The Federal Bureau of Investigation is in the spotlight after Anonymous and LulzSec co-op AntiSec revealed it breached their security and extracted 12,367,232 Unique Device Identifiers (UDID) for Apple iOS devices from one of their agent’s laptops, raising concerns as to whether the federal agency is tracking users of Apple devices.
Update (9.5): The FBI is disputing these claims, having release an official statement assuring they have no information about a breach or that they possess this kind of data.
The FBI is aware of published reports alleging that an FBI laptop was compromised and private data regarding Apple UDIDs was exposed. At this time there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data.
The rest of the original story is below:
To prove their claims Anonymous published the download links to one million and one UDID’s on Pastebin, along with the statement: “we have learnt it seems quite clear nobody pays attention if you just come and say ‘hey, [the] FBI is using your device details and info and who... knows [why they are] experimenting with that’ [...] We could have released mail and a very small extract of the data. Some people would eventually pick up the issue but well, let’s be honest, that will be ephemeral... Eventually, looking at the massive number of devices concerned, someone should care about it.”
While the hacktivists trimmed out most of the personal information, the original unedited data contains the device ID and type, the name of the device, Push Notification tokens, and other personally identifiable details such as the owner's name, address, zip code, phone numbers and Apple username.
AntiSec got access to the files via the “AtomicReferenceArray” Java exploit on the Dell Vostro laptop used by Supervisor Special Agent Christopher K. Stangl of the FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team. The hackers claim the UDID content was in a large database file named “NCFTA_iOS_devices_intel.csv” saved in the user's desktop folder.
No other content on the laptop provided further evidence of its use, although the hackers suggest it could be enough basic information needed to start a tracking project. The filename is curious as well as it appears it could have come from the National Cyber-Forensics & Training Alliance, an organization that functions as an intermediary and data manager between the private industry and law enforcement agencies to “identify, mitigate and neutralize cyber crime.”
While it isn’t unusual for developers to have access to some of the data the UDID holds on each device, they don’t normally get access to the personally identifiable information it contains. AntiSec maintains they released the details purely to highlight the FBI’s alleged tracking of Apple customers.