Monday, September 10, 2012

Florida publishing company says Apple device IDs leaked by Anonymous were stolen from its servers

BlueToad.com's CEO, Paul DeHart talks with NBC's Kerry Sanders about a security breach at the company.

By Kerry Sanders and Bob Sullivan, NBC News

A small Florida publishing company says the million-record database of Apple gadget identifiers released last week by the hacker group Anonymous was stolen from its servers two weeks ago.  The admission, delivered by the company’s CEO exclusively to NBC News, contradicts Anonymous' claim that the hacker group stole the data from an FBI agent's laptop in March.

Anonymous’ accusations garnered attention because they suggested that the FBI was using the unique gadget identifiers -- called UDIDs -- to engage in high-level spying on American citizens via their iPhones, iPads, and iPod Touch devices. The FBI denied the claim last week and, when asked to comment for this story, referred to that denial.

Paul DeHart, CEO of the Blue Toad publishing company, told NBC News that technicians at his firm downloaded the data released by Anonymous and compared it to the company's own database. The analysis found a 98 percent correlation between the two datasets. 

"That's 100 percent confidence level, it's our data," DeHart said. "As soon as we found out we were involved and victimized, we approached the appropriate law enforcement officials, and we began to take steps to come forward, clear the record and take responsibility for this.”

DeHart said an outside researcher named David Schuetz contacted his company last week and suggested the data might have come from Blue Toad. The company's forensic analysis then showed it had been stolen "in the past two weeks." He declined to provide further details, citing an ongoing investigation.

“I had no idea the impact this would ultimately cause,” DeHart continued. “We're pretty apologetic to the people who relied on us to keep this information secure."

DeHart said he could not rule out the possibility that the data stolen from his company’s servers was shared with others, and eventually made its way onto an FBI computer.  He also said that he doesn’t know who took the data.

The discovery of the theft casts serious doubt on Anonymous’ claims that the data came from the FBI, and was pilfered in March.

"Timing-wise, (their) story doesn't make sense," he said.

Both Apple and the FBI were quick to deny that they were conspiring to use UDIDs to track U.S. citizens; the FBI said it never had the data, and Apple said in a statement it had never given the data to the FBI.

"As an app developer, BlueToad would have access to a user's device information such as UDID, device name and type," Apple spokeswoman Trudy Muller told NBC News on Monday. "Developers do not have access to users' account information, passwords or credit card information, unless a user specifically elects to provide that information to the developer."

Blue Toad is a little-known privately held company, but its technology touches millions of users around the world.  It provides private-label digital edition and app-building services to 6,000 different publishers, and serves 100 million page views each month, DeHart said. He declined to discuss business partners, but said the list of clients includes household names.

DeHart said his firm would not be contacting individual consumers to notify them that their information had been compromised, instead leaving it up to individual publishers to contact readers as they see fit.

Schuetz, the researcher who discovered the source of the data, told NBC News that he was able to determine that Blue Toad was the source of the leak by tying together clues within the leaked data. In addition to the UDIDs, the data leaked by Anonymous also included the name given to each gadget by its owner.

“I spent most of Tuesday evening obsessing over this,” said Schuetz, who works for the Intrepidus Group, a New York-based mobile device security consulting firm.

Schuetz said that after poring over the information, he found numerous devices within the data whose names included the phrase Blue Toad or variations of it, such as “Blue Toad support.” Some of the gadgets’ names also suggested they belonged to various departments within Blue Toad and were shared among multiple employees.

“What I was seeing was that there were -- of the million devices that were in there -- there were a few devices that showed up multiple times with themes that were related to Blue Toad,” he said. “By the time I was done, late Tuesday night, I think I had 19 devices that … all belonged to Blue Toad,” he said. He contacted the company soon after.
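The two checks described in this story, Schuetz's search of the dump for device names tied to one organization and repeated devices, and Blue Toad's comparison of the dump against its own records, can be reduced to a small attribution script. This is an added example, not code from NBC News, Schuetz or Blue Toad; the dump format (one "udid,device name" line per record), the 40-hex-character identifier shape, and all sample values are constructed here for illustration.

```python
import hashlib
import re
from collections import Counter

def fake_udid(label):
    """Constructed 40-hex identifier in UDID shape (a SHA-1 hex digest); not a real device."""
    return hashlib.sha1(label.encode()).hexdigest()

# Constructed leak sample: "udid,device name" per line, the two fields the article says the dump carried.
LEAKED_DUMP = "\n".join([
    fake_udid("dev1") + ",Blue Toad support",
    fake_udid("dev2") + ",John's iPhone",
    fake_udid("dev1") + ",Blue Toad support",      # same device appearing twice
    fake_udid("dev3") + ",BlueToad QA iPad",
    fake_udid("dev4") + ",Maria's iPad",
    fake_udid("dev5") + ",bluetoad sales",
    "not-a-udid,garbage line",                      # malformed line, should be skipped
    fake_udid("dev6") + ",Kitchen iPod",
])

# Constructed stand-in for the suspected company's own records (5 of the 6 distinct devices).
OWN_DB = {fake_udid(f"dev{i}") for i in (1, 2, 3, 4, 5)}

UDID_RE = re.compile(r"^[0-9a-f]{40}$")

def parse_dump(text):
    """Return (udid, device_name) pairs, skipping lines that are not identifier-shaped."""
    records = []
    for line in text.splitlines():
        udid, _, name = line.partition(",")
        udid = udid.strip().lower()
        if UDID_RE.fullmatch(udid) and name.strip():
            records.append((udid, name.strip()))
    return records

def normalize(name):
    """Lowercase and drop punctuation/spaces so 'Blue Toad', 'BlueToad' and 'bluetoad' compare equal."""
    return re.sub(r"[^a-z0-9]", "", name.lower())

def attribution_clues(records, org_term):
    """Devices whose owner-given names reference the organization, and UDIDs seen more than once."""
    term = normalize(org_term)
    named = {u: n for u, n in records if term in normalize(n)}
    counts = Counter(u for u, _ in records)
    repeated = {u: c for u, c in counts.items() if c > 1}
    return named, repeated

def overlap_ratio(records, own_udids):
    """Fraction of distinct leaked identifiers that also appear in the organization's own records."""
    leaked = {u for u, _ in records}
    return len(leaked & own_udids) / len(leaked) if leaked else 0.0

if __name__ == "__main__":
    recs = parse_dump(LEAKED_DUMP)
    named, repeated = attribution_clues(recs, "Blue Toad")
    print(len(named), "org-named devices;", len(repeated), "repeated UDIDs;",
          f"{overlap_ratio(recs, OWN_DB):.0%} of leaked identifiers found in own records")
```

On real data the overlap ratio is the figure to report (the article's "98 percent"), while the name and repetition clues only justify which organization to ask in the first place.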

The UDID -- which stands for Unique Device Identifier -- is present on Apple iPads, iPods and iPhones, and is similar to a serial number. During the past year, researchers have found that many app developers have used the UDID to help keep track of their users, storing the data in various databases and often associating it with other personal information. When matched with other information, the UDID can be used to track users' app usage, social media usage or location. It could also be used to "push" potentially dangerous applications onto users' Apple gadgets.

There is debate about how dangerous the release of the UDID data is without the other information. DeHart said he knew of no practical malicious use for the leaked data.

"Honestly, the UDID information by itself isn't harmful, as far as we know," he said.  "I can’t say anything is impossible, but the reality is, to push notifications to a device, you need certain keys, certain Apple credentials. You have to have a developer’s account with Apple. … So there are lots of processes in place, measures to keep the average ‘anybody’ from being able to take UDIDs and begin doing something with that information."

There is no way for users to check to see if their UDID information has been collected by Blue Toad, DeHart said.  He recommended that concerned Apple users visit websites that have created search engines where users can see if their UDID is in the data dump, such as this one.  But he said consumers should not overreact to news of the leak.

“I would hate to suggest that they need to go out and begin clearing off their device or removing or deleting apps-- just because of the concern that this,” he said. "Check one of these sites to see if your UDID was part of the database dump.  And if it is, use your own personal discretion on what you think is appropriate.  … One of the best things you could do at the moment is go in and upgrade that app if there's an upgrade available for it.”

Updating is important because, seeing the potential privacy issues, Apple earlier this year advised developers to discontinue use of the UDID to track users.  Blue Toad no longer uses UDIDs in its software, DeHart said, and updated versions of its software don’t collect it.

Aldo Cortesi, a security researcher who has been crusading against use of UDIDs for some time, disagreed with DeHart and said the release of the data represents a great risk to users. Cortesi has previously used UDIDs to log into consumers’ gaming accounts, access contact lists, and connect the ID numbers to real identities. He was then able to hijack device owners’ Twitter and Facebook accounts.

“The concern is that there may be a UDID-related problem out there of the kind I've described, which could now be exploited at a massive scale, by someone armed with a million UDIDs,” he told NBC News. “The type of information I was able to access would have been very valuable to scammers and identity thieves, for instance. With mischievous entities like Antisec and Anonymous about, you can even envision a massive public dump of users' private information, just for  the hell of it. We just don't know what the full impact might be.”

Users who are concerned their UDID might be in the leaked list really don’t have any good options for dealing with the issue; generally, the UDID cannot be changed the way a user might change a password after it has been stolen by hackers.

“There's nothing you can do.  The UDID is permanently burned into the device,” Schuetz said.

He was measured in his assessment of the risk, saying the UDID was only one piece of information hackers might need to attack users.

“A journey of 1,000 miles starts with one step,” he said. “This could be the first step to a thousand-mile hack on a million different people.”

The hacker group Anonymous announced the release of the data on Sept. 3 from its Twitter account, giving instructions on how to obtain the database. The instructions were accompanied by a statement accusing the FBI of using UDIDs to track Americans; in fact, the writer of the message said the data was being released solely to call attention to FBI surveillance. Those statements drew the most attention after the release.

"Why exposing this personal data? ... We have learnt it seems quite clear nobody pays attention if you just come and say 'hey, FBI is using your device details and info and who the f&&& knows what the hell are they experimenting with that', well sorry, but nobody will care," says the Anonymous writer, in typical broken English. "So without even being sure if the current choice will guarantee that people will pay attention to this F&&& shouted 'F&&& FBI IS USING YOUR DEVICE INFO FOR A TRACKING PEOPLE PROJECT OR SOME S&&& well at least it seems our best bet."

Schuetz, who discovered the source of the leaked data, said he couldn’t say conclusively whether Anonymous’ claims about the FBI were false or true.

“It does raise questions,” he said. “I think people need to question what they see online, whether it comes from Anonymous or from a news organization or from a politician or from a corporation. You need to not take things at face value right away and jump straight to what you think it says. Somebody says, ‘Oh, this came from the FBI,’ everybody believes it. Well, let’s think about (it).”
