CYBEREYE

FBI, Apple leave users vulnerable after alleged AntiSec hack

If you use an Apple iOS device, you probably have asked yourself if unique identifiers for your device are included among a group of 12 million that the hacktivist group AntiSec this week claimed to have stolen from an FBI laptop. And you probably haven’t gotten much help from either the FBI or Apple.

Not to worry. There are sites popping up to help you find out if you are among the compromised.

“To check your device, just input your UDID (Unique Device Identifier)/UUID (Universally Unique Identifier) into the form and we’ll run it against the database” of exposed numbers, one site offers.


Related:

Dem, GOP platforms expose divide over cyber defense


Call me cynical, but if you are worried that identifiable information from your device has been stolen and exposed by hackers I don’t think it is a good idea to submit that information to strangers through an unsecured Web site.

The site in question appears to be legitimate, and users are advised that the information they submit is not encrypted and warns them not to use their entire identifier if they are concerned about security. But without using the entire identifier, it is difficult for the user to be sure of the results of the search. The user also has no way to determine if the site he is using for advice is legitimate or is just phishing for their info.

Another problem: AntiSec claims to have posted only about 1 million of more than 12 million stolen records, so even if you download the list yourself there still are more than 11 million that can’t be checked.

What have the FBI and Apple done to ease these concerns? So far, very little. The FBI has issued a non-denial denial, saying that “at this time, there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data.” This is not an outright “no,” and the feds leave open the door that they could confirm this at some other time.

Some analysts think it is likely that the breach is real because of the details provided by the hackers and the difficulty of convincingly faking the large volume of identifiers they have released.

Apple on Wednesday afternoon belatedly issued a statement to the website AllThingsD saying only that it didn't give the FBI any identifiers and that the FBI hadn't asked for any. That's something, but it doesn't answer the whole question.

What should the FBI and Apple do? At the least, come clean — especially the FBI — with a clear, unambiguous statement about whether the breach is real, and, if it is, tell users about whether their device info has been compromised and offer advice about what they can do about it. Leaving users in the dark creates more risks that we shouldn’t have to worry about.

Reader Comments

Fri, Sep 7, 2012 Editor

Editor's note: To the reader who asked about the risk of having a UDID stolen. If this breach did occur, the real risk would likely be in what the hackers did not release. AntiSec has claimed that the information they took included user names, cell phone numbers, addresses and other device information, along the the UDIDs. They released just the purported UDID numbers as evidence that the hack took place.

Fri, Sep 7, 2012

The press has made a big deal out of this but no one has explained to me what is the risk of someone having my UDID. I understand the consequences of someone gaining access to my login ID/Password to my bank account, my credit card information or my iTunes id/password; but what damage is done by someone having my UDID?

Thu, Sep 6, 2012 DC

Please read the article before commenting. Nowhere does it say that anyone hacked the FBI or Apple server. It says "FBI laptop was compromised"

Thu, Sep 6, 2012

Thing is, if you are familiar with phone ID construction, you can generate these numbers on your own and then claim to have "hacked" them out of a company's servers. The hackers would have had to have provided evidence that they had names of account holders or phone owners attached to these numbers in order to show that they really did hack into either the FBI's or Apple's servers.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above