FBI: We Weren’t Hacked, Never Had Apple Device IDs
Despite a claim made by hacking group AntiSec, which said it compromised 12 million Apple iOS Unique Device IDs (UDIDs) and personal information from a laptop of an FBI staffer, the government agency is denying that it ever had the data the hackers allegedly stole.
“The FBI is aware of published reports alleging that an FBI laptop was compromised and private data regarding Apple UDIDs was exposed,” the FBI said in a statement to Mashable. “At this time, there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data.”
Apple Unique Device Identifiers (UDID) — which is a sequence of 40 letters and numbers specific to an Apple device such as an iPhone, iPad and iPod Touch — don’t contain too much information by themselves, but when coupled with other information such as iTunes passwords, billing addresses and payment data, it could pose some risks for users.
AntiSec said it posted one million of the hacked IDs on the site Pastebin, along with a detailed description of how the hackers allegedly obtained the IDs from the FBI.
“During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java, during the shell session some files were downloaded from his Desktop folder one of them with the name of ‘NCFTA_iOS_devices_intel.csv’ turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc,” AntiSec claimed.
The FBI’s statement presumably rules the agency out as the source of the data store, but it raises another question: Where did the the cache of UDID’s come from and how were they collected?