Who's watching your smartphone?
Last night hacktivist group Antisec released one million and one Apple iOS IDs, device names and push notification tokens it claims were taken from an FBI laptop.
Antisec said it was releasing the details as a publicity stunt to make people stop and realize the level of state surveillance that is going on in the modern world.
While some mainstream media quickly reported it as a hacker attack on privacy and Apple’s security, it was neither. Antisec said it removed any personally identifiable information from the subset released, and gained access to the file in March from a Dell Vostro notebook owned by a special agent, Christopher Strangl. The group claims to have used a known Java exploit to access the notebook, and while browsing through its contents found a file named, “NCFTA_iOS_devices_intel.csv.”
This purportedly turned out to be a list of 12 million Apple iOS devices including the unique device identifiers (UDID), device name, and Apple push notification service tokens, along with the postal codes, telephone numbers, addresses and other personal details of the smartphone owners
The list leaked, it must be stressed, only includes three fields without the personal information. I downloaded the file, unencrypted it with the key that was posted, and got a huge plain text file with those three fields.
As long as you know how to use a Linux command line, all of that was trivial.
Had this file been released before May last year, that same query would also give out the GPS coordinates and in some cases, the Facebook profile of that same user. However, those glaring breaches of privacy were plugged by OpenFeint – a mobile social gaming network for iOS devices that I used to access the UDIDs.
The UDID is collected by many apps, not just Apple’s own, but OpenFeint, DropBox, Amazon and many others who specialize in analytics.
The other nugget of information is the Apple Push Notification (APN) token. APN was announced in iPhone OS 3 in 2008 to allow a much more battery friendly way of pushing real time notifications to the phone rather than rely on background processes to pull information, which by nature are very battery intensive.
The system works through having the phone maintain a single open connection with Apple’s servers at all times for all push notifications. An app that wishes to push information to a phone will need the APN token (generated when the app was first used) and to send that and the payload to Apple’s servers, which will then push messages of up to 256 bytes to the phone.
Since the connection to Apple’s servers is encrypted, access to the APN token should not be a problem. At most, it should mean that a rogue software developer could sign up and then use the token to send a push notification to your phone that you were not expecting, triggering some app that is in that phone.
Actually, judging from the discussions on developer website StackOverflow, this is already a problem with developers where notifications for one device are pushed to other devices and apps by mistake. Contrary to Apple’s own documentation guidelines, the APN token is the sometimes the same for every app on the phone and in some cases, across phones belonging to the same person.
Of course, the real question we should be asking is what is the FBI doing with 12 million records of this nature?
We are rapidly moving towards a surveillance society. The question is: can we entrust our privacy to the big corporations? Or do we forgo the ease and take responsibility into our own hands by using proper computers that are self-contained and do not rely on the cloud?
When the BlackBerry craze took hold I, for one, shuddered at the thought of surrendering my email credentials to a third party to aggregate. At the time, I was branded an old-school refusik, but it took scandals in the Middle East and India to make people wake up and realize the danger.
Today’s leak highlights not just the enormous amount of data that Apple has on its users, but that someone, FBI or not, is actively collecting that information. It is a wake-up call. Question is, how many people will take heed?
[EDITOR’S NOTE: Since the time of writing, the FBI has denied collecting the information or that the agent’s computer was compromised.]