iPhone, iPad security breach claimed

September 4, 2012, 7:47 pm
(NECN: Peter Howe, Boston) - If you own an Apple iPhone or iPad, it’s possible information about your device is now floating around the Internet in ways that hackers could use to target you with a highly personalized, credible identity-theft scam.

Late Monday, hacker group AntiSec said it had taken 12.3 million "unique device identifier" numbers from an FBI agent’s computer, accompanied by lots of e-mail addresses and phone numbers and other identifiable personal information, and posted 1 million of them on the Web to document the risk. AntiSec speculated that the "FBI is using your device info for a tracking people project or some [expletive]."

The IDs are 40-character codes, kind of like a vehicle identification number on your car or truck, that are the unique digital fingerprint of your iPhone or iPad. Despite warnings it opens up significant security and privacy risks, the alphanumeric codes have also come to be widely used by application developers as ID cards for people using smartphone apps, so a hacker who knows your UDID could also obtain extensive information about websites or online services you’ve used with that UDID number.

Late Tuesday, the FBI said:  "At this time, there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data."

However, numerous technology websites reported that UDIDs posted by AntiSec are real, indicating that some number of the ID numbers have, whether from the FBI or elsewhere, been gleaned and aggregated.

"There’s an enhanced risk of fraud now with this breach," said Sarah Downey, online privacy analyst with Abine, a Boston internet security firm. While just knowing a device number alone won’t directly lead to, say, a hacker stealing your identity or breaking into your bank account, it’s a key starting point.

"Because of this breach, app developers or hackers have the means to really hyper-target people with fraudulent attacks," says Downey, by cross-referencing UDIDs with other information available from data-mining companies. "If you have one piece of information, and you can tie it to these other pieces, you're very, very close to accessing somebody's bank account or committing identity theft against them."

Website TheNextWeb.com is among many places offering a secure way for you to cross-check your UDID number against the list published by AntiSec.

Mike Tuchen, CEO of Rapid7, a Boston firm that analyzes network-security risks for companies and organizations, said if your device shows up on the list, you’re stuck with a permanently compromised device because the ID number can’t be changed in the device.

"You might want to talk to Apple to see if you can swap your device for another one given that you've been compromised," Tuchen said. "For that one device, there's nothing that you can do."

By airtime, Apple had made no comment on the situation, which comes a week before it’s set to roll out the iPhone 5 to huge hype – with the likelihood not many people will refuse to buy an iPhone 5 because of perceived security risks around Apple products.

Despite the FBI’s apparent blanket denial of AntiSec’s explanation of how it came to be in possession of 12 million UDIDs, speculation was rampant Tuesday about whether it reflected some new program of FBI monitoring of certain people’s communications, Apple acceding to a government request for communications data (which companies like AT&T and Verizon do thousands of times a day), or something else.

"Are they starting some sort of broad surveillance program for people with Apple mobile devices? That's one area of speculation that may or may not be true," Tuchen said. Another possibility, he said, is the agent from whose computer AntiSec said it took the information "may've actually been investigating someone else's breach. Someone else may have actually lost these 12 million ID's, and he had it on his machine as some of the evidence that he was collecting."

While the "FBI got hacked" angle of the story now hangs in dispute, all signs are that for some number of iPhone and iPad owners, there are now good reasons to worry that a key piece of information hackers could use to build a personalized scam against them is now out in public.

With videographer Dan Valente.

Tags: Apple, Peter Howe, hackers, hacking, information, Federal Bureau of Investigation, AntiSec, personalized scams, Apple IDs, Apple products