bassethound
04-09-12, 23:15
A hacking group has leaked over one million Apple iPhone and iPad device identifiers online after supposedly hacking into a laptop belonging to an FBI agent.
Hacktivists AntiSec claim to have infiltrated the laptop and found data on more than 12m Apple devices, including the unique device identifiers, or UDIDs.
UDIDs are unique 40-character codes assigned to all iDevices with cellular connectivity. They were previously used primarily for app registration and tracking by third-party developers, but Apple stopped that practice earlier in the year.
In an account detailing the hack, a post supposedly by AntiSec on Pastebin said: "During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team, was breached using the AtomicReferenceArray vulnerability on Java.
"During the shell session some files were downloaded from his Desktop folder. One of them with the name of 'NCFTA_iOS_devices_intel.csv' turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc.
"The personal details fields referring to people appears many times empty leaving the whole list incompleted (sic) on many parts. No other file on the same folder makes mention about this list or its purpose."
Whilst the alleged attack and subsequent UDID leak has not been verified, it has raised questions over how and why the FBI may have been able to secure the device identifiers.
AntiSec notes that the UDIDs featured varying amounts of information, with some holding just basic details, but others having full names, addresses and mobile numbers.
The group published a sample of 1,000,001 iPhone and iPad identifiers, but stripped out any identifying data and left just the Apple Device ID, Apple Push Notification Service DevToken, Device Name and Device Type data.
This enabled people to "look if their devices are listed there or not", they said.
Justin Basini, the chief executive of London-based personal data company Allow, said news that an FBI computer may have been hacked and Apple Device IDs exposed is "extremely concerning".
"It will be a worry for any iPhone and iPad user who will be wondering when they might suffer from spam or, worse, an attempt to commit crime and defraud them," he said.
"There is no foolproof way for the man on the street to prevent a hack, but people can use some sort of early warning system, so that at least they know immediately if their information is exposed.
"This would limit the risk of fraud, plus a 'disposable' email, like the one that we can generate, would mean that you never need to give out your real email address in the first place."
Hacktivists AntiSec claim to have infiltrated the laptop and found data on more than 12m Apple devices, including the unique device identifiers, or UDIDs.
UDIDs are unique 40-character codes assigned to all iDevices with cellular connectivity. They were previously used primarily for app registration and tracking by third-party developers, but Apple stopped that practice earlier in the year.
In an account detailing the hack, a post supposedly by AntiSec on Pastebin said: "During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team, was breached using the AtomicReferenceArray vulnerability on Java.
"During the shell session some files were downloaded from his Desktop folder. One of them with the name of 'NCFTA_iOS_devices_intel.csv' turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc.
"The personal details fields referring to people appears many times empty leaving the whole list incompleted (sic) on many parts. No other file on the same folder makes mention about this list or its purpose."
Whilst the alleged attack and subsequent UDID leak has not been verified, it has raised questions over how and why the FBI may have been able to secure the device identifiers.
AntiSec notes that the UDIDs featured varying amounts of information, with some holding just basic details, but others having full names, addresses and mobile numbers.
The group published a sample of 1,000,001 iPhone and iPad identifiers, but stripped out any identifying data and left just the Apple Device ID, Apple Push Notification Service DevToken, Device Name and Device Type data.
This enabled people to "look if their devices are listed there or not", they said.
Justin Basini, the chief executive of London-based personal data company Allow, said news that an FBI computer may have been hacked and Apple Device IDs exposed is "extremely concerning".
"It will be a worry for any iPhone and iPad user who will be wondering when they might suffer from spam or, worse, an attempt to commit crime and defraud them," he said.
"There is no foolproof way for the man on the street to prevent a hack, but people can use some sort of early warning system, so that at least they know immediately if their information is exposed.
"This would limit the risk of fraud, plus a 'disposable' email, like the one that we can generate, would mean that you never need to give out your real email address in the first place."