Snowden leak shows how the UK tracked iPhone users

iSpy: Snowden leak shows how the UK tracked iPhone users


UDID identifiers could be used to link iPhones to their users. Photo: Cult of Mac

Apple has long been outspoken about the measures it goes to to keep your iPhone secure, but new documents leaked by whistleblower Edward Snowden demonstrate how the British spy agency GCHQ was able to carry out “realtime tracking of target iPhones” — by compromising users’ computers.

Rather than directly targeting the iPhones, GCHQ agents focused their attack on the computers with which the iPhones were synchronised, enabling them to access much of the data stored on the handset. The method took advantage of flaws in Apple’s UDID (unique device identifier) system, which issued a unique code for every iPhone, linking it with its owner.

The iPhone tracking report was handed over by Snowden to a group of nine journalists — including Laura Poitras, the filmmaker behind the acclaimed documentary Citizenfour.

As the report describes, different iPhone UDID identifiers could be found through accessing compromised computers, since the code was visible in iTunes. This, in turn, allowed GCHQ agents to keep tabs on iPhones every time they were synced — and to extract data from them. The agency was also able to track the iPhone as it browsed the web thanks to a Safari browser exploit.

Fortunately, Apple has long moved away from using UDID identifiers — meaning that the 2010 report is now well and truly out-of-date.

Apple abandoned the system after a number of iOS app privacy concerns, including one social networking app that was discovered to be uploading users’ iPhone address books and storing them on private servers without permission. Not long after, Apple began formally rejecting apps which used UDID.

Since news of the Edward Snowden NSA leaks first took place in 2013, a group backed by tech companies including Apple has been outspoken about demanding an end to the indiscriminate collection of metadata by governments.

Still, if nothing else, the new leak shows just how hard spy agencies will work to surveil users — and how incredibly effective it can be when the right exploit is used.

Via: The Verge