The (alleged) Apple-FBI hack: 1 million and one damnations

Sure, anonymous hackers may be sitting on 12 million user IDs, but bigger question lurks: How did the feds got pwned so easily?

Pop quiz: What's a UDID? No, it's not a birth control device.

Also, you probably haven't been paying much attention to the blogosphere, which is abuzz with news of an alleged major Apple/FBI security breach by Anonymous offshoot AntiSec.

[ Want to cash in on your IT experiences? InfoWorld is looking for stories of an amazing or amusing IT adventure, lesson learned, or tales from the trenches. Send your story to offtherecord@infoworld.com. If we publish it, we'll keep you anonymous and send you a $50 American Express gift cheque. | For a humorous take on the tech industry's shenanigans, subscribe to Robert X. Cringely's Notes from the Underground newsletter. ]

Last night AntiSec posted more than 1 million Apple UDIDs -- or Unique Data Item Descriptions -- it claims to have stolen from a federal agent's laptop, part of a cache of more than 12 million. (To be clear: There's no real proof as yet that AntiSec actually has 12 million UDIDs or that it breached an FBI computer to get them. In fact, the FBI denies both that it suffered a breach and that it collected UDIDs. Apple said it has given no one any list of UDIDs and notes that as of iOS 6, they're being discontinued.)

In a long, rambling, expletive-rich, and often incoherent rant on Pastebin, the hacker explained the alleged source of the names:

During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team, was breached using the AtomicReferenceArray vulnerability on Java, during the shell session some files were downloaded from his Desktop folder; one of them with the name of "NCFTA_iOS_devices_intel.csv" turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDIDs), user names, name of device, type of device, Apple Push Notification Service tokens, ZIP codes, cellphone numbers, addresses, etc. The personal details fields referring to people appears many times empty, leaving the whole list incompleted on many parts. No other file on the same folder makes mention about this list or its purpose.

For proof, he/she/they posted 1,000,001 -- the last one for good measure, I suppose -- of them online for your downloading pleasure. Several users have weighed in at Hacker News and elsewhere to confirm that their iOS IDs were among the cache posted online.

(Wonder if yours are among them? The Next Web posted a handy lookup tool. To find your iDevice's UDID, follow the steps outlined here or simply install one of the free apps like Get My UDID or UDID Finder that display that 40-character string for you.)

Also in that rant: A statement that the hacker would not consent to any press interviews until blogger "Adrian Chen get[s] featured [on] the front page of Gawker, a whole day, with a huge picture of him [dressed in] a ballet tutu and shoe on the head, no Photoshop." I think we can safely rule out any nation states or individuals over the age of 14 from the list of suspects.

(Update: I am not at all surprised to report that Chen has complied with this request, so we may learn more within a few days. Also, he looks surprisingly pretty in pink.)

The most popular device name: 42,797 people named their iPhones "iPhone" (so much for the myth that Apple fanboys are creative types). A couple of devices were named "Obama's iPad." There was no indication whether these devices belong to the actual commander in chief or merely an empty chair.

The bigger question

Of course, even if your UDID isn't among the 1 million posted by AntiSec, it may still be lurking amid the 11 million that haven't been posted yet. The question on everyone's mind: How the heck did the federales get their fingers on 12 million Apple IDs, and what were they planning to do with them?

1 2 Page
Mobile Security Insider: iOS vs. Android vs. BlackBerry vs. Windows Phone
Join the discussion
Be the first to comment on this article. Our Commenting Policies