According to Anonymous claims, over 12 million Apple iPhone and iPad device IDs have been hacked from an FBI computer. This isn’t the first time, and it’s likely not to be the last, but hackers associated with the group Anonymous have accessed at least 12 million Apple unique device identifiers (UDID) from an FBI computer. An Anonymous subgroup known as AnitSec posted instructions on how to access one million Apple UDIDs on the public bulletin board, Pastebin. The group then reported the hack through Twitter, via an Anonymous account.
Anonymous & AntiSec
AntiSec’s archive lists 1,000,001 profiles, including usernames, device names, cell phone numbers and addresses. The data was first accesed from Apple iOS devices, specifically iPhones, iPads and iPods. Apparently, the data was taken through a Java vulnerability from a laptop belonging to an FBI cybersecurity agent:
“During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the Atomic Reference Array vulnerability on Java, during the shell session some files were downloaded from his Desktop folder on of them with the name of “NCFTA_iOS-devices_intel.csv” turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID_, user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellpohe numbers, addresses, etc. The personal details fields referring to people appears many times empty leaving the whole list incompleted on many parts. No other file on the same folder makes mention about this list or its purpose.”
The Anonymous group is known for its high profile interference with the US FBI. The relatively few arrests of their members have only served to further their efforts. The hacktivist group has even been accused of eavesdropping on the FBI’s anti-Anonymous meeting. The purpose of Anonymous is to shed light on the FBI’s efforts in breaking into computers for surveillance purposes. Through the exposure of hundreds of personal IDs, AntiSec claims to make a high-profile, lingering impression.
Disdain for the UDID
According to Anonymous, “We never liked the concept of UDIDs since the beginning indeed. Really bad decision from Apple. Fishy thingie.” However, every iOS device has a UDID. The number was instituted so that developers and mobile advertising networks could track user behavior. However, over the past year, Apple has started to phase out apps’ access to UDIDs, as the numbers were sometimes being transmitted to third parties without the users’ consent.
The hackers said:
“We have learnt it seems quite clear nobody pays attention if you just come and say ‘hey, [the] FBI is using your device details and info and who… knows [why they are] experimenting with that’… We could have released mail and a very small extract of the data. Some people would eventiually pick up the issue but well, let’s be honest, that will be ephemeral… Eventually, looking at the massive number of devices concerned, someone should care about it.”
It’s not quite clear just why the FBI was collecting the UDIDs and personal information of over ten million iPhone and iPad users. However, it is quite certain that the data (and computer it was being stored on) was inadequately secured.
AntiSec claims the FBI has been using the Apple UDID to track individuals. However, the group hasn’t yet quoted any incidents that back its allegations. Another possible reason for this attempt is that AntiSec feels it has been unfairly targeted. According to the group the FBI “decided to hunt us down and jail our friends.”
The group may be referring to several cases in which hackers worldwide were arrested, including a number of individuals associated with the group LulzSec in the UK as well as Arizona. LulzSec made headlines when it took credit for stealing the account information of over 77 million members of Sony’s PlayStation Network. The group’s 50-day hacking attack began in May 2011, with a database of X Factor contestants.
The group also claimed responsibility for later hacking into Sony Pictures Entertainment and accessing 1 million accounts. The company reported later that 37,500 accounts had actually been breached. LulzSec then claimed to have hacked the CIA, US Senate and Public Broadcasting Service websites.
This article covers the recent Anonymous attack, which accessed over 12 million iPhone and iPad device identifiers (unique device identifiers; UDIDs), via an FBI computer. The hack was intended to highlight the FBI’s alleged tracking of Apple customers.
CIPP Exam Preparation
In preparation for the Certified Information Privacy Professional/Information Technology (CIPP/IT) exam, a privacy professional should be comfortable with topics related to this post, including:
- Personally identifiable information (I.A.c.i.)
- Determining data accountability; ownership of data (I.C.b.i.)