Skip to main content

Apple, FBI Deny UDIDs Discovered by AntiSec

Immediately after news went live reporting that AntiSec hacked into an FBI agent's laptop and discovered over 12 million Apple Unique Device Identifiers (UDIDs) listed on a file stored on the desktop, the government agency flat out denied both the hack and the file's existence.

"The FBI is aware of published reports alleging that an FBI laptop was compromised and private data regarding Apple UDIDs was exposed," the FBI's website states. "At this time there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data."

The FBI Press Office wasn't quite so diplomatic on Twitter. "Statement soon on reports that one of our laptops with personal info was hacked. We never had info in question. Bottom Line: TOTALLY FALSE."

According to AntiSec, the group hacked into a Dell Vostro notebook used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team. The hack took place in the second week of March 2012 using the AtomicReferenceArray vulnerability on Java.

AntiSec said they retrieved a file called "NCFTA_iOS_devices_intel.csv" from his desktop which contained a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zip codes, cellphone numbers, addresses and more.

The prove that it indeed retrieved the numbers from the FBI, AntiSec released a list of 1 million numbers linking to their users and their APNS tokens. The group trimmed out the more sensitive data like full names, cell numbers, addresses, zip codes and more.

"Not all devices have the same amount of personal data linked. Some devices contained lot of info," the hactivist group stated. "Others no more than zip codes or almost anything. We left those main columns we consider enough to help a significant amount of users to look if their devices are listed there or not."

Despite the details provided by AntiSec, the FBI is denying everything like a classic X-Files episode. Even more, Apple claims that the government didn't request the information, nor did Apple provide the numbers to the FBI or any other4 organization.

"Additionally, with iOS 6 we introduced a new set of APIs meant to replace the use of the UDID and will soon be banning the use of UDID,” Apple spokeswoman Natalie Kerris told AllThingsD.

Meanwhile. Security firm Imperva updated its blog with a step-by-step tutorial on how the unofficial FBI breach actually worked. It was conducted as follows:

1. The hacker used a framework to load the exploit code and generate a host to let the victim download the malicious payload.
2. The victim is tricked to access the malicious host, by either persistent XSS infection on a site, malicious link in an email, or plain social engineering to name a few.
3. Once the target has activated the URL, the payload is activated via the vulnerability vector and a reverse session is opened between the hacker and the victim.
4. The hacker at this stage has full control on the machine and is able to launch commands including a prompt to execute code or search the victims host.

"If the hackers have what they claim, they may be able to cross reference the breached data to monitor a user’s online activity—possibly even a user’s location," Imperva said on Tuesday. "To be clear, the released database is sanitized so you cannot perform this type of surveillance today.  But with the full information that hackers claim to have, someone can perform this type of surveillance.  This implies that the FBI can track Apple users."

Let's hope the hacking is all fake and merely a ploy to get attention.

Contact Us for News Tips, Corrections and Feedback

  • blurr91
    Between the government and the hacker group, I'm not sure which I would trust more.
    Reply
  • amuffin
    Agreed^^
    Reply
  • nacos
    blurr91Between the government and the hacker group, I'm not sure which I would trust more.If there's one thing I hate almost as much as secretive government agencies, it's "vigilante" hacker groups who do what they think is right regardless of the impact or popular opinion.
    Reply
  • A Bad Day
    blurr91Between the government and the hacker group, I'm not sure which I would trust more.
    Welcome to the club.
    Reply
  • thecolorblue
    the government NEVER lies
    there is ZERO documentation proving lies by the FBI.... erm..

    ...HAHAHAHAHAHAHAHAHHHAAAA
    Reply
  • hrhuffnpuff
    I do not trust either the Government nor Crapple. Both deceive and sadly people still believe in both. As for the hacking group, leave them be. A little vigilantism never hurts. Just ask Charles Bronson.
    Reply
  • DavidRitchey
    Vigilante hacker groups are far more righteous than a government secretly operated by the owners of the corrupt, private, "Federal" Reserve.
    Read about the history of the USA, dead presidents, and presidential memoirs.
    DOWN with the FED. DOWN with dishonorable government. It's the American way. Go vigilantes!
    Reply
  • Nills
    I am not sure who is telling the truth, but it doesn't matter. I'm playing on my Macbook and some dev can have an UDID call as part of a flash game. Apple needs to patch this BS, and quit trying to play monopoly.
    Reply
  • blazorthon
    DavidRitcheyVigilante hacker groups are far more righteous than a government secretly operated by the owners of the corrupt, private, "Federal" Reserve.Read about the history of the USA, dead presidents, and presidential memoirs.DOWN with the FED. DOWN with dishonorable government. It's the American way. Go vigilantes!
    Being better than the USA government is easy. However, I wouldn't call them good, just the lesser of the two evils to an extreme.
    Reply
  • neoverdugo
    Liar, Liar! Pants on Fire! The FBI Bought those files from Apple as part of spying the population program. Like Facebook, Apple sold our privacy for money like mercenaries. (However, i don't own an iphone, ipad or itouch)
    Reply