iSpy: Snowden leak shows how the UK tracked iPhone users.

iPhone_UDID

Apple has long been outspoken about the measures it goes to to keep your iPhone secure, but new documents leaked by whistleblower Edward Snowden demonstrate how the British spy agency GCHQ was able to carry out “realtime tracking of target iPhones” — by compromising users’ computers.

Rather than directly targeting the iPhones, GCHQ agents focused their attack on the computers with which the iPhones were synchronised, enabling them to access much of the data stored on the handset. The method took advantage of flaws in Apple’s UDID (unique device identifier) system, which issued a unique code for every iPhone, linking it with its owner.

The iPhone tracking report was handed over by Snowden to a group of nine journalists — including Laura Poitras, the filmmaker behind the acclaimed documentary Citizenfour.

 As the report describes, different iPhone UDID identifiers could be found through accessing compromised computers, since the code was visible in iTunes. This, in turn, allowed GCHQ agents to keep tabs on iPhones every time they were synced — and to extract data from them. The agency was also able to track the iPhone as it browsed the web thanks to a Safari browser exploit.

Fortunately, Apple has long moved away from using UDID identifiers — meaning that the 2010 report is now well and truly out-of-date.

Apple abandoned the system after a number of iOS app privacy concerns, including one social networking app that was discovered to be uploading users’ iPhone address books and storing them on private servers without permission. Not long after, Apple began formally rejecting apps which used UDID.

Since news of the Edward Snowden NSA leaks first took place in 2013, a group backed by tech companies including Apple has been outspoken about demanding an end to the indiscriminate collection of metadata by governments.

Still, if nothing else, the new leak shows just how hard spy agencies will work to surveil users — and how incredibly effective it can be when the right exploit is used.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s