Wickersham's Conscience

Commentary, Reviews and Nature Photography

Why Does the FBI Have Your UDID?

The hacker group Antisec has posted a list of 1 million Unique Device Identifiers (UDIDs) from a file of more than 12 million that Antisec claims to have hacked from an FBI laptop. You have to wade through a lot of wind to reach the bag, but here’s the heart of Antisec’s claim:

  During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java, during the shell session some files were downloaded from his Desktop folder one of them with the name of “NCFTA_iOS_devices_intel.csv” turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc. the personal details fields referring to people appears many times empty leaving the whole list incompleted on many parts. no other file on the same folder makes mention about this list or its purpose.

The FBI, by the way, denies any of this occurred. Do you trust the FBI? Or have we reached the point in our culture where we believe a bunch of unknown hackers (“a semiliterate digital delinquent with serious anger management issues,” according to Robert Cringely) more than we believe the FBI?

Yep.

WC isn’t sure the FBI is smart enough to even know it has been hacked.

Assuming the claims are true, WC has some questions.

First, why does the FBI have personal information about more than 12 million iPhone and iPad users? It’s true that Apple formerly tolerated iOS app developers collecting that information, but how did it get into the hands of the FBI? And why is the FBI keeping it?

Second, assuming that there is a lawful purpose for collecting and holding that information, what in the world is it doing on an unprotected, unsecure laptop computer? WC encrypts his clients’ data on his laptop, and, with all respect to the clients, it’s a lot less important than 12 million citizens’ personal information.

Third, why was an FBI laptop susceptible to a fairly primitive exploit like the AtomicReferenceArray Java vulnerability? For that matter, why is Java even implemented on an FBI laptop? Especially one that holds megabytes of personal information.

There’s no easy way to test if your information is among the million UDIDs released, let alone the other 11.3 million that Antisec claims to have. And with more than 80 million iDevices out there, the odds that your iPhone is among those exposed are relatively low.

But that’s going to be small consolation if Antisec’s hack – and Antisec isn’t composed completely of “good guys” – results in identity theft.

In the meantime, WC looks forward to the FBI’s explanation as this sorts itself out…

Written by Wickersham's Conscience

September 5, 2012 at 6:15 am

2 Responses

  1. Thank you, WC, but although I also look forward to the FBI’s explanation, I’m not holding my breath. And as an intelligent person, I doubt that you are, either.

    freshwatersnark

    September 5, 2012 at 7:49 pm

  2. Greeting WC -

    >First, why does the FBI have personal information about more than 12 million iPhone and iPad users?
    That is consistent with the FBI’s mantra – No information left behind. They could have ‘found’ that info on a “hackers” machine and copied it as evidence. They are not constrained by anything resembling fiduciary responsibility, let alone privacy concerns.

    >Second, assuming that there is a lawful purpose for collecting and holding that information, what in the world is it doing on an unprotected, unsecure laptop computer?
    Uh, no lawful purpose required, it’s the FBI. But considering that information was in a csv file, it could have been literally – couple meg at most in size, “deleted” from a former case, but not securely deleted and overwritten.

    >Third, why was an FBI laptop susceptible to a fairly primitive exploit like the AtomicReferenceArray Java vulnerability. For that matter, why is Java even implemented on an FBI laptop?
    Why was it susceptible to a simple virus – easy – Microsoft. Why is java even enabled on a govt laptop is a valid question. No “govt” laptop should have java enabled, the only thing java is good for is dancing baloney, p0rn, and Youtube singing cats. But any 13-year-old can enable java in a browser, even with permission turned off. So how an FBI agent was able to turn it on is beyond me, maybe that part was an accident…

    D.

    mrderik

    September 5, 2012 at 8:11 pm

