The iPhone is by far the most secure device around. But please don’t be complacent, as criminals, governments and criminal governments work really hard to subvert device security, no back door required.
Big brother data
We already know the surveillance arsenal includes fake cellphone masts, dodgy exploits delivered through doctored cables and complex packet injection attacks.
Now Der Spiegel has revealed additional techniques in its latest leak from Edward Snowden, a GCHQ document called "iPhone target analysis and exploitation with unique device identifiers."
This shows agencies have been using device UDID numbers to help them keep track of individuals who may have hit their surveillance lists.
These surveillance lists seem rather extensive: In 2012, activist hackers from AntiSec published 1,000,001 UDIDs, saying these were extracted from a list of 12 million UDID numbers they had stolen from the FBI.
(They claimed the list included user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses and more.)
The agency denied the claim and a relatively unknown firm called Blue Toad eventually claimed it had lost this data (which doesn’t really explain why it had it).
Apple has now ceased using UDID in its devices in order to protect customer privacy.
UDID IT?
Der Spiegel reveals three ways in which GCHQ could exploit UDID:
- GCHQ would use the UDID number to track the device as it synced with a GCHQ-compromised computer.
- The agency could track the user’s Safari sessions using UDID and its own Safari exploit.
- It could track events as data using the UDID number as it was transferred to ad-tracking agencies such as AdMob.
GCHQ would be able to identify the user by correlating their device number, which it acquired in some cases at the time the person purchased the device, presumably by tracking their payment card.
Security consultant Aldo Cortesi in 2011 showed that the way some gaming apps used UDIDs for authentication made it possible to take over a person’s Facebook or Twitter account.
Privacy controls
Given the deep information sharing arrangements that exist between the US, UK and other security services, it seems reasonable to assume they all use similar exploits. The NSA has certainly used similar tricks to compromise ad cookie networks in order to track users across the Web.
Apple no longer uses UDID in its devices in order to better maintain user privacy – though this has upset advertisers, who prefer Google’s more laissez-faire approach to customer privacy.
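An added illustration (not from the original article, Der Spiegel or Apple) of why one device-wide identifier makes correlation trivial, using the three collection points listed above. The `scoped_id` function, the on-device secret and every sample value are assumptions constructed for this example; it does not describe Apple's actual replacement for UDID.

```python
import hashlib
import hmac
import secrets

# Constructed sample values; none of this is real device data.
UDID = "0f1e2d3c4b5a69788796a5b4c3d2e1f001234567"
SOURCES = {                      # the three collection points listed above
    "desktop-sync": "device synced",
    "safari-session": "page viewed",
    "ad-network": "ad impression",
}


def scoped_id(device_secret: bytes, scope: str) -> str:
    """Hypothetical per-scope identifier: HMAC-SHA256(secret, scope).

    The secret never leaves the device, so an observer holding one scope's
    identifier cannot compute the identifier used in another scope.
    """
    return hmac.new(device_secret, scope.encode(), hashlib.sha256).hexdigest()[:40]


def observe(identifier_for):
    """Records as a collector sees them: (source, identifier, event)."""
    return [(src, identifier_for(src), event) for src, event in SOURCES.items()]


def link(records):
    """Group records by identifier, as a join on that column would."""
    profiles = {}
    for source, ident, event in records:
        profiles.setdefault(ident, []).append((source, event))
    return profiles


def largest_profile(records) -> int:
    """Size of the biggest cross-source profile the identifiers allow."""
    return max(len(events) for events in link(records).values())


def demo():
    secret = secrets.token_bytes(32)             # assumed to stay on the device
    global_view = observe(lambda src: UDID)      # same UDID everywhere
    scoped_view = observe(lambda src: scoped_id(secret, src))
    return largest_profile(global_view), largest_profile(scoped_view)


if __name__ == "__main__":
    print(demo())
```

With the shared UDID all three records collapse into one profile; with scoped identifiers each source sees an unrelated value and the join yields nothing larger than a single record.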
The Der Spiegel report tells us agencies routinely use keyloggers to collect information. To reduce the evidential footprint of their actions, they also often use unwitting third parties to carry data from place to place, placing the information on those people's devices only to remove it at a later point.
The latter is a particular threat to large enterprises seeking to keep business secrets, and undermines the potential of the cloud devices and services most major tech firms are currently betting their future on.
This is the context in which demands from security agencies for a dilution in mobile device security – principally Apple’s – need to be understood.
Tim Cook’s going to be under pressure. Given Apple this morning published a picture of Dr. Martin Luther King Jr. on its Website, with the phrase: "Today we reflect on the life and vision of Dr. Martin Luther King Jr. and the work that continues in service of the broader concerns of humanity," it will be interesting to see what Apple does in this.