The (alleged) Apple-FBI hack: 1 million and one damnations

Pop quiz: What’s a UDID? No, it’s not a birth control device.

Also, you probably haven’t been paying much attention to the blogosphere, which is abuzz with news of an alleged major Apple/FBI security breach by Anonymous offshoot AntiSec.

[ Want to cash in on your IT experiences? InfoWorld is looking for stories of an amazing or amusing IT adventure, lesson learned, or tales from the trenches. Send your story to offtherecord@infoworld.com. If we publish it, we’ll keep you anonymous and send you a $50 American Express gift cheque. | For a humorous take on the tech industry’s shenanigans, subscribe to Robert X. Cringely’s Notes from the Underground newsletter. ]

Last night AntiSec posted more than 1 million Apple UDIDs — or Unique Data Item Descriptions — it claims to have stolen from a federal agent’s laptop, part of a cache of more than 12 million. (To be clear: There’s no real proof as yet that AntiSec actually has 12 million UDIDs or that it breached an FBI computer to get them. In fact, the FBI denies both that it suffered a breach and that it collected UDIDs. Apple said it has given no one any list of UDIDs and notes that as of iOS 6, they’re being discontinued.)

In a long, rambling, expletive-rich, and often incoherent rant on Pastebin, the hacker explained the alleged source of the names:

During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team, was breached using the AtomicReferenceArray vulnerability on Java, during the shell session some files were downloaded from his Desktop folder; one of them with the name of “NCFTA_iOS_devices_intel.csv” turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDIDs), user names, name of device, type of device, Apple Push Notification Service tokens, ZIP codes, cellphone numbers, addresses, etc. The personal details fields referring to people appears many times empty, leaving the whole list incompleted on many parts. No other file on the same folder makes mention about this list or its purpose.

For proof, he/she/they posted 1,000,001 — the last one for good measure, I suppose — of them online for your downloading pleasure. Several users have weighed in at Hacker News and elsewhere to confirm that their iOS IDs were among the cache posted online.

(Wonder if yours are among them? The Next Web posted a handy lookup tool. To find your iDevice’s UDID, follow the steps outlined here or simply install one of the free apps like Get My UDID or UDID Finder that display that 40-character string for you.)

Also in that rant: A statement that the hacker would not consent to any press interviews until blogger “Adrian Chen get[s] featured [on] the front page of Gawker, a whole day, with a huge picture of him [dressed in] a ballet tutu and shoe on the head, no Photoshop.” I think we can safely rule out any nation states or individuals over the age of 14 from the list of suspects.

(Update: I am not at all surprised to report that Chen has complied with this request, so we may learn more within a few days. Also, he looks surprisingly pretty in pink.)

The most popular device name: 42,797 people named their iPhones “iPhone” (so much for the myth that Apple fanboys are creative types). A couple of devices were named “Obama’s iPad.” There was no indication whether these devices belong to the actual commander in chief or merely an empty chair.

The bigger question

Of course, even if your UDID isn’t among the 1 million posted by AntiSec, it may still be lurking amid the 11 million that haven’t been posted yet. The question on everyone’s mind: How the heck did the federales get their fingers on 12 million Apple IDs, and what were they planning to do with them?

The FBI’s response? A flat-out denial. As a side note, it turns out the agent who allegedly got pwned, Chris Stangl, was featured in a 2009 video attempting to recruit hackers over to the good side of the force. (Hat tip to Slashgear’s Chris Davies for that tidbit.)

Of course, we don’t know if AntiSec got these UDIDs from Stangl or even the feds; all we have is the word of a semiliterate digital delinquent with serious anger management issues. We don’t know if the source of these IDs was Apple, an app developer, or a series of app developers. Even if they came from the feds, we don’t know if they obtained these IDs legally via a warrant, if they were given them by companies, or if they were seized from some other hacker who had purloined them.

How big a deal is this? Blogger Aldo Cortesi calls it a “privacy catastrophe,” noting that UDIDs can be linked to other personal information, as well as the “ability to completely take over the user’s Facebook and Twitter accounts.” Personally, I’d be more worried about AntiSec taking over my Facebook and Twitter than the FBI, but maybe that’s just me. I really don’t see how much use 12 million UDIDs would be to the feds, who could certainly get access to a lot more sensitive information about us if they wanted to.

Far more worrisome to me, if this story proves true, is how easily the feds got gamed. Are all G-men laptops as porous as this one allegedly was? What other sensitive info is in there for the taking, and who else has it?

We have a lot of questions, a ton of speculation, and very few solid answers. Unless this escalates to the level of Congressional attention — in an election year, that’s a distinct possibility — we may never see any resolution.

Are you now or have you ever been a member of the Apple-ist party? Come clean below or take the fifth here: cringe@infoworld.com.

This article, “The Apple-FBI hack: 1 million and one damnations,” was originally published at InfoWorld.com. Follow the crazy twists and turns of the tech industry with Robert X. Cringely’s Notes from the Field blog, and subscribe to Cringely’s Notes from the Underground newsletter.