Hackers Claim FBI Has List of 12 Million iPhone and iPad ID Numbers
Why would the FBI allegedly be keeping a list of 12 million unique identifying numbers for Apple iPhones, iPads and iPod touches? And why was a copy of that list on a notebook PC belonging to an FBI agent? And how did a group of hackers get access to that machine and steal that file?
Those are but three of the questions arising from the overnight dump of 1 million Unique Device Identification numbers by the hacker troupe known as AntiSec, the loosely organized group that has variously used the names LulzSec and Anonymous over the last year or so.
In an otherwise rambling political message posted to PasteBin, the group included download links to an 89-megabyte file that certainly looks for real. The circumstances of how the hackers obtained it couldn’t be independently confirmed, but AntiSec claims it was taken during a breach of an FBI-owned notebook in March.
The group described the incident like so (typos in the original):
During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java, during the shell session some files were downloaded from his Desktop folder one of them with the name of ‘NCFTA_iOS_devices_intel.csv’ turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc. the personal details fields referring to people appears many times empty leaving the whole list incompleted on many parts. no other file on the same folder makes mention about this list or its purpose.
There is, according to LinkedIn, a Christopher Stangl employed by the FBI in New York, but so far the agency has had no comment on AntiSec’s claims.
I downloaded the file and from what I know about UDID numbers, it certainly looks legit. So what is a UDID anyway and why should you care? Every iOS device — iPhones, iPads, and iPod touches — has a UDID number. Developers use it to distribute trial versions of new apps before those apps are released to the iTunes store. Another use is storing applications preferences and high scores for games.
But historically, the UDID has been part of the data that many popular applications have shared with third-party marketers along with the phone owner’s age, gender, and ZIP code. A 2010 Wall Street Journal story examined this practice in detail. Earlier that year, the nature of privacy risks on the iPhone were disclosed (PDF here) by the security researcher Erik Smith of PSKL.
Earlier this year Apple started quietly denying access to the UDID by developers, refusing to approve apps that access it, making good on a policy it outlined in August of 2011. In March of this year, Congress started asking questions about the privacy in iOS apps, including UDIDs.
If you’d like to know if your device is on the list of 1 million or so released so far, here’s what to do. First, install a free app called Ad Hoc Helper on your device. This app grabs your device’s UDID and emails it to you. Once you have it, cut and paste the number into this search tool on Dazzlepod. (We haven’t vetted this, so use it at your own risk.)
So what use is knowing if your device is on the list? That’s a good question. I checked two of the three iOS devices I own and they’re not on the list, though in the original file there were several devices owned by people who share my first name. As AntiSec puts it in its statement: “…in this case it’s too late for those concerned owners on the list.”
If the claim by AntiSec bears out (and frankly, right now it is only that, a claim), then the question quickly turns to the FBI’s reasons for gathering the information in the first place. There might be legitimate law-enforcement reasons for doing so, though it’s hard to image what they might be given the sheer numbers said to be involved. It’s not hard to imagine the FBI requesting a UDID along with other information as part of building a case in a criminal investigation into a person or a set of people. But the leak of 1 million such UDIDs with the promise that there are 12 million more certainly raises a lot of troubling questions.
Worse is the fact that the machine on which it was stored was so readily breached by outside elements, though again, this is only an unverified claim.
I’ve asked Apple and the FBI for guidance on this, and don’t expect to hear much, but will update you if I do.