AntiSec breaches FBI laptop, warns of government surveillance
AntiSec has suggested that the FBI may be tracking the mobile device data of millions of private citizens.
AntiSec, a collaborative partnership between members of the notorious hacktivist sects Anonymous and LulzSec, has resurfaced this month to level a bold charge against one of its most formidable opponents. In its latest release to online forums, the group posted 1 million unique device identifiers (UDIDs) for iPhones and iPads and claimed to have 11 million more in its possession. But most importantly, AntiSec claims that this information was stolen from an FBI database that was likely used to track the activities of private citizens.
An ironic oversight
Although the true identities of the hackers remain shrouded in mystery, there is very much a face to associate with this controversy. According to the AntiSec post, the laptop of Supervisor Special Agent Christopher Stangl was breached in March 2012 by exploiting a Java vulnerability. One of the file folders illicitly downloaded from the machine during this attack contained a list of more than 12 million iPhone and iPad UDIDs and was labeled with an acronym (NCFTA) that suggests it was being used for the purposes of the National Cyber-Forensics Training Alliance – an FBI-associated group created to more proactively address cybercrime.
According to CNET, UDIDs are numeric codes used by application developers to help track installation and usage rates across the iOS ecosystem. Speculation has run rampant, however, as to why such a large set of these UDIDs was stored on a government computer and what they were being used for. Additionally, the files stolen by AntiSec contained zip codes, phone numbers and even street addresses.
AntiSec's account of events could hold more weight than usual, according to Ars Technica. The same month as the alleged UDID breach, hackers demonstrated their ability to subvert FBI defenses by intercepting and posting the transcript of a conference call between American and European cybersecurity intelligence experts. Also, the Java bug that ultimately allowed access to Stangl's systems was only discovered and patched by Oracle in late February, leaving several weeks in which the vulnerability could have gone unnoticed or unaddressed.
Next steps
AntiSec's primary objective in this matter seems to be raising awareness of potentially nefarious surveillance programs being conducted by the FBI. According to its online posting, the group has been consistently expressing its frustrations with the government over the past 18 months but knew it needed more substantial evidence – such as the 12 million UDIDs allegedly in its possession – before truly awakening the public to the problem.
But while effecting lasting change in government operations may be a loftier, long-term goal, there is evidence to suggest AntiSec could be making a significant impact in the private sector. Several times throughout the posting, the group mentioned its distaste for the fundamental ideas behind Apple's UDID system. And these comments come at a time when Apple is seemingly willing to respond to privacy concerns expressed by both government regulators and end users.
"In this case, it's too late for those concerned owners on the [breached] list," AntiSec representatives wrote. "We always thought it was a really bad idea. That hardware coded IDs for devices concept should be eradicated from any device on the market in the future."
As a result, the duality of AntiSec is on full display once again. While infiltrating government computer systems cannot be described as anything besides criminal behavior, the hackers – at least in their own minds – are staying true to their expressed goal of pointing out vulnerabilities in the hopes of inspiring Internet security progress.
Security News from SimplySecurity.com by Trend Micro