The online hacker group associated with Anonymous has posted a million Apple Unique Device Identifiers (UDIDs) by breaching FBI security and allegedly lifting the data from a US federal agent's laptop.
A UDID is the unique string of numbers that identifies each iOS device, and was formerly used by developers to track their app installations across Apple's user base.
In all, AntiSec claims to have obtained more than 12 million UDIDs, including user names, addresses and notification tokens from a laptop used by an FBI agent. In a missive posted to Pastebin, the hacking group explains how it obtained the data from an FBI agent's laptop:
During the second week of March 2012, a Dell Vostro notebook, used by supervisor special agent Christopher K Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team, was breached using the AtomicReferenceArray vulnerability on Java. During the shell session, some files were downloaded from his Desktop folder, one of them with the name of "NCFTA_iOS_devices_intel.csv" turned out to be a list of 12,367,232 Apple iOS devices, including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zip codes, cell phone numbers, addresses, etc. The personal details fields referring to people appear many times empty, leaving the whole list incomplete in many parts. No other file in the same folder makes mention of this list or its purpose.
Although Apple has already said it would begin restricting developer access to the identifiers, the Pastebin post said that the group posted the data out of suspicion the FBI was using the UDIDs for nefarious purposes, such as people tracking, as well as to protest the use of UDIDs in general.
We always thought it was a really bad idea; that hardware-coded IDs for devices concept should be eradicated from any device on the market in the future.
Even though it says it has more than 12 million UDIDs, AntiSec said it settled on posting only a million, trimming out personal information, such as full names, cell numbers and addresses.
We left those main columns we consider enough to help a significant amount of users to look up whether their devices are listed there or not. The DevTokens are included for those mobile hackers who could figure out some use from the dataset.
The FBI, however, said that it does not know anything about the compromised laptop.
"The FBI is aware of published reports alleging that an FBI laptop was compromised and private data regarding Apple UDIDs was exposed," said an FBI spokesperson. "At this time, there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data." Before the statement was released, the FBI Press Office tweeted: "Statement soon on reports that one of our laptops with personal info was hacked. We never had info in question. Bottom Line: TOTALLY FALSE."
If the hackers didn't get the data from the FBI, who did they get it from? The FBI statement doesn't change the fact that data of potentially millions of iOS devices has been leaked. CNET has verified the authenticity of some of the user account details that the hackers released. (You can use this site to see if your iOS device is on the list.)
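One way to offer the kind of "is my device on the list" check the article refers to, as an added example that is not part of the original article or of any site it mentions: the column layout follows the published subset as AntiSec describes it (UDID, APNS token, device name, device type), the sample rows are constructed, and the lookup is done locally against a hashed index so a user's UDID is never uploaded anywhere. It also flags rows whose device name exposes a person's name, the problem CNET describes.

```python
import csv
import hashlib
import io
import re

# Constructed sample in the column layout AntiSec described (UDID, APNS token,
# device name, device type). These values are made up, not leaked data.
SAMPLE_CSV = """udid,apns_token,device_name,device_type
0a1b2c3d4e5f60718293a4b5c6d7e8f901234567,aa11bb22cc33dd44ee55ff66aa77bb88cc99dd00ee11ff22aa33bb44cc55dd66,Alice's iPhone,iPhone
ffeeddccbbaa99887766554433221100ffeeddcc,0011223344556677889900aabbccddeeff00112233445566778899aabbccddee,iPad,iPad
1234567890abcdef1234567890abcdef12345678,,Bob Smith's iPod,iPod touch
"""

UDID_RE = re.compile(r"^[0-9a-f]{40}$")          # iOS UDIDs are 40 hex chars
NAME_RE = re.compile(r"^(.+?)['\u2019]s\b")      # "Alice's iPhone" -> Alice


def normalize_udid(value):
    """Canonicalize a UDID: strip, lowercase, and require 40 hex characters."""
    udid = value.strip().lower()
    if not UDID_RE.match(udid):
        raise ValueError("not a 40-character hex UDID")
    return udid


def build_index(csv_text):
    """Index the leak by SHA-256 of each UDID so the raw list need not be kept."""
    index = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            udid = normalize_udid(row["udid"])
        except ValueError:
            continue  # skip malformed rows rather than abort the whole import
        index.add(hashlib.sha256(udid.encode()).hexdigest())
    return index


def is_listed(udid, index):
    """Local membership check: the user's UDID never leaves the machine."""
    return hashlib.sha256(normalize_udid(udid).encode()).hexdigest() in index


def names_in_device_field(csv_text):
    """Return names from rows whose device_name reads "<Name>'s <device>"."""
    found = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        match = NAME_RE.match(row.get("device_name", ""))
        if match:
            found.append(match.group(1))
    return found
```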
In a video posted to Facebook in 2009, FBI agent Christopher K Stangl talked about how the FBI is looking for a few good cybersecurity experts.
Supervisory special agent Christopher K Stangl, the owner of the laptop, was among a group of four dozen or so US and UK law enforcement agents who were recipients of an email that AntiSec members got hold of, related to investigating AntiSec, Anonymous and their affiliates. The email was sent last January to organise a conference call among the agents, which the hackers then listened in on. Robert David Graham speculated on his Errata Security blog that the hackers got Stangl's email address off that list and targeted him for compromise with a phishing email.
The @AnonyOps Twitter account responded to the FBI statement, saying "FBI says there was no hack. That means either they're lying or they *gave* the information up to someone in #antisec. It's happened before."
CNET talked to a few people whose devices were on the list, and whose names and numbers were included in their "Device Name Field". CNET was also able to use the data, which had been mostly scrubbed by the hackers of any personally identifiable information, to find names and phone numbers. People on the list could be targets for phishing attacks, based on the information on the list, and even more at risk if someone does a little bit of digging.
Apple representatives did not respond to requests for comment. The company is phasing out UDIDs because of privacy concerns, but it is unclear when they will all be stricken from existing apps, or what will replace them to let developers track app usage without revealing too much user information.
The vast majority of AntiSec data dump claims have turned out to be true in the past. And while people usually get testy at the hackers for stealing the data, in this case — assuming that this data had been on the FBI laptop — people seem to be more angry with the US government.
The initial report raised hackles among the security community and Apple users. They want to know why the feds would have that type of information and how they got it. The file name gives an interesting clue. The acronym NCFTA stands for National Cyber-Forensics & Training Alliance, a non-profit created to serve as a "conduit between private industry and law enforcement, with a core mission to identify, mitigate and neutralize cyber crime," according to its website. NCFTA did not immediately return a call seeking comment this afternoon.
"Look at the name of the file," said Frank Heidt, chief executive of Leviathan Security. "What makes anyone think there's not an Android file or an AT&T file? I'm waiting for the other shoe to drop. Why only Apple? It makes no sense."
Greg Wilson, a Tempe, Arizona-based musician and teacher whose data was on the list, said that he suspects the government has a lot of data on people that it shouldn't, because of cooperation with the technology providers.
"I'm not surprised. I saw Enemy of the State and I've read 1984," he told CNET in a phone interview. "I'm saddened. President Bush had such cachet with the world after 9/11, and this is where it's descended to."
"Maybe I shouldn't be looking at so much porn," joked one man contacted by CNET who asked not to be named.
Whoever the hackers got the data from apparently did not apply basic security measures to protect it from prying eyes, such as leaving a sensitive user file unencrypted on an unsecured laptop. And then there is the worry about what criminals can do with the data now that it is public.
"I don't know if you want people having that push token. Given that, and the UDID and username, I could arbitrarily load an app on your phone," Heidt said.
The very use of the .csv import-export file format poses questions. "Who exported it and where are they going to import it?" he added, assuming that the FBI had the data. "We are at least owed the 'why'. I think our government at least owes us that."
Calling the UDID leak a "privacy catastrophe", security consultant Aldo Cortesi wrote a blog post about finding numerous instances of gaming social networks and related sites, including Open Feint, "using and misusing" UDIDs. (Open Feint, for example, was used by CNET to get more data on the victims in this data leak from the information provided by the hackers.)
Cortesi wrote that, when speaking to people about this, he's often been asked "What's the worst that can happen?" "My response was always that the worst case scenario would be if a large database of UDIDs leaked ... and here we are."