Those pesky internet devils, AntiSec, announced in a posting on a hacker’s site the following:
During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java, during the shell session some files were downloaded from his Desktop folder one of them with the name of ”NCFTA_iOS_devices_intel.csv” turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc. the personal details fields referring to people appears many times empty leaving the whole list incompleted on many parts. no other file on the same folder makes mention about this list or its purpose.
Out of the 12 million, the group posted one million of the UDIDs. There's a whole bunch of things wrong with this.
#1: UDIDs are Unique Device Identifiers. For an iPhone, iPad or iTouch, the UDID is a 40-character, device-specific number that identifies that Apple device within the iOS ecosystem. UDIDs are used in all sorts of ways between developers and iTunes, and you can find your device's UDID via a few different apps that you can download for free. UDIDs are mostly used for testing apps before they are made available in iTunes, but there are other uses that require being able to ID a specific device. You can check to see if your device UDID was part of the posting via this site.
#2: The group stole these 12 million UDIDs from the laptop of an FBI agent, and there are also claims that personal info is associated with each number, like name, cell number, addresses and notification tokens (i.e., what you've allowed to push notify/send info to the front of your device's screen). Why'd they steal it? Because of….
#3: Why exactly was an FBI agent walking around with a laptop with 12 million private citizens' UDIDs, and how did he get them? What are they being used for?
NBC News is reporting that a source within the FBI is claiming that the whole thing is a hoax and a lure to get people to go to the site where the original posting is hosted, with malware hidden within the page. Several other sources are reporting they cannot find any such malware on the page. (This is why I haven't copied that link within this story, 'cause I ain't sure.)
What does this mean to you? Probably nothing. You can find your UDID, put part of it in the search link mentioned above, and if it doesn't appear you're safe. But even if it does appear, there isn't much anyone can do with it at this time. And while it is frustrating that this kind of data can be stolen, from the FBI no less, the larger question at hand is certainly why the FBI even had the data.
More to come as it develops.