The FBI says there is no evidence to support hacker group AntiSec’s claims that it stole digital serial numbers for more than 12 million iPhones, iPads and iPod Touches from a poorly secured agency computer.
The bureau issued a statement Tuesday indicating the agency “is aware of published reports alleging that an FBI laptop was compromised and private data regarding Apple UDIDs [Unique Device Identifiers] was exposed. At this time, there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data.”
This comes after AntiSec released more than 1 million of these records to the general public to prove it had found an FBI computer with the information and to raise questions regarding why an agency laptop contained this information in the first place.*
AntiSec claims it took the information in March from a Dell laptop used by Supervisor Special Agent Christopher K. Stangl from the FBI’s Regional Cyber Action Team and New York’s FBI Office Evidence Response Team. The hackers say they were able to steal the information thanks to a Java software flaw. Oracle (which owns the rights to Java after purchasing Java creator Sun Microsystems in 2009) had issued a patch to fix the problem in February, implying that the FBI had not plugged a security hole on this particular computer.
App developers, analytics services, social networks and gaming companies use UDIDs—40-digit-long, unique alphanumeric codes assigned to every iOS device—to track the whereabouts of the devices using their software and services. “Users have no way to stop their device from offering up their UDID, telling who their data is being sent to, or even telling that it’s happening at all,” according to a blog post published in May 2011 by Aldo Cortesi, a coder and security consultant living in New Zealand.
Concerns over the collection of user information from Apple devices have been brewing for a while. In March, the U.S. House of Representatives Committee on Energy and Commerce sent Apple CEO Tim Cook a letter requesting more information about what data is collected from customers’ mobile devices when they use certain apps. Such concerns have prompted Apple to distance itself from or outright reject apps that gather UDID information.
In addition to the UDIDs, AntiSec claims the FBI laptop contained information about the type of device, codes used to push notifications to iOS devices, user names, zip codes, cell phone numbers and addresses. AntiSec says it scrubbed the 1 million records released to include only four columns of data—UDIDs, Apple Push Notification Service DevTokens, device name and device type. One of the iPads listed bears the name “Obama.”
The data AntiSec has made available appears to be legitimate, says Marcus Carey, a researcher for computer security firm Rapid7. “This would have been an elaborate hoax to craft those records,” he adds.
The UDID wouldn’t allow someone to attack an Apple device directly, Carey says. An attacker could potentially use the UDID to log on to some apps by forging the UDID from the leaked list. “There are many apps that allow users to use the UDID to authenticate instead of the usernames and passwords,” he adds. “All of the UDIDs on the list are vulnerable to this sort of attack.”
There could be a legitimate reason why an FBI agent would have access to this data, Carey says. “Let’s say if the agent was investigating a data breach, this could be potential evidence from another compromise,” he adds. “Until we hear from the Justice Department, everything is speculation. I don’t anticipate that will have a long-term effect on Apple users.”
* Editor’s Note (9/11/12): Digital publishing company BlueToad, Inc., on September 10 claimed that it had been “the victim of a criminal cyber attack, which resulted in the theft of Apple UDIDs from our systems. Shortly thereafter, an unknown group posted these UDIDs on the Internet.” BlueToad’s admission further calls into question AntiSec’s claim that it stole the UDIDs from an FBI computer.