Hackers claim 12 million Apple IDs from FBI

September 4, 2012

The incident raises questions over why the FBI had held the details of consumers of Apple products [AP]

A hacker group has claimed to have obtained personal data from 12 million Apple iPhone and iPad users by breaching a Federal Bureau of Investigation (FBI) computer, raising concerns about government tracking.

The group called AntiSec, linked to the hacking collective known as Anonymous, posted one million Apple user identifiers on Monday purported to be part of a larger group of 12 million obtained from an FBI laptop.

In the posting, AntiSec said the original file “contained around 12,000,000 devices” and that “we decided a million would be enough to release”.

The group said it “trimmed out other personal data as, full names, cell numbers, addresses, zipcodes, etc”.

Contacted by AFP news agency, FBI spokeswoman Jenny Shearer said: “We’re not commenting.”

It also raises questions over why the FBI had held the details of consumers of Apple products.

Apple also did not immediately respond to a request for comment.

One website set up a database to help users determine if their device was on the hacked list of Apple unique device IDs (UDIDs).

“Quite why the FBI was collecting the UDIDs and personal information of millions of iPhone and iPad users is not yet clear – but it’s obvious that the data (and the computer it was apparently stored on) was not adequately secured,” said Graham Cluley of the British security firm Sophos.

The hacker group said it posted the information to draw attention to Apple’s practices which allow users to be tracked.

“We never liked the concept of UDIDs since the beginning indeed. Really bad decision from Apple,” it said.

‘Very worrying’

Hacker and computer security expert Jason Moon told Al Jazeera: “I think we should be very concerned”.

He said: “If the intelligence agencies are going to spy on their own citizens and retain this kind of personal information it’s very worrying that hacker can get their hands on”.

“Our enemies can get their hands on it just as easily then…So it’s kind of like doing the spying for our enemy in a sense”, he added.

“If they are going to be this negligent with the way the information is secured keeping it all in one place in the manner that they did, it’s really disturbing.”

The cyber incursion set social networking sites aflutter with technology bloggers questioning consumer privacy.

Peter Kruse, an e-crime specialist with CSIS Security Group in Denmark, confirmed on Twitter that the leak “is real” and that three of his own devices had been included.

He tweeted: “Also notice that they claim to have full name, addresses, phone numbers etc… Big ouch!”

A security expert with Tata Communications, Eric Hemmendinger, said: “The question is not whether it’s accurate, it is why did the feds have the information and why did they not take due care to secure it”.

“If you work in cybersecurity and your machine gets hacked, that’s a pretty embarrassing scenario,” he added. …


There is a web site you can use to see if your ID was one of the million released by the hackers, but then you are giving your UDID to some web site. I’d rather check for myself, so I found the file and this detail from the hackers on how they got the file:

During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent [*** Name remove ***] from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java, during the shell session some files were downloaded from his Desktop folder one of them with the name of “NCFTA_iOS_devices_intel.csv” turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc. the personal details fields referring to people appears many times empty leaving the whole list incompleted on many parts. no other file on the same folder makes mention about this list or its purpose.

via http://pastebin.com/nfVT7b0Z

Obvious question from this… What is NCFTA?

The NCFTA functions as a conduit between private industry and law enforcement with a core mission to identify, mitigate and neutralize cyber crime. In an effort to streamline intelligence exchange, the NCFTA will often organize SME interaction into threat-specific initiatives. Once a significant online scheme is realized and a stakeholder consensus defined, an initiative is developed wherein the NCFTA manages the collection and sharing of intelligence with the affected parties, industry partners, appropriate law enforcement, and other SMEs. …

If you are interested in learning more about how the NCFTA can help your organization or would like to become a partner, please contact us.

2000 Technology Drive
Suite 450
Pittsburgh, PA 15219

Phone: 412.802.8000

via http://www.ncfta.net/

Thanks for the warrant-less release of our personal data, Apple. I’m sure you were just doing what you thought was profitable, I mean morally correct. *cough* *cough* *lawsuit* *cough* I checked (by downloading the file and doing a search against it) and none of my three iPhones’ UDIDs are in the million released. Tip: use the free app eMonster UDID to email your UDID from your iPhone to yourself for reference. I also recommend securely wiping the files after you download them to check for yours. You’ll need a serious text editor like TextPad (Windows) to open the large file. Windows Notepad will probably just hang. Use a free program like Eraser (Windows) to wipe the files and you can be better than Apple at protecting people’s Apple IDs.
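A local check like the one described above, as an added example that is not part of the original post: it streams the downloaded file line by line, so file size is not a problem, and reports only the line numbers where your own UDIDs appear. The 40-hex-character UDID format, the record layout and the sample records are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumption: a UDID is 40 hex characters and appears somewhere on each record line.
UDID_RE = re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{40}(?![0-9a-fA-F])")

def normalize(udid):
    """Lower-case and validate one UDID so a typo cannot give a false 'not found'."""
    cleaned = udid.strip().lower()
    if not re.fullmatch(r"[0-9a-f]{40}", cleaned):
        raise ValueError("not a 40-character hex UDID: %r" % udid)
    return cleaned

def find_udids(path, my_udids):
    """Stream the file line by line; return {udid: [line numbers]} for matches only."""
    wanted = {normalize(u) for u in my_udids}
    hits = {}
    # errors="replace" keeps the scan going past stray non-UTF-8 bytes.
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            for match in UDID_RE.finditer(line):
                udid = match.group(0).lower()
                if udid in wanted:
                    hits.setdefault(udid, []).append(lineno)
    return hits

# Constructed sample records (not real data); the field layout is hypothetical.
SAMPLE = (
    "'0123456789abcdef0123456789abcdef01234567','tok-a','Test iPad','iPad'\n"
    "'" + "F" * 40 + "','tok-b','Test iPhone','iPhone'\n"
    "'89abcdef0123456789abcdef0123456789abcdef','tok-c','Test iPod','iPod touch'\n"
)

def demo():
    """Write the sample to a temp file and look up two constructed UDIDs."""
    mine = ["0123456789ABCDEF0123456789ABCDEF01234567 ", "1" * 40]
    with tempfile.TemporaryDirectory() as tmp:
        dump = Path(tmp) / "sample_dump.txt"
        dump.write_text(SAMPLE, encoding="utf-8")
        return find_udids(dump, mine)

if __name__ == "__main__":
    print(demo())
```

To use it on a real download, call `find_udids()` with the file's path and a list of your own UDIDs; an empty result means none of them were found.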

According to one web site, there are over 187 million devices:

I have always wondered how many devices I am targeting and finally I have close to an answer:

iPod Touch: 60 million
iPhone: 108 million
iPad: 19 million

See http://thisismynext.com/2011/04/19/apple-sues-samsung-analysis/ for more information

That’s 187 million devices.

Does the FBI have all 187 million? I have no idea, but why would they have only 12 million? What’s special about those?

P.S. Patch your Java, people!
