- dotTech - http://dottech.org -

12 million iPhone and iPad device IDs allegedly stolen from the FBI by hackers, FBI denies it all


Hackers calling themselves AntiSec (aka LulzSec, Anonymous, etc.) have published online one million iPhone [2] and iPad [3] unique device identifiers (UDIDs). They claim to have another eleven million stashed away and say they stole the information from the FBI.

According to their online declaration [4], the hackers stole a file named “NCFTA_iOS_devices_intel.csv” from FBI Supervisor Special Agent Christopher K. Stangl’s computer. They claim to have remotely accessed Special Agent Stangl’s machine in March 2012 by exploiting AtomicReferenceArray, a Java [5] vulnerability that was discovered last year and patched by Oracle [6] in February 2012.

AntiSec claims “NCFTA_iOS_devices_intel.csv” contains a list of 12,367,232 UDIDs, with some UDIDs having accompanying information such as full names, addresses, and cell phone numbers. AntiSec says they removed all information aside from UDIDs for the one million they have published online so far, so as to protect the privacy of the device owners.

The FBI, for its part, has come out and denied the allegations, first on Twitter…

Statement soon on reports that one of our laptops with personal info was hacked. We never had info in question. Bottom Line: TOTALLY FALSE.

…then through an official public statement:

The FBI is aware of published reports alleging that an FBI laptop was compromised and private data regarding Apple UDIDs was exposed. At this time, there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data.

However, there are independent confirmations that at least some of the UDIDs AntiSec leaked online are real. Rob Lemos (a journalist) and Peter Kruse (“eCrime specialist”) both say their device UDIDs appear in the list. So, then, the question is where exactly did the UDIDs come from?

It could be that the FBI is indeed collecting this information (why, we don’t know) and they are too embarrassed to admit they were hacked, hence the public denial. On the other hand, AntiSec could have obtained this information from some other source (where, we don’t know) and just want to throw some egg on the FBI’s face by falsifying the truth. Sadly, we likely won’t ever know the truth unless one side confesses.

Ignoring the truth for a second, let’s ponder on the two possible scenarios.

I’m not sure which scenario is better.

[via ArsTechnica [8]]