Alleged FBI Hack: Much Ado about NothingWhy Infosec Practitioners Shouldn't Worry about Theft of Apple IDs
Owners of Apple iPad, iPhone and iPod Touch devices whose unique device identifiers might have been exposed in an alleged breach of an FBI computer would face little, if any, potential harm as a result, some security experts say.
The Anonymous-affiliated hacktivist group called AntiSec claims it breached last spring the computer of an FBI agent and downloaded 12 million Apple unique device identifiers, or UDIDs, a string of 40 characters given to each Apple mobile device. AntiSec claims it posted 1 million UDIDs on the website Pastebin.
[The New York Times reported Sept. 10 that a company in Orlando, Fla., BlueToad, was the source of a file hackers posted online that contained the UDIDs. BlueRoad, which works with publishers to translated printed content into digital formats, says hackers had breached its system more than a week ago and stolen the files, the paper reported.]
A hacker with a UDID wouldn't be able to breach the device without other forms of authentication, such as a password and encrypted key. "Unless you have the other two steps, it's really not going to help you a whole lot," says former CIA Chief Information Security Officer Bob Bigman, who runs the IT consultancy 2BSecure.
UDIDs identify specific devices and are used to synchronize e-mail, music or security patches when an Apple mobile device is linked to a computer, though it also can be used as one of three forms of identification to gain access to the device. Apple plans to phase out UDIDs, according to a number of published reports.
Although this specific alleged breach shouldn't pose a security problem for most organizations - few support Apple mobile products - it does send a signal to security leaders that they should review their practices to prevent such intrusions.
Dwayne Melancon, chief technology officer at Tripwire, a provider of IT security and compliance solutions, says the same kinds of weaknesses that could have allowed hackers to pilfer UDIDs from a laptop computer could be used to steal similar types of sensitive data.
"Do we have the same kind of weakness that they exploited in this case to get that information?" Melancon says. "You should reevaluate your security posture and see where you can strengthen controls to make it less likely that they'll use that same tactic to get access to other information."
Weighing Claims about What Happened
When this story broke earlier this week, it raised a significant question: Did hacktivists breach the FBI computer? AntiSec claims in an Internet posting that during the second week of March it hacked into the notebook computer of an FBI supervisory special agent it identifies as Christopher Stangl and downloaded a file that listed nearly 12.4 million Apple iOS devices and included UDIDs, user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses and other data.
But, in a statement issued Sept. 4, the FBI said: "At this time, there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data." And an Apple spokeswoman tells the Los Angeles Times: "The FBI has not requested this information from Apple, nor have we provided it to the FBI or any organization."
The Los Angeles Times report says some security experts believe the computer of an application developer who had access to the Apple UDIDs, and not the one used by the FBI agent, might have been the hackers' target.
Still, some security experts clearly see the FBI as being the victim of the digital assailants. In a blog, Rob Rachwald, the director of security strategy at application and data security provider Imperva, suspects the breach occurred because the FBI agent is real and the downloaded files seems authentic.
Tripwire's Melancon says he finds claims by hacktivists of the likes of AntiSec, Anonymous and LulzSec to be believable. "I definitely don't approve of their tactics, but I usually think when they report and disclose things it's pretty credible," he says. "They put a lot of things on Pastebin and other sites, so you can actually take a good look at it and see they got what they said they got."
However, Bigman remains skeptical. The former CIA CISO questions why the FBI would have - or want - 12 million UDIDs. He suspects that if the breach occurred, it might not have been hacktivists, but cyberthieves behind it, adding: "The more I think about this, it could be part of a larger phishing or other type of event we haven't yet seen."