A group of hackers claims to have stolen 12 million Apple device IDs and other user information from an FBI agent’s laptop, and has posted some of the information online.
The group, dubbed AntiSec, posted 1 million Unique Device Identifiers, or UDIDs, but removed most of the personally identifiable information from the list. AntiSec’s message is long and ranty, but touches on a desire to embarrass the FBI and to tarnish the concept of UDIDs.
A hack like this is always bound to cause a bit of a panic, so let’s walk through the main things you need to know:
What Information Was Leaked?
Although AntiSec claims to have information for roughly 12 million devices, it has only published 1 million UDIDs, along with Push Notification tokens, device names and device types. The group claims to have other personal information, including names, cell numbers, addresses and zip codes, but has not published those details.
Where Did the Information Come From?
AntiSec says it hacked the notebook of Christopher K. Stangl, a member of the FBI’s Regional Cyber Action Team and New York FBI Office Evidence Response Team, using a Java vulnerability. The files reportedly came from the agent’s desktop, with one folder named “NCFTA_iOS_devices_intel.csv.” However, at the moment there’s no proof of this claim other than AntiSec’s word.
If AntiSec’s claims are true, then the “NCFTA” referenced in the FBI agent’s folder likely refers to the National Cyber-Forensics & Training Alliance, which acts as an intelligence-gathering liaison between the feds and businesses. This suggests that either Apple, wireless carriers or app makers were providing information to the NCFTA to help fight cybercriminals.
Strangely, a story by Forbes’ Kashmir Hill from last April claims that NCFTA doesn’t collect personally identifiable information, yet AntiSec claims to have unearthed user names, numbers, addresses and more in its hack.
What’s a UDID, Anyway, and What’s the Worry?
The Unique Device Identifier is a string of letters and numbers that identifies an Apple device, but carries no personal information about the user. App developers use UDIDs to track user behavior, say, for the purpose of ad targeting or usage monitoring.
On its own, the UDID is fairly harmless, but as Aldo Cortesi points out (via Slate), UDIDs have been misused in ways that can link them to user identities, geo-locations and social media accounts. Apple is aware of these issues, and as of March has been rejecting apps that rely on UDIDs instead of alternative methods.
As far as data breaches go, this is less concerning than a full-blown e-mail/password hacking incident, but it’s still a privacy concern, especially if the FBI is involved. (Stay tuned for the inevitable outraged letters from members of Congress asking how this happened.)
How Can I Find Out If I’m On the List?
The Next Web has posted a tool that checks your device’s UDID against the AntiSec list. Note that the UDID is not your phone number. It’s a unique code associated with your iPhone, iPad or iPod Touch. A website called whatsmyudid.com will tell you how to find your device’s ID number through iTunes.
Has Apple or the FBI Responded?
AntiSec also says it won’t answer questions unless Gawker posts pictures to its homepage of writer Adrian Chen wearing a tutu. Seriously. He seems willing to play along if assured that the hackers will honor the deal. Good sport. Apple has not yet responded.
The New York Times reports that the FBI has issued the following statement:
“The F.B.I. is aware of published reports alleging that an F.B.I. laptop was compromised and private data regarding Apple UDIDs was exposed. At this time there is no evidence indicating that an F.B.I. laptop was compromised or that the F.B.I. either sought or obtained this data.”