Hacker group Anonymous claims to have obtained 12 million iOS user IDs from the computer of an FBI agent and has released nearly 1 million of those IDs along with corresponding personal information. The claim, if it is true, raises important questions. For instance, what was an FBI agent doing with personal information about 12 million private citizens?
According to a post on Pastebin by members of Anonymous, the group obtained the unique device identifiers (UDIDs) in March from the laptop of Supervisor Special Agent Christopher K. Stangl. Anonymous hacked into the laptop using a known Java vulnerability and copied 12 million UDIDs along with associated information such as user names, zip codes, cell phone numbers, and street addresses.
The post explained the group's motivations for releasing the information. Anonymous is upset with the U.S. government for recruiting hackers to “carry out their own political agendas” and with closed systems that do not allow users to do as they wish with devices they purchase. The group is also upset about the arrest of hacker Jeremy Hammond and efforts to prosecute Julian Assange, founder of Wikileaks. The post amounts to a lengthy (if scattered) diatribe on the group's concerns and why it continues to hack into government and corporate databases and release the information it finds.
“We decided we'd help out Internet security by auditing FBI first. We all know by now they make Internet insecure on purpose to help their bottom line. But it's a shitty job, especially since they decided to hunt us down and jail our friends,” Anonymous wrote.
If the Anonymous list of UDIDs is real (and it looks like it is), the most pertinent question is what the FBI, and Stangl in particular, were doing with those numbers. Knowing the UDID of an iOS device could lead to tracking of that device and the credit card or social accounts it is tied to. Earlier this year, Apple shut off UDID access to App Store developers because of the potential abuse of privacy that UDIDs afford. The use of UDIDs could allow marketers and advertisers to track user location and other activities on the user’s device. That information could be very lucrative for advertisers and marketers. Apparently, it could also be useful to the FBI.
Aldo Cortesi, a coder and security consultant in New Zealand, has been preaching about the dangerous use of UDIDs for several years. He has long expected a dump of millions of UDIDs by enterprising hackers.
“I've often been asked ‘What's the worst that can happen?’ My response was always that the worst case scenario would be if a large database of UDIDs leaked ... and here we are,” Cortesi wrote on his personal website.
Anonymous agrees with Cortesi that establishing UDIDs was a bad idea from the beginning. “[We] always thought it was a really bad idea. That hardware coded IDs for devices concept should be eradicated from any device on the market in the future,” Anonymous wrote.
For all its loud and disjointed rhetoric, the data leak put an exclamation point on the issue of FBI tracking and Apple's use of UDIDs. Anonymous released the 1 million UDIDs to attract the attention of the FBI, Apple, federal governments and large corporations. It is safe to say that the group has their attention now.
The FBI has responded to the alleged hacking by denying that it happened.
“Statement soon on reports that one of our laptops with personal info was hacked. We never had info in question. Bottom Line: TOTALLY FALSE” — FBI PressOffice (@FBIPressOffice), September 4, 2012
In a short release issued by the department on the afternoon of Sept. 4, the FBI stated: "The FBI is aware of published reports alleging that an FBI laptop was compromised and private data regarding Apple UDIDs was exposed. At this time, there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data."