "NCFTA_iOS_devices_intel.csv", turned out to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc. The personal details fields referring to people appear many times empty, leaving the whole list incomplete in many parts. No other file in the same folder makes mention of this list or its purpose.

AntiSec also expressed their desire that the leak would expose the flaws with the UDID system itself. Even without any extra info leaked, that breach exposes victims to a fair degree of damage. As one programmer, Aldo Cortesi, writes:

If you use an Apple device regularly, it's certain that your UDID has found its way into scores of databases you're entirely unaware of. Developers often assume UDIDs are anonymous values, and routinely use them to aggregate detailed and sensitive user behavioural information.

Apple has spent the last year or so quietly deprecating the APIs that let developers read a device's UDID directly; but that won't prevent at least some users suffering from this leak. A number of older apps and insecure services still let users log in using just the UDID as identification, which means anyone holding the leaked list can present a victim's UDID and be treated as that device. Although this hasn't been recommended practice for some time, not everyone runs their companies the way they ought to.
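To make that last point concrete, here is an added example (my own code, not from the article or from any app it refers to) contrasting a login that treats the UDID as the credential with one that uses the UDID only as a lookup key and requires the device to prove possession of a per-device secret via a single-use challenge. The CSV-shaped sample row, the secret-issuance step and the assumption that the device keeps its secret in the keychain are illustrative assumptions, not details from the article.

```python
import hashlib
import hmac
import secrets

# Constructed sample row shaped like the fields the article says the leak contains
# (UDID, device name, APNS token). The values are made up for this example.
LEAKED_ROW = {
    "udid": "a" * 40,  # hypothetical 40-hex-character UDID
    "device_name": "Jane Doe's iPhone",
    "apns_token": "b" * 64,
}


class UdidLoginService:
    """Weak design: the UDID itself is the credential (the pattern the article warns about)."""

    def __init__(self):
        self.users = {}  # udid -> username

    def register(self, udid, username):
        self.users[udid] = username

    def login(self, udid):
        # Anyone who has read the leaked list can pass this check.
        return self.users.get(udid)


class DeviceSecretLoginService:
    """Hardened design: UDID is only a lookup key; a per-device secret proves possession."""

    def __init__(self):
        # udid -> (username, secret). In production the secret would live in an
        # encrypted store or be replaced by a device public key (assumption).
        self.devices = {}
        self.nonces = set()  # outstanding single-use challenges

    def register(self, udid, username):
        secret = secrets.token_bytes(32)
        self.devices[udid] = (username, secret)
        return secret  # handed to the device once; assumed to be kept in its keychain

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.nonces.add(nonce)
        return nonce

    def login(self, udid, nonce, proof):
        if nonce not in self.nonces:
            return None  # unknown or already-used challenge: blocks replay
        self.nonces.discard(nonce)  # consume it whether or not the proof is valid
        entry = self.devices.get(udid)
        if entry is None:
            return None
        username, secret = entry
        expected = hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, proof):
            return None
        return username


def client_prove(secret, nonce):
    """What the legitimate device computes over the server's challenge."""
    return hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()


def demo():
    udid = LEAKED_ROW["udid"]

    # Weak service: the leaked UDID alone logs the attacker in as the victim.
    weak = UdidLoginService()
    weak.register(udid, "jane")
    attacker_weak = weak.login(udid)

    # Hardened service: the attacker has the UDID but not the device secret.
    hard = DeviceSecretLoginService()
    secret = hard.register(udid, "jane")
    attacker_hard = hard.login(udid, hard.challenge(), "0" * 64)

    # The real device answers a fresh challenge correctly...
    nonce = hard.challenge()
    proof = client_prove(secret, nonce)
    legit = hard.login(udid, nonce, proof)

    # ...but replaying that same (nonce, proof) pair is rejected.
    replay = hard.login(udid, nonce, proof)

    return attacker_weak, attacker_hard, legit, replay


if __name__ == "__main__":
    print(demo())
```

The weak service fails the moment the identifier leaks, because it conflates "which device is this" with "is this really that device". The hardened version keeps the UDID purely as a database key and makes login depend on a secret that never appears in any analytics or crash-report database, which is exactly where Cortesi notes UDIDs tend to accumulate.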

Unfortunately, we won't be able to hear anything else from AntiSec until Gawker journalist Adrian Chen dresses up in a tutu with a shoe on his head. Yes, those are their demands:

no more interviews to anyone till Adrian Chen gets featured on the front page of Gawker, a whole day, with a huge picture of him dressed in a ballet tutu and a shoe on his head, no photoshop. yeah, man. like Keith Alexander. go, go, go. (and there you'll get your desired pageviews number too) Until that happens, this whole statement will be the only thing getting out directly from us. So no tutu, no sources.

The AntiSec logo, in ASCII-art form.

Alex Hern is a technology reporter for the Guardian. He was formerly staff writer at the New Statesman. You should follow Alex on Twitter.


“A disaster waiting to happen”: Can you trust the government to digitise your personal data?

Privacy and security experts warn against the lesser-scrutinised Part 5 of the Digital Economy Bill, claiming bulk data sharing could be vulnerable to hacks.

Last week, the government’s Digital Economy Bill hit the news because of a proposed ban on pornographic websites that didn’t comply with its planned age verification rules. The news was just the right amount of shocking and yes, sexy, to grab the nation’s attention, but in the meantime other parts of the Bill remained unscrutinised. A distinctly un-sexy aspect of the Bill – Part 5, “Digital Government” – aims to completely revolutionise the way your personal data is shared.

In essence, Part 5 allows the government to digitise your data and bulk-share it without informing you or asking for your permission. This data includes your birth, death, and marriage certificates, as well as information on your taxes, court appearances, benefits, student loans, and even parking tickets. If the Bill passes, your information will be shared with local councils, charities, and even businesses – initially, gas and electricity companies.

Today, the Bill will undergo its third reading in the House of Commons. Last Friday, 26 privacy experts wrote to the Daily Telegraph to call for Part 5 to be removed from the Bill due to the lack of technical and legal safeguards in place.

“It's horrid and it's complex and it's going to impact all of us,” says Renate Samson, the chief executive of Big Brother Watch, an organisation that scrutinises the government to protect individual privacy. Big Brother Watch was invited by the government to work on the Bill as part of the government’s Open Policy Making, but Samson feels it was ignored when discussing the need for strong safeguards in the Bill. “Holding civil registration documents in bulk and sharing them in bulk is without a doubt a data disaster waiting to happen.”

Samson and her team worry that the Bill does not do enough to protect our personal data. “They tell a little story in one of their documents about mothers being able to click and access their baby’s birth certificate instead of having to go and get a copy, which sounds brilliant except they haven’t defined how they’ll know the mother is who she says she is, and how she will know who she can trust on the other end,” she says. “In a perfect, idyllic utopia, it works, but it doesn’t take hacking into consideration.”

According to the National Audit Office, in 2014-15, there were 9,000 data breaches across government departments. The subsequent inquiries revealed that many officials did not know how to report a breach and there was not enough guidance for the authorities involved. “The government is already failing to look after our data,” says Samson. “Fundamentally [Part 5] will lead to data breaches. People’s data will get lost and we won't ever know how or why.”

Though the government denies it, there are additional fears that this digitisation of data is the beginning of an ID database, a policy that was scrapped in 2011. At the time, then-Home Office minister Damian Green said that ending the proposed National Identity Register demonstrated “the government’s commitment to scale back the power of the state and restore civil liberties”.

Whether or not a register is created, however, Samson and other privacy experts, as well as the British Medical Association, take issue with the fundamental justifications for bulk data sharing. “The reason that they've given for wanting to do all this is ‘wellbeing’, which is crap, frankly,” she says. “In the summer, the Scottish Parliament dropped the Named Person Scheme because the Supreme Court found that ‘wellbeing’ is simply not a strong enough reason to share people’s personal information. Of course they’re trying to do something great but they’re going about it in a really cack-handed fashion.”

One example of this is that the government intends to share your personal information with the Troubled Families programme to identify people who may be at risk. Although this is ostensibly positive, this information will also be used to determine anti-social behaviour. “On the one hand, they’re saying that they’ll make sure that families who need help will get it, but on the other, if it transpires that you’re noisy or you’re difficult on your estate, they will now share that data so you can have an Asbo.”

Fundamentally, then, although the aims of the Bill seem admirable, there are simply not enough safeguards and rules in place currently for it to safely become law. While this might partly be a simple error on the government’s part, Samson argues that the language of the Bill is “as open and broad and woolly as you can possibly imagine”, causing concern about how it might actually be used in practice. In theory, hundreds or thousands of businesses and authorities could have access to your data without your consent.

“No one is opposing the idea of data sharing,” says Samson, “But a) tell us why, b) keep us informed if you’re using our data, and c) let us control our data. That’s the only way this is all going to move forward.”

Amelia Tait is a technology and digital culture writer at the New Statesman.