AntiSec says it snatched UDIDs from the FBI. But why did the US authorities have them in the first place?
Anonymous offshoot AntiSec has released what it claims to be over one million UDIDs (Unique Device Identifiers) for Apple products, stolen from an FBI agent’s laptop by exploiting a Java vulnerability.
In a release on PasteBin, accompanied by a long ideological statement, the hackers say they have actually obtained 12 million records, and only published a small part for verification.
The group has accused the FBI of using this information for surveillance. The hack was first reported on the AnonymousIRC Twitter feed on Monday night.
Watching the watchmen
The UDID is a 40-character code, assigned to every Apple device, that cannot be erased, duplicated or obscured. It can be used to track the whereabouts of any iPhone or iPad, as well as to see what apps have been installed, how often they’re being opened and what adverts users click on.
Last year, Apple started to crack down on apps using UDIDs, hoping to completely phase them out following a privacy scare in the US.
In March 2012, AntiSec decided to “audition” the FBI’s security by hacking the laptop of Supervisor Special Agent Christopher Stangl from the FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team. The security was breached using the Java AtomicReferenceArray vulnerability.
Among other data stored on the unfortunate agent’s laptop, hackers discovered a file entitled ‘NCFTA_iOS_devices_intel.csv’, which contained a list of 12,367,232 devices running Apple’s iOS.
AntiSec claims the list included combinations of UDIDs, Apple Push Notification tokens, usernames, phone numbers, addresses and device types. Hackers removed personal details from the information they posted online, leaving just enough data to verify its authenticity.
Apple UDID leak is real. I have confirmed three of my devices in the leaked data 🙁
— peterkruse (@peterkruse) September 4, 2012
According to AntiSec, no other file in the same folder mentioned the list or its purpose. It is unclear why the FBI would have information that belongs to Apple, but “NCFTA” could stand for National Cyber-Forensics & Training Alliance – a non-profit US corporation that brings together cybersecurity professionals from both the public and private sectors to collect intelligence.
Hackers have justified their attack by the need to raise awareness about alleged FBI eavesdropping. “It seems quite clear nobody pays attention if you just come and say ‘hey, FBI is using your device details and info and who the f**k knows what the hell are they experimenting with that,’” stated the release.
“We always thought it was a really bad idea, that hardware coded IDs for devices should be eradicated from any device on the market in the future,” it added.
Robert Graham from Errata Security suggests that the hack was possible due to an earlier attack that provided AntiSec with a list of FBI agents’ email addresses. After that, it was just a question of sending a phishing email that looked like it originated from the FBI, containing a link to a site hosting the exploit.
We have not received a response to a request for comment from the FBI at the time of writing.
In the concluding paragraphs of the statement, AntiSec has promised to stop interacting directly with the media until Gawker journalist Adrian Chen gets featured on the front page of the website for the whole day, wearing a ballet tutu and a shoe on his head. Chen has previously angered the group by writing news stories that harshly criticised Anonymous.
AntiSec has also pledged its support to Wikileaks, Julian Assange, the Syrian rebels and Pussy Riot.