Antisec (a hacking group) is at it again, and this time they’ve surprised us with an example of how lax the United States’ security policies have become. Antisec managed to hack an FBI agent’s Dell laptop computer. Utilizing a shell session, the hacker(s) noticed a file sitting on the FBI agent’s desktop that looked interesting. They grabbed the file and voilà, were now in possession of 12 million Apple UDIDs (unique device IDs), of which they released 1,000,001 (yes, that’s a “1”) on Pastebin.
According to Antisec:
There you have. 1,000,001 Apple Devices UDIDs linking to their users and their APNS tokens. The original file contained around 12,000,000 devices. We decided a million would be enough to release. We trimmed out other personal data such as full names, cell numbers, addresses, zip codes, etc. Not all devices have the same amount of personal data linked. Some devices contained a lot of info.
They went on to explain how they hacked the machine:
During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java. During the shell session some files were downloaded from his Desktop folder; one of them, with the name of "NCFTA_iOS_devices_intel.csv", turned out to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zip codes, cellphone numbers, addresses, etc. The personal details fields referring to people appear many times empty, leaving the whole list incomplete on many parts. No other file on the same folder makes mention about this list or its purpose.
The FBI denies that anything was stolen from them and posted the following press release on their website:
The FBI is aware of published reports alleging that an FBI laptop was compromised and private data regarding Apple UDIDs was exposed. At this time, there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data.
What’s most worrisome to us is that an FBI agent (a supervisor and member of the Cyber Action team no less) would be carrying such an important file around on a laptop – unencrypted! Then I guess you have to also ask (1) why does the FBI have this personal information and (2) how did the FBI come into possession of this data? Oh yeah, and why did Apple release this data to the FBI in the first place?