Immediately after news went live reporting that AntiSec hacked into an FBI agent's laptop and discovered over 12 million Apple Unique Device Identifiers (UDIDs) listed in a file stored on the desktop, the government agency flat out denied both the hack and the file's existence.
"The FBI is aware of published reports alleging that an FBI laptop was compromised and private data regarding Apple UDIDs was exposed," the FBI's website states. "At this time there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data."
The FBI Press Office wasn't quite so diplomatic on Twitter. "Statement soon on reports that one of our laptops with personal info was hacked. We never had info in question. Bottom Line: TOTALLY FALSE."
According to AntiSec, the group hacked into a Dell Vostro notebook used by Supervisor Special Agent Christopher K. Stangl from the FBI Regional Cyber Action Team and the New York FBI Office Evidence Response Team. The hack took place in the second week of March 2012 using the AtomicReferenceArray vulnerability in Java.
AntiSec said they retrieved a file called "NCFTA_iOS_devices_intel.csv" from his desktop, which contained a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, device names, device types, Apple Push Notification Service tokens, zip codes, cellphone numbers, addresses and more.
To prove that it had indeed retrieved the numbers from the FBI, AntiSec released a list of 1 million numbers, linked to their users and their APNS tokens. The group trimmed out the more sensitive data like full names, cell numbers, addresses, zip codes and more.
"Not all devices have the same amount of personal data linked. Some devices contained a lot of info," the hacktivist group stated. "Others no more than zip codes or almost anything. We left those main columns we consider enough to help a significant amount of users to look if their devices are listed there or not."
Despite the details provided by AntiSec, the FBI is denying everything like a classic X-Files episode. Even more, Apple claims that the government didn't request the information, nor did Apple provide the numbers to the FBI or any other organization.
"Additionally, with iOS 6 we introduced a new set of APIs meant to replace the use of the UDID and will soon be banning the use of UDID," Apple spokeswoman Natalie Kerris told AllThingsD.
Meanwhile, security firm Imperva updated its blog with a step-by-step tutorial on how the alleged FBI breach actually worked. It was conducted as follows:
1. The hacker used a framework to load the exploit code and generate a host to let the victim download the malicious payload.
2. The victim is tricked into accessing the malicious host, by a persistent XSS infection on a site, a malicious link in an email, or plain social engineering, to name a few methods.
3. Once the target has activated the URL, the payload is activated via the vulnerability vector and a reverse session is opened between the hacker and the victim.
4. At this stage the hacker has full control of the machine and is able to launch commands, including a prompt to execute code or search the victim's host.
"If the hackers have what they claim, they may be able to cross reference the breached data to monitor a user’s online activity—possibly even a user’s location," Imperva said on Tuesday. "To be clear, the released database is sanitized so you cannot perform this type of surveillance today. But with the full information that hackers claim to have, someone can perform this type of surveillance. This implies that the FBI can track Apple users."
Let's hope the hacking is all fake and merely a ploy to get attention.