Update, Sept. 4, 5:32 p.m.: The FBI has issued a statement denying that it was the source of the leaked Apple user information. Or, at least, denying that there’s any evidence that it was the source of the leaked Apple user information. Here’s the full statement:
The FBI is aware of published reports alleging that an FBI laptop was compromised and private data regarding Apple UDIDs was exposed. At this time, there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data.
My colleague Ryan Gallagher has more here.
Original post, Sept. 4, 10:42 a.m.: The hacker group AntiSec claims the FBI has compiled a database of 12 million Apple UDIDs—the unique numbers that identify every Apple device, including iPhones and iPads—many of them complete with the device owner’s personal information. To prove it, the Anonymous-affiliated group on Monday published one million of the IDs, along with the type (e.g. iPhone) and name (e.g. Jane Doe’s iPhone) of each device. In a post accompanying the data dump, the group says it withheld other personally identifying information, including names, mobile phone numbers, and addresses. There’s no indication that bank account numbers or passwords were included.
How did the group obtain the information? In its own words (and its own lackadaisical grammar):
During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java, during the shell session some files were downloaded from his Desktop folder one of them with the name of “NCFTA_iOS_devices_intel.csv” turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc. the personal details fields referring to people appears many times empty leaving the whole list incompleted on many parts. no other file on the same folder makes mention about this list or its purpose.
The group suspects the FBI was using, or planned to use, the information to track Apple users. The FBI has yet to comment on the apparent breach, and it’s unclear how it obtained the Apple IDs.
In a twist, the agent whose laptop AntiSec claims to have hacked appeared in a 2009 FBI recruiting video, urging hackers to join the bureau as cybersecurity experts. To AntiSec, which views cybersecurity experts as, essentially, tools of The Man, that makes him an ideal target.
Meanwhile, some security researchers are pouncing on Apple for hard-coding unique identifiers onto every device in the first place. In a post titled, “The UDID leak is a privacy catastrophe,” security consultant Aldo Cortesi catalogs several of his own past blog posts warning about the potential for the device numbers to be misused.
Wondering whether your device was among those compromised? The Next Web has built a quick tool that lets you check whether your UDID matches any of the one million that AntiSec included in its data dump. The Next Web assures users that it isn’t storing the numbers they enter. You can find your UDID by following the easy steps outlined here. (Note: Even if yours isn’t a match, it could still theoretically be among the other 11 million that AntiSec says it has but didn’t publish.)
