Hackers Swipe 12 Million Apple Device Codes From the FBI

| 4 Sep 2012 15:35

AntiSec claims to have proof that the federal government is spying on the American public.

A UDID, for those not in the know, is a 40-character "unique device identifier" tied to iPhones, iPads and iPod Touches, typically used by app developers for tracking and by Apple to authenticate Siri requests on the iPhone 4S. But more than 12 million of them, along with all sorts of other information, are apparently now in the hands of AntiSec, which came to them by way of the Federal Bureau of Investigation.

"During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java," the group said in a rambling and rather mangled release on Pastebin. "During the shell session some files were downloaded from his Desktop folder one of them with the name of 'NCFTA_iOS_devices_intel.csv' turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc. the personal details fields referring to people appears many times empty leaving the whole list incompleted on many parts. no other file on the same folder makes mention about this list or its purpose."

Download links to 1,000,001 of the stolen UDIDs, along with decryption instructions, are provided later in the post. "we decided a million would be enough to release. we trimmed out other personal data as, full names, cell numbers, addresses, zipcodes, etc." the statement continues. "not all devices have the same amount of personal data linked. some devices contained lot of info. others no more than zipcodes or almost anything. we left those main columns we consider enough to help a significant amount of users to look if their devices are listed there or not. the DevTokens are included for those mobile hackers who could figure out some use from the dataset."

In case it's not sufficiently alarming that AntiSec has access to 12 million UDIDs - and I honestly don't know if that's something to get overly alarmed about or not - the question behind the question is what the FBI was doing with them in the first place. AntiSec theorizes that the feds are "using your device info for a tracking people project or some shit," which, while impossible to prove, may not be too far off the mark. The only good news in this debacle is that AntiSec has made no claims about accessing passwords or credit card numbers. Neither Apple nor the FBI have commented on the leak or how the FBI came to be in possession of the UDIDs.

Source: Pastebin, via CNN

Comments on