In what looks to be one of the worst privacy disasters yet, the hacking collective known as AntiSec has released a list of 1,000,001 Apple Unique Device Identifiers (UDIDs) that they’ve allegedly obtained from an FBI breach. This is supposedly from a much larger cache of 12 million UDIDs that the group managed to purloin during their raid. Not only did the files include the UDIDs, but many of these had other identifying information attached, such as usernames, cell phone numbers, and addresses. Lovely.
How, exactly, did they manage to snatch such a glorious list? This is obviously a huge win for anyone looking to expose exactly what kind of information the United States government keeps on folks. AntiSec’s manifesto clearly summarizes how they obtained the file in the first place:
During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java, during the shell session some files were downloaded from his Desktop folder one of them with the name of “NCFTA_iOS_devices_intel.csv” turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc. the personal details fields referring to people appears many times empty leaving the whole list incompleted on many parts. no other file on the same folder makes mention about this list or its purpose.
The takeaway here is that the information stems from the second week of March, so it’s about seven months old at least. The file name, if AntiSec’s account is to be considered accurate, could refer to the National Cyber-Forensics & Training Alliance, a non-profit corporation that brings together the public and private sector in order to fight cyber crime. Even so, the FBI’s intended use for such data is nebulous at best, regardless of the charges leveled at them by AntiSec. That doesn’t mean AntiSec’s wrong; it just means that the evidence isn’t yet damning enough.
Luckily for anyone wanting to search the 1,000,001 UDIDs, Sean MacGuire has already taken it upon himself to create a tool with which they can do so. Even if a specific UDID fails to pop, that doesn’t mean it isn’t sitting in the much larger list that AntiSec has kept for themselves at the moment.
- New earbuds might be coming with the iPhone 5
- This isn’t the first time AntiSec has made the rounds
- AntiSec has an awful lot in common with LulzSec