The hacking group AntiSec have today released the Unique Identifiers pertaining to 1,000,001 iOS devices allegedly obtained from a hacked FBI laptop that was holding over 12 million Apple device ID’s and the corresponding personal information.
AntiSec say that they have the numbers of 12,367,232 iPhones and iPads that were found and taken whilst hacking an FBI agent’s notebook. Each iDevice that connects using the cell network has a UID that is used for app registration and tracking by developers.
During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java, during the shell session some files were downloaded from his Desktop folder one of them with the name of “NCFTA_iOS_devices_intel.csv” turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc.
It is noted that some of the UID’s had limited personal information whilst some had names and addresses. When the sample was published the identifying data was removed however the Apple Device ID, Apple Push Notification Service DevToken, Device Name and Device Type data were left intact for users to “look if their devices are listed there or not.”
It is not known why the FBI had this information, how they obtained it or what they intended to do with it.
The number of iDevices that the FBI has information on is a mere drop in the ocean compared to the number of iPhones and iPads sold however it is of great concern that this information has been harvested and is being used or analysed for unknown reasons. The information provided in the leaked data is commonly available to developers however data such as addresses and phone numbers is not commonly taken.
The introduction of iOS6 will see an inability to collect UDID’s and thus any future collection will be rendered nearly impossible.
The questions here have to be why does the FBI have this information, what do they intend to do with it and how on earth did they allow a hackers group to get hold of it?
Update – The FBI deny that a laptop has been hacked and say that the news story is “totally false”.