HackerNews linked last night to a Pastebin file, a long, rambling diatribe by the hacker group AntiSec, which eventually says the group infiltrated an FBI laptop in March and downloaded files from the machine. One of those files, NCFTA_iOS_devices_intel.csv, is the source of the more than 1 million Apple UDIDs the group published; the group claims the file holds over 12 million UDIDs plus other personal information, all of it apparently gathered after breaching the Dell Vostro of an FBI agent.
During the second week of March 2012, a Dell Vostro notebook used by Supervisor Special Agent Christopher K. Stangl from the FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability in Java. During the shell session, some files were downloaded from his Desktop folder; one of them, with the name “NCFTA_iOS_devices_intel.csv”, turned out to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc.
The “NCFTA” in “NCFTA_iOS_devices_intel.csv” looks like it stands for the National Cyber-Forensics and Training Alliance, which “functions as a conduit between private industry and law enforcement.” (http://www.ncfta.net/)
Apple had previously said it would limit developer access to UDIDs, and the Pastebin post asserts that AntiSec published the identifiers, after first stripping out full names, cell numbers and addresses, to warn people that the FBI is tracking U.S. citizens with the mobile data.
Fun Fact: 166 devices in the data set are named “Titanic” or “The Titanic” because of the “Titanic is syncing” joke.
Cydia creator Saurik took to Hacker News to note that it is unlikely that the source was related to jailbreaking:
I run Cydia, and have determined only 16.7% of the UDIDs in that file are from jailbroken devices: I thereby do not believe that whatever managed to get this data is anywhere in our ecosystem.
The UDID information is consistent with what developers with push-notification capabilities can obtain. However, developers with 12 million accounts are few and far between.
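As an added illustration of the kind of check saurik describes (this is example code written for this post, not code from Cydia, Instapaper, AntiSec or anyone else named here), the following Python parses a constructed sample in the column layout the Pastebin statement lists, keeps only rows whose UDID is a 40-hex-character identifier and whose APNS token is 64 hex characters, reports what fraction of the well-formed UDIDs appear in a reference set, and counts devices by name. The column order, the sample rows and the reference set are all assumptions made up for the example; a real comparison would load the published dump and a real reference set in their place.

```python
import csv
import io
import re

# Constructed sample rows (every value here is made up) in an assumed column
# layout: UDID, APNS token, device name, device type. The real file carried
# more columns; the order used here is an assumption for the example.
SAMPLE_CSV = """udid,apns_token,device_name,device_type
0123456789abcdef0123456789abcdef01234567,00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff,Titanic,iPad
89abcdef0123456789abcdef0123456789abcdef,ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100,Alice's iPhone,iPhone
deadbeefdeadbeefdeadbeefdeadbeefdeadbeef,0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef,The Titanic,iPod touch
not-a-udid,short,Bob's iPhone,iPhone
"""

# A UDID of that era was the 40-hex-character SHA-1 Apple computed per device;
# an APNS device token is 32 bytes, i.e. 64 hex characters.
UDID_RE = re.compile(r"^[0-9a-f]{40}$")
APNS_TOKEN_RE = re.compile(r"^[0-9a-f]{64}$")

# Constructed stand-in for a reference set such as the UDIDs Cydia has seen.
JAILBROKEN_UDIDS = {"0123456789abcdef0123456789abcdef01234567"}


def parse_rows(text):
    """Parse CSV text and lowercase the hex fields so set matching is exact."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["udid"] = row["udid"].strip().lower()
        row["apns_token"] = row["apns_token"].strip().lower()
        rows.append(row)
    return rows


def well_formed_rows(rows):
    """Keep only rows whose UDID and APNS token have the expected shape.

    Malformed rows are dropped rather than counted, so they cannot drag the
    overlap fraction down and make a data set look less related than it is.
    """
    return [
        r for r in rows
        if UDID_RE.match(r["udid"]) and APNS_TOKEN_RE.match(r["apns_token"])
    ]


def reference_fraction(rows, reference):
    """Fraction of well-formed UDIDs that also appear in a reference set."""
    good = well_formed_rows(rows)
    if not good:
        return 0.0
    hits = sum(1 for r in good if r["udid"] in reference)
    return hits / len(good)


def count_device_names(rows, names):
    """Count rows whose device name matches one of the given names (case-insensitive)."""
    wanted = {n.lower() for n in names}
    return sum(1 for r in rows if r["device_name"].strip().lower() in wanted)


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_CSV)
    print("rows:", len(rows), "well-formed:", len(well_formed_rows(rows)))
    print("in reference set: {:.1%}".format(reference_fraction(rows, JAILBROKEN_UDIDS)))
    print("Titanic devices:", count_device_names(rows, ["Titanic", "The Titanic"]))
```

The format filter matters for this kind of comparison: if the dump contains junk or truncated rows, counting them in the denominator understates the overlap with whatever reference set is being tested.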
Update: Marco Arment, developer of Instapaper, said it is unlikely the FBI data came from his database server:
For everyone asking: The Instapaper FBI server thing didn’t involve the disks being taken, and I had nowhere near 12 million user records.— Marco Arment (@marcoarment) September 4, 2012
Also, Instapaper did log UDIDs with user accounts in the past, but has never transmitted or logged any of those other fields.— Marco Arment (@marcoarment) September 4, 2012
He also blames the AllClear ID app for the problem, saying it is the “likely culprit”:
Update 2: Marco is not very happy about the accusations:
@llsethj It’s not a laugh when people start accusing me of giving data to the FBI, asshole.— Marco Arment (@marcoarment) September 4, 2012
The hacker group will not release any more information on the hack until Gawker puts a picture of one of its writers on its homepage, wearing a ballet tutu with a shoe on his head, for an entire day (something not out of the realm of possibility on a normal day, if we are being honest with ourselves).
to journalists: no more interviews to anyone till Adrian Chen gets featured on the front page of Gawker, a whole day, with a huge picture of him dressed in a ballet tutu and a shoe on his head, no photoshop. yeah, man. like Keith Alexander. go, go, go. (and there you'll get your desired pageview numbers too) Until that happens, this whole statement will be the only thing getting out directly from us. So no tutu, no sources.