Allegedly, 1M of 12M stolen iPhone Unique Device IDs (UDIDs) have been released into the wild. These IDs, by themselves, are one factor in a multi-factor security process tied to other systems, but their release into the wild removes an entire level of security on iPhones. What is more troubling is that these IDs came from a notebook computer owned by an FBI agent (why they had those remains a big question), and that the notebook was compromised using a known Java vulnerability.
Given that the IDs alone aren’t very useful, it shouldn’t be surprising that this laptop also contained usernames, zip codes, addresses and other information, which, combined with the IDs, might make them far more useful for stealing a user’s identity, gaining access to a bank account or corporate user account, and breaching security. AntiSec has apparently gone to war with the FBI (this is sourced to them) and it would likely have been wise for the FBI to stop doing stupid things with secure data before effectively challenging this group to a duel.
There are a lot of cautions here; let’s go through some of them.
It is an issue that law enforcement had collected these iPhone IDs (without apparent warrant) and co-located them with other information that could be used to breach privacy, and it is negligent that they didn’t adequately secure the result. Recognize that AntiSec is out to embarrass the FBI, but a normal criminal organization, or foreign hostile government, that likely has gained similar access, wouldn’t be motivated to announce it had acquired the data. It would instead sell or exploit it. Also recognize that this means that the disclosed data likely is only the tip of the iceberg.
In short, I think the prudent position is to just assume identity information has been broadly compromised and is in the hands of organizations or people who may want to do us harm and that it is our tax dollars that likely funded this problem.
The biggest issue here is that this data wasn’t kept secure and agents were allowed to download it onto laptops, which do not have adequate security to protect data that could be used to create a national threat. There is no legitimate reason why data of this type shouldn’t be protected on a host, protected with RSA-level security and monitored to flag any large-scale access to it.
By their nature, most smartphones and personal devices (like tablets) are relatively insecure, largely because they focus on ease of use and consumer tasks that don’t work well with multi-factor security methods and generally don’t require them.
There has been a move to make smartphones a factor in financial transactions and even with this breach they are likely still in line with a credit card number for this task. But, like credit cards, they shouldn’t be the only factor for large-scale transactions and they should also be monitored for high volumes of small ones, particularly if these transactions occur online.
Panasonic has stepped out from the tablet crowd to create and market a tablet designed to be secure with its ToughPad, and RIM continues as the only smartphone vendor of scale focused on creating a secure solution. Both may provide better alternatives to consumer-based hardware in the market and, while the trend is away from RIM at the moment, maybe it would be wise to pause for a moment and think before you leap. This latest exposure showcases just how unwise it is to use a consumer device for any kind of secure transaction or to hold confidential information.
Hosting the information or using desktop virtualization not only helps with this mess of consumer devices that have come to market, but it also provides an avenue to protect the information. I spoke on this topic last week and on the EMC/Cisco solution that appears to be uniquely tuned for these third-party products.
I don’t know what upsets me personally more: that the FBI got this information or that it didn’t adequately protect it. I’m of the age where you were only allowed to acquire personal information in connection with an actual case and this broad breach of privacy scares me deeply. However, no matter how we get there, this also once again reminds us that secure data should not be kept on client devices and that the device itself can only be a factor in a multi-factor authentication process and never should be the only factor.
At the very least, if you were madly looking forward to swapping your BlackBerry for an iPhone 5, you might want to take a breath and consider who else will likely know your personal business.