Once in a while, I come across a situation that has me scratching my head. The story of the alleged breach of an FBI laptop and the alleged theft and publication of the unique device identifiers (UDIDs) of 1 million iPhones and iPads may be one of the biggest head scratchers of all.
As Chris Valasek, senior security research scientist at Coverity, described it to me:
There appears to be a recent leak of Apple UDIDs. These identifiers are unique to an individual Apple device and cannot be changed. Many are concerned about having their UDIDs exposed. So exactly how worried should you be? The answer is, slightly concerned. Many times developers incorrectly use a user’s UDID to do certain types of tracking or worse, authentication. Having someone’s UDID alone does not permit an attacker to actively attack and control your phone. There may be personal privacy concerns, such as location tracking or account hijacking, but while a dump of UDIDs is not good it should not provoke panic.
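To make the authentication misuse Valasek mentions concrete, here is an added example (not code from this column, from Coverity, or from any real app) that compares two toy backends: one that trusts a request because it carries a registered UDID, and one that issues a random, revocable session secret and treats the UDID as nothing more than a device label. The leaked identifiers are constructed placeholders in UDID shape, and the password check is abstracted to a boolean.

```python
import hmac
import secrets

# Constructed identifiers in UDID shape (40 hex chars); not real values.
LEAKED_UDIDS = ["0" * 39 + "1", "0" * 39 + "2"]


class UdidAuthService:
    """Mistaken design: the immutable device identifier is the credential."""

    def __init__(self):
        self.accounts = {}  # udid -> username

    def register(self, udid, username):
        self.accounts[udid] = username

    def whoami(self, presented):
        # Whoever knows the UDID is treated as the account owner.
        return self.accounts.get(presented)


class TokenAuthService:
    """Hardened design: a server-issued random secret is the credential;
    the UDID is at most a device label and is never checked for identity."""

    def __init__(self):
        self.sessions = {}  # token -> username

    def login(self, username, credentials_ok):
        # The real password/OAuth check is abstracted to a boolean here.
        if not credentials_ok:
            return None
        token = secrets.token_hex(32)  # 256-bit random, unguessable
        self.sessions[token] = username
        return token

    def whoami(self, presented):
        for token, user in self.sessions.items():
            if hmac.compare_digest(token, presented):  # constant-time compare
                return user
        return None

    def revoke(self, token):
        # A leaked token can be invalidated; a leaked UDID never can.
        self.sessions.pop(token, None)


def accounts_exposed_by(service, leaked_ids):
    """Accounts a holder of only the leaked identifiers could impersonate."""
    return sum(1 for i in leaked_ids if service.whoami(i) is not None)
```

Running `accounts_exposed_by` over the same leaked list against each service shows the difference: every account keyed on a leaked UDID is exposed, while the token-based service exposes none, because the dump contains no server-issued secrets.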
OK, it appears that the breach is legitimate. But did it come from the FBI? The FBI is denying it. PC World printed the official statement from the FBI:
The FBI is aware of published reports alleging that an FBI laptop was compromised and private data regarding Apple UDIDs was exposed. At this time, there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data.
Rob Rachwald, director of security strategy, Imperva, thinks the breach did involve the FBI because the agent implicated in the breach isn’t an ordinary agent. His job is to recruit white hat hackers to work for the FBI. Rachwald also thinks the data that was reported as breached is authentic.
Bring in Scully and Mulder from the “X-Files” because the truth is out there. What that truth is, we don’t know right now, and I wonder what the security implications might be without it. If a laptop was stolen and breached, what other information might have been stolen? And have only 1 million UDIDs been released?
As we try to figure out what the heck happened, Rachwald made a very good observation. This is a whole new angle on hacktivism. He said in his blog post:
This breach resembles a new innovation by hacktivists. Specifically, they targeted an individual in the same way government-sponsored hackers (a.k.a., APT hackers) would attack. Sure, Anonymous/Lulzsec targeted HB Gary in the past but we haven’t seen this type of attack reappear until now. Is this part of a broader trend of hacktivists expanding their attack methods? Could be. For example, the recent Saudi Aramco breach used malware, a type of attack not normally associated with hacktivists.
It’s something to keep an eye on.