Apple’s Persistent Device ID is a Threat to Privacy via aclu.org
prior knowledge of a device’s UDID is required for government agencies that wish to infect a particular surveillance target’s iOS device with the FinFisher mobile spyware tool.
"Unique, unchangeable UDIDs are not necessary for the functioning of a smartphone. Although Apple’s customer can never escape their UDID, Google’s Android operating system resets the Android ID (which is equivalent to Apple’s UDID) when a user performs a factory reset of their device."
FinFisher Mobile Spyware Tracking Political Activists via informationweek.com
The capabilities of the spyware, known as FinFisher, include location tracking, remotely activating a built-in microphone and conducting live surveillance via "silent calls," as well as the ability to monitor all forms of communication on the device, including emails and voice calls, according to a study released Thursday by the University of Toronto Munk School of Global Affairs' Citizen Lab.
The security flaw in iTunes that FinFisher is reported to have exploited was first described in 2008 by security software commentator Brian Krebs. Apple did not patch the security flaw for more than three years, until November 2011. Apple officials have not offered an explanation as to why the flaw took so long to patch. Promotional videos used by the firm at trade shows which illustrate how to infect a computer with the surveillance suite were released by Wikileaks in December, 2011.
Feds Say Mobile-Phone Location Data Not ‘Constitutionally Protected’ via wired.com
The Obama administration told a federal court Tuesday that the public has no “reasonable expectation of privacy” in cellphone location data, and hence the authorities may obtain documents detailing a person’s movements from wireless carriers without a probable-cause warrant.
FinSpy Mobile: iOS and Apple UDID leak
CrowdStrike analyzed the iOS version of FinSpy to identify details of any attacks against the iOS platform itself which would facilitate the installation of the FinSpy tool. The technical overview from The Citizen Lab identifies some notable attributes which imply either a bypass or exploit of the iOS security architecture.
One of the first points to catch our attention was that the applications in the FinSpy package use Ad-hoc distribution. Ad-hoc distribution is typically used for testing, and one of the three application distribution methods available from Apple, the second being In-House apps and the most well-known distribution method being through the iTunes App Store (which also includes Business-to-Business a.k.a B2B apps). Ad-hoc distribution requires that the individual target device's Unique Device Identifier (UDID) must be known when the Ad-hoc distribution profile is created, long before execution/installation time. This makes Ad-hoc distribution less than ideal for in-the-wild exploitation and would seem to support Gamma International's statement regarding the sales demonstration server. That is of course until the recent 'anti-sec' leak of over a million UDIDs with customer name/device name correlation.
next: release coming, tribute to a good friend who's now jailed.
Many people are asking what exactly they can do now that their Apple UDID information is in the hands of, well, no one knows whose hands the data is in.
Apple has a responsibility to their customers -- and the millions of customers' very real concerns -- that they have not addressed, or even acknowledged.
Apple hasn't said anything to -- or even about -- its customers affected by the UDID catastrophe. If things turn out badly, this may go down as an epic privacy disaster that lies squarely at Apple's feet.
The unanswered questions and potential risk for all involved means that the UDID debacle is far from over.
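The CrowdStrike excerpt quoted above notes that an Ad-hoc profile has to name each target device's UDID when it is created. As an added example (not code from any of the quoted sources), this Python sketch audits a provisioning profile taken from an app bundle: it reports the distribution method and whether any of your own UDIDs are listed. It assumes the usual profile layout (an XML plist inside a signed envelope, with the keys `ProvisionedDevices`, `ProvisionsAllDevices` and `Entitlements`), goes slightly beyond the text by also recognising development profiles, and runs on constructed sample data.

```python
import plistlib

def extract_plist(blob: bytes) -> dict:
    """Return the XML plist embedded in a .mobileprovision blob.
    The CMS signature around it is NOT verified here."""
    start, end = blob.find(b"<?xml"), blob.find(b"</plist>")
    if start == -1 or end == -1 or end < start:
        raise ValueError("no embedded plist found")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def classify(profile: dict) -> str:
    """Map profile keys to a distribution method."""
    if profile.get("ProvisionsAllDevices"):
        return "in-house"          # enterprise profile, no UDID list needed
    if "ProvisionedDevices" not in profile:
        return "app-store"         # store profiles carry no device list
    if profile.get("Entitlements", {}).get("get-task-allow"):
        return "development"       # debuggable build, also UDID-locked
    return "ad-hoc"

def audit(blob: bytes, my_udids) -> dict:
    """Summarise a profile and report which of our own devices it names."""
    profile = extract_plist(blob)
    devices = profile.get("ProvisionedDevices", [])
    wanted = {u.lower() for u in my_udids}
    return {
        "name": profile.get("Name"),
        "kind": classify(profile),
        "device_count": len(devices),
        "matches": sorted(d for d in devices if d.lower() in wanted),
    }

# Constructed sample: made-up UDIDs and a fake binary envelope around the plist
UDID_A = "a1" * 20
UDID_B = "b2" * 20
SAMPLE = b"\x30\x82\x0b\x00" + plistlib.dumps({
    "Name": "Example Ad Hoc Profile",
    "ProvisionedDevices": [UDID_A, UDID_B],
    "Entitlements": {"get-task-allow": False},
}) + b"\x00\x00constructed-signature-bytes"

if __name__ == "__main__":
    print(audit(SAMPLE, [UDID_A.upper()]))
```

A profile of kind `ad-hoc` or `development` that lists a device you own, but that you did not create, means whoever built it already had that device's UDID.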