FinSpy Mobile and your iDevice UDID ...

The UDID is needed to remotely install the FinFisher Mobile version FinSpy Mobile ...

prior knowledge of a device’s UDID is required for government agencies that wish to infect a particular surveillance target’s iOS device with the FinFisher mobile spyware tool.

Apple’s Persistent Device ID is a Threat to Privacy via aclu.org

These UDIDs were hard baked in for a reason, in my opinion. From the same article above.

"Unique, unchangeable UDIDs are not necessary for the functioning of a smartphone. Although Apple’s customer can never escape their UDID, Google’s Android operating system resets the Android ID (which is equivalent to Apple’s UDID) when a user performs a factory reset of their device."

I knew there was a reason I rooted and installed ROMs once a week, lol

So, what can FinFisher actually do ?

The capabilities of the spyware, known as FinFisher, include location tracking, remotely activating a built-in microphone and conducting live surveillance via "silent calls," as well as the ability to monitor all forms of communication on the device, including emails and voice calls, according to a study released Thursday by the University of Toronto Munk School of Global Affairs' Citizen Lab.

FinFisher Mobile Spyware Tracking Political Activists via informationweek.com

But Apple is on top of security right?

The security flaw in iTunes that FinFisher is reported to have exploited was first described in 2008 by security software commentator Brian Krebs. Apple did not patch the security flaw for more than three years, until November 2011. Apple officials have not offered an explanation as to why the flaw took so long to patch. Promotional videos used by the firm at trade shows which illustrate how to infect a computer with the surveillance suite were released by Wikileaks in December, 2011.

Finfisher Wiki

Obviously, not as well as we all thought and the above article is covering a Mac PC, why would Apple wait so long to patch this issue on the Macs ? The FinSpy Mobile tools iOS version "appears that it will run on iPhone 4, 4S, iPad 1, 2, 3, and iPod touch 3, 4 on iOS 4.0 and up". Can we really believe this is all just coincidence ?

I believe that Apple and the FBI are BOTH lying, they know exactly what is going on and will cover this up at any cost. Now the Government is saying, with impeccable timing might I add ...

The Obama administration told a federal court Tuesday that the public has no “reasonable expectation of privacy” in cellphone location data, and hence the authorities may obtain documents detailing a person’s movements from wireless carriers without a probable-cause warrant.

Feds Say Mobile-Phone Location Data Not ‘Constitutionally Protected via wired.com

Although this statement does not cover monitoring rooms via silent calls, downloading files and forwarding phone calls, SMS text messages and emails that day could be sooner then we would like to think.
How long will it be until we can expect no “reasonable expectation of privacy” at all ?

I forgot to mention HOW FinSpy Mobile is installed using the UDID ...

CrowdStrike analyzed the iOS version of FinSpy to identify details of any attacks against the iOS platform itself which would facilitate the installation of the FinSpy tool. The technical overview from The Citizen Lab identifies some notable attributes which imply either a bypass or exploit of the iOS security architecture.

One of the first points to catch our attention was that the applications in the FinSpy package use Ad-hoc distribution. Ad-hoc distribution is typically used for testing, and one of the three application distribution methods available from Apple, the second being In-House apps and the most well-known distribution method being through the iTunes App Store (which also includes Business-to-Business a.k.a B2B apps). Ad-hoc distribution requires that the individual target device's Unique Device Identifier (UDID) must be known when the Ad-hoc distribution profile is created, long before execution/installation time. This makes Ad-hoc distribution less than ideal for in-the-wild exploitation and would seem to support Gamma International's statement regarding the sales demonstration server. That is of course until the recent 'anti-sec' leak of over a million UDIDs with customer name/device name correlation.

FinSpy Mobile: iOS and Apple UDID leak

Hmm, So supposedly the most secure PC the Mac was left with a security hole for THREE YEARS 2009 to 2011 that was exploited by FinFisher Spyware, with a video tutorial on how to exploit the security loop hole and no one has a word to say about it ?

Not to mention the Ad-Hoc exploit to install FinFisher Finspy mobile iOS edition with use of Apple UDIDs on iPhones and iPads of all generations and iOS versions up to this day and no one has anything to say about it ... wow !

I thought this was going to be a good thread too, a little geeky but not to overly technical and what could potentially be the biggest conspiracy in the PC and mobile worlds.

Aw, well ...

Well I wouldnt call the Mac the "most secure PC" there are other OS's out there that are much more secure. But what do you expect? Apple went from being the under dog to being the man. They done sold out. Of course there is probably a lot of pressure from the Feds.

reply to post by VonDoomen


Your right and I actually thought about that after I posted that, I should had said "that claims to be one of the most secure PCs" ...

I was just reading an Anon statement just released, sounds like they could be hinting at leaking maybe more UDIDs or leaking something else related, I do not know ...

next: release coming, tribute to a good friend whos now jailed.

Source

reply to post by Tazkven


It would be nice if they released all 12 million so people can check to see if they are also on the list. For now you only have a 1/12 chance of knowing or not.

An ecrime expert pointed out yesterday that 3 of his devices were on the list of publicaly available ID's. Which would be strange uf the FBI was tracjing or compiling data on him.

reply to post by VonDoomen


Yea, I do not know what is scarier ... Knowing the Feds could have these UDIDs and there is a company in England making a tool that uses them to remotely install itself using an Ad-hoc exploit on iDevices.

or ...

That hackers have the UDIDs and you have no way of knowing if they have yours or not and you KNOW they have access to Gamma International's FinFisher's FinSpy Mobile tools and could be hacking iDevices of that list as we speak

Even if they released all 12 million and you was not on the list I still believe all iPhone 4, 4S, iPad 1, 2, 3, and iPod touch 3, 4 on iOS 4.0 and up are at risk.

CNET is catching on too ...

Many people are asking what exactly they can do now that their Apple UDID information is in the hands of, well, no one knows who's hands the data is in.

Apple has a responsibility to their customers -- and the millions of customers' very real concerns -- that they have not addressed, or even acknowledged.

Apple hasn't said anything to -- or even about -- its customers affected by the UDID catastrophe. If things turn out badly, this may go down as an epic privacy disaster that lies squarely at Apple's feet.

The unanswered questions and potential risk for all involved means that the UDID debacle is far from over.

CNET

This is not far from exploding ...

reply to post by Tazkven


unfortunately for apple. the UDID is hard written to the phone where as with the droid OS, your ID changeds when the phone is reset to factory settings.

reply to post by VonDoomen


Luckily, I am rooted and install ROMs about once a week, lol