Hackers leak 1M iOS device IDs supposedly taken from FBI agent's laptop
According to AntiSec, the unique device identifiers (UDID) of 12,367,232 Apple iPhones and iPads were discovered and lifted during the breach of an FBI agent's notebook, reports The Next Web. UDIDs are unique 40-character codes assigned to iDevices with cellular connectivity, their primary use being app registration and tracking by developers.
From AntiSec's post:
During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java, during the shell session some files were downloaded from his Desktop folder one of them with the name of "NCFTA_iOS_devices_intel.csv" turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc.
If the alleged attack and subsequent UDID leak is legitimate, it is unclear how or why the FBI secured the Apple UDIDs.
AntiSec noted the UDIDs had varying amounts of personal data, with some having just basic personal information while others were more comprehensive and included full names and addresses. When the group published the UDID sample set, it stripped out identifying data but left Apple Device ID, Apple Push Notification Service DevToken, Device Name and Device Type data intact for users to "look if their devices are listed there or not."
It should be noted that some of the information provided in the leaked data sets are commonly available to iOS app developers as a requirement for push notifications, however private data like phone numbers and addresses are usually blocked.
Apple recently began taking steps to block UDID app access amid increased scrutiny of privacy practices from both consumers and the government. In August 2011, the company warned developers that it would be ending UDID access with iOS 5, effectively ending an easy solution to OS-wide user tracking.
42 Comments
It should be noted that most of the information provided in the leaked data sets are commonly available to iOS app developers as a requirement for push notifications, among other uses...
Most of the information, or all of the information?
Well, let's assume there is a valid reason for the FBI to keep such a ridiculous amount of private and confidential data on a cheap-ass laptop (can't think of one, but what do I know), this is still rather worrisome. I would expect some Supervisor Special Agent working for FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team (of all people), to know that such data does not belong on a mobile device, and that running something as unsafe as Java on the same device is approaching grossly negligent territory. These incompetent creatures might be more dangerous than what they are fighting.
Well, that is a bit misleading / euphemistic. Developers would get some of that for/from their own app, but certainly not for all of them on any phone; and certainly not any ZIP codes, phone numbers or addresses without user consent. Even if this just lands in the hands of online marketing spammers, this is 12 million of the most sought-after contact details. Real addresses, belonging to real people with considerable income. No need to downplay that.
Your homeland security hard at work. Lets see. If they have such information then maybe they have a list of all the rolls of toilet paper and their serial numbers ever sold to Osama Bin Laden. Also I have built a bridge to London out of sharp cheddar cheese and green beans. Yes green beans!
The FBI has all this shit on a cheap-assed Windows laptop and didn't even think to encrypt it????!!!!!
13million odd people can now sue the FBI.