Tuesday, September 04, 2012

Anonymous leaks more than one million iDevice UDIDs after FBI laptop hack

Anonymous, under the purview of its Antisec anti-government / anti-big business campaign, has released 1,000,001 iDevice (iPad, iPhone) UDIDs that it says it obtained by breaching an FBI laptop. The loosely knit hacker group released the info on its site of choice, Pastebin.

While the group released one million UDIDs, Anonymous claims to have a total of over 12 million UDIDs, as well as the personal information of end users, including user names, device names, notification tokens, cell phone numbers and addresses.

Anonymous described the hack as follows:
"During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java, during the shell session some files were downloaded from his Desktop folder one of them with the name of ”NCFTA_iOS_devices_intel.csv” turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc. the personal details fields referring to people appears many times empty leaving the whole list incompleted on many parts. no other file on the same folder makes mention about this list or its purpose."
The AtomicReferenceArray exploit was the one used by Flashback on Mac OS X.

Assuming Anonymous' description of the hack is valid, the NCFTA acronym in the filename would probably refer to the National Cyber-Forensics & Training Alliance, a non-profit organization of experts from both the public and private sector that investigates cyber-crimes.

Anonymous also said there would be no further information released about the hack, and no additional interviews, until Gawker writer Adrian Chen is featured on the front page of the site, for an entire day, sporting a ballet tutu and a shoe on his head.

Why did Anonymous release the info? They said it was because otherwise the public wouldn't get on the FBI's case to find out what the organization was doing with all those UDIDs. The hacker group's statement:
"well we have learnt it seems quite clear nobody pays attention if you just come and say 'hey, FBI is using your device details and info and who the f*ck knows what the hell are they experimenting with that', well sorry, but nobody will care. FBI will, as usual, deny or ignore this uncomfortable thingie and everybody will forget the whole thing at amazing speed. so next option, we could have released mail and a very small extract of the data. some people would eventually pick up the issue but well, lets be honest, that will be ephemeral too.

So without even being sure if the current choice will guarantee that people will pay attention to this f*cking shouted 'F*CKING FBI IS USING YOUR DEVICE INFO FOR A TRACKING PEOPLE PROJECT OR SOME SH*T' well at least it seems our best bet, and even in this case we will probably see their damage control teams going hard lobbying media with bullsh*ts to discredit this, but well, whatever, at least we tried and eventually, looking at the massive number of devices concerned, someone should care about it."
We'd expect to see a lot of focus on this, indeed.

Those concerned that their UDID might be included in the released list can use this tool. Naturally, this will only tell you if your UDID is among the 1,000,001 leaked, not if your UDID is in the other 11 million.
