Author Topic: FBI finds no evidence that AntiSec hacked its laptop  (Read 597 times)

Offline javajolt

FBI finds no evidence that AntiSec hacked its laptop
« on: September 05, 2012, 12:26:45 AM »
Hackers say they got data on Apple device users from FBI agent's laptop, but the agency denies knowing anything about it.

The FBI said today that it does not know anything about a laptop that hackers say they compromised and that led them to millions of Apple iOS device user details, of which 1 million have been released on the Web.

"The FBI is aware of published reports alleging that an FBI laptop was compromised and private data regarding Apple UDIDs was exposed," said an FBI spokesperson. "At this time there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data."

Although the agency says it can neither confirm nor deny that a compromise happened, that doesn't mean it didn't happen. And it doesn't speak to the issue that data of potentially millions of iOS devices has been leaked. CNET has verified the authenticity of some of the user account details that the hackers released.

The Anonymous-affiliated group AntiSec said in its post last night that it had actually obtained 12 million Apple Unique Device Identifiers (UDIDs) from the laptop of FBI supervisory special agent Christopher K. Stangl by exploiting a Java vulnerability, but that it released only data from 1 million devices. It said it was able to download files from the agent's laptop, including one entitled "NCFTA_iOS_Devices_intel.csv," which had the data, including user names, device name, device type, zip codes, cell phone numbers, addresses and Apple Push Notification Service tokens. (You can use this site to see if your iOS device is on the list.)

The @AnonyOps Twitter account responded to the FBI statement, saying "FBI says there was no hack. That means either they're lying or they *gave* the information up to someone in #antisec. It's happened before."

CNET talked to a few people whose devices were on the list and whose names and numbers were included in their "Device Name Field." CNET also was able to use the data, which had been mostly scrubbed by the hackers of any personally identifiable information, to find names and phone numbers. People on the list could be targets for phishing attacks based on the information on the list and even more at risk if someone did a little bit of digging.

Apple representatives did not respond to requests for comment. The company has said it will phase out UDIDs because of privacy concerns, but it's unclear when that will happen and what will replace them that will allow developers to track usage of apps without revealing too much user information.

The vast majority of AntiSec data dump claims turn out to be true. And while people usually get testy at the hackers for stealing the data, in this case -- assuming that this data had been on the FBI laptop -- people seem to be more angry with the government.

The big questions on everyone's minds are why the FBI would have that UDID information and how it got it. But there are other questions, such as what other information does the FBI have that we don't know about? The file name gives a clue that is interesting. The acronym NCFTA stands for "National Cyber-Forensics & Training Alliance," which is a nonprofit created to serve as a "conduit between private industry and law enforcement with a core mission to identify, mitigate and neutralize cyber crime," according to the Web site. NCFTA did not immediately return a call seeking comment this afternoon.

"Look at the name of the file," said Frank Heidt, chief executive of Leviathan Security. "What makes anyone think there's not an Android file or an AT&T file? I'm waiting for the other shoe to drop. Why only Apple? It makes no sense."

Greg Wilson, a Tempe, Ariz.-based musician and teacher whose data was on the list, said he suspects that the government has a lot of data on people that it shouldn't because of cooperation with the technology providers.

"I'm not surprised. I saw 'Enemy of the State' and I've read '1984,'" he told CNET in a phone interview. "I'm saddened. President Bush had such cachet with the world after 9/11 and this is where it's descended to."

"Maybe, I shouldn't be looking at so much porn," joked one man contacted by CNET who asked not to be named.

Whoever the hackers got the data from apparently didn't use the basic security measures to protect it from prying eyes, including having a sensitive user file unencrypted on an unsecured laptop. And then there is the worry about what criminals can do with the data now that it is public.

"I don't know if you want people having that push token. Given that and the UDID and username I could arbitrarily load an app on your phone," Heidt said.

The very use of the .csv import-export file format poses questions. "Who exported it and where are they going to import it?" he added, assuming that the FBI had the data. "We are at least owed the 'why.' I think our government at least owes us that."

Calling the UDID leak a "privacy catastrophe," security consultant Aldo Cortesi wrote in a blog post that he has found numerous instances of gaming social networks and related sites, including Open Feint, "using and misusing" UDIDs. (Open Feint was used by CNET to get more data on the victims in this data leak than the hackers provided, for example.)

"When speaking to people about this, I've often been asked 'What's the worst that can happen?'" Cortesi wrote. "My response was always that the worst case scenario would be if a large database of UDIDs leaked... and here we are."

Updated 2:20 p.m. PT with more background and reaction.