Why Does the FBI Have Your UDID?
The hacker group Antisec has posted a list of 1 million Unique Device Identifiers (UDIDs) from a file of more than 12 million that Antisec claims to have hacked from an FBI laptop. You have to wade through a lot of wind to reach the bag, but here’s the heart of Antisec’s claim:
During the second week of March 2012, a Dell Vostro notebook, used by
Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action
Team and New York FBI Office Evidence Response Team was breached using the
AtomicReferenceArray vulnerability on Java, during the shell session some files
were downloaded from his Desktop folder one of them with the name of
“NCFTA_iOS_devices_intel.csv” turned to be a list of 12,367,232 Apple iOS
devices including Unique Device Identifiers (UDID), user names, name of device,
type of device, Apple Push Notification Service tokens, zipcodes, cellphone
numbers, addresses, etc. the personal details fields referring to people
appears many times empty leaving the whole list incompleted on many parts. no
other file on the same folder makes mention about this list or its purpose.
The FBI, by the way, denies any of this occurred. Do you trust the FBI? Or have we reached the point in our culture where we believe a bunch of unknown hackers (“a semiliterate digital delinquent with serious anger management issues,” according to Robert Cringely) more than we believe the FBI?
WC isn’t sure the FBI is smart enough to even know it has been hacked.
Assuming the claims are true, WC has some questions.
First, why does the FBI have personal information about more than 12 million iPhone and iPad users? It’s true that Apple formerly tolerated iOS app developers collecting that information, but how did it get into the hands of the FBI? And why is the FBI keeping it?
Second, assuming that there is a lawful purpose for collecting and holding that information, what in the world is it doing on an unprotected, unsecured laptop computer? WC encrypts his clients’ data on his laptop, and, with all respect to the clients, it’s a lot less important than 12 million citizens’ personal information.
Third, why was an FBI laptop susceptible to a fairly primitive exploit like the AtomicReferenceArray Java vulnerability? For that matter, why is Java even implemented on an FBI laptop? Especially one that holds megabytes of personal information.
There’s no easy way to test if your information is among the million UDIDs released, let alone the other 11.3 million that Antisec claims to have. And with more than 80 million iDevices out there, the odds that your iPhone is among those exposed are relatively low.
But that’s going to be small consolation if Antisec’s hack – and Antisec isn’t composed completely of “good guys” – results in identity theft.
In the meantime, WC looks forward to the FBI’s explanation as this sorts itself out…