Hacker group claims access to 12M Apple device IDs
AntiSec posts list containing 1M unique device identifiers, says they came from FBI laptop
Computerworld - Hacker group AntiSec has published what it claims is about 1 million unique device identifier numbers (UDIDs) for Apple devices that it said it accessed earlier this year from a computer belonging to an FBI agent.
The group, which is a splinter operation of the Anonymous hacking collective, claims that it has culled more than 12 million UDIDs and personal data linking the devices to users from the FBI computer. AntiSec said it chose to publish a portion of those records to prove it has them.
In an unusually lengthy note on Pastebin, a member of AntiSec said the group had removed some personal data, such as full names and cell numbers, from the published data. Instead, the group said it published enough information, such as device type, device ID and Apple Push Notification Service tokens, to let users determine whether their devices are on the list. Apple device owners who want to check can do so here.
It was not immediately possible to verify the authenticity of AntiSec's claims about the data. Nor was it clear why the unique device ID data and other personal information belonging to millions of Apple users would be on an FBI agent's computer in the first place.
FBI spokeswoman Jennifer Shearer said the agency has no official comment on the claim.
Graham Cluley, a senior technology consultant at Sophos, said there is no way of knowing yet whether the hackers are telling the truth. "We don't have any way of confirming the source of the data, or what else might have been taken, but it does appear that the files do contain at least some genuine Apple UDIDs," Cluley said via email.
"Is it a big deal? Well, if the data was stolen from an FBI computer then questions will be asked as to what the FBI [was] doing with the data in the first place, as well as why it wasn't better protected," he said. "At the moment it feels as if the hackers might be more interested in embarrassing the FBI and causing mischief than putting innocent users at risk."
Apple's UDIDs are a set of alphanumeric characters used to uniquely identify an iPhone or iPad. The numbers are designed to let application developers track how many users have downloaded their application and to gather other information for data analytics. In 2010, The Wall Street Journal did an investigative report showing how application developers were using Apple's UDID to gather a lot of personal information about the device owner, including name, age, gender, device location and phone numbers. In response to concerns about the tracking, Apple no longer permits new iOS applications to track UDIDs.
In its message on Pastebin, AntiSec said it had obtained the numbers from a Dell Vostro laptop allegedly belonging to an FBI special agent named Christopher Stangl from the FBI Regional Cyber Action Team in New York.
The computer was breached using the "AtomicReferenceArray vulnerability on Java," the post claimed. "During the shell session, some files were downloaded from his Desktop folder. One of them with the name of 'NCFTA_iOS_devices_intel.csv' turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zip codes, cell phone numbers, addresses, etc.
"The personal details fields referring to people appears many times empty leaving the whole list incompleted (sic) on many parts," the post said. "No other file on the same folder makes mention about this list or its purpose."
According to AntiSec, the reason it decided to publish the data was to expose the FBI's tracking of device information belonging to Apple users.
"Well we have learnt (sic) it seems quite clear nobody pays attention if you just come and say 'hey, FBI is using your device details and info and who the f... knows what the hell are they experimenting with that,' well sorry, but nobody will care. FBI will, as usual, deny or ignore this uncomfortable thingie and everybody will forget the whole thing at amazing speed."
The group criticized Apple's use of UDID. "We always thought it was a really bad idea. That hardware coded IDs for devices concept should be erradicated (sic) from any device on the market in the future."
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld.