AntiSec has published a file they claim contains one million iOS ‘unique device identifiers’ (UDIDs) allegedly lifted from an FBI agent’s Dell laptop this March.
The hackers released portions of the file on Thursday but claim the original, said to be named “NCFTA_iOS_devices_intel.csv”, contained over 12 million UDIDs -- a 40 digit number that’s used for mobile advertising analytics.
The file allegedly from the FBI laptop is also said to contain user names, name of the device, device type, Apple Push Notification Service (APNS) tokens, post codes, mobile numbers, and another partially completed column containing personal details of people on the list.
The released version was “trimmed” of all details but the UDIDs, names attached to the device and APNS tokens, according to AntiSec.
Danish security researcher Peter Kruse says that the UDIDs are real, having cross checked his name against the iPhone and iPad UDIDs on the list. This does not, however, mean the file necessarily came from the FBI.
The hackers claimed to have used a Java flaw to acquire the file, which according to Errata Security researcher Robert Graham, fits the description of a zero day that was being exploited at the time Antisec claims it pulled off the heist.
“During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java, during the shell session some files were downloaded from his desktop folder, one of them with the name of 'NCFTA_iOS_devices_intel.csv'...” AntiSec states on the release notes containing a link to the edited file.
Stangl was one of 40 officers in a trans-Atlantic conference call that was leaked at the time of the hunt for LulzSec.
The name of the “NCFTA” could suggest a possible connection to the “National Cyber Forensics and Training Alliance”, an industry and law enforcement information sharing initiative that was established by an FBI agent in 1997.
Whatever the source of the file, Aldo Cortesi, a security consultant from New Zealand who has interrogated how app developers mis-use UDIDs, has called the leak “a privacy disaster”.
coder and security consultant Aldo Cortesi showed widespread misuse of UDIDs in amongst gaming apps, including that some game networks had linked UDIDs to Facebook profiles, meaning that they were no longer anonymous device identifiers.
“When speaking to people about this, I've often been asked "What's the worst that can happen?". My response was always that the worst case scenario would be if a large database of UDIDs leaked... and here we are,” wrote Cortesi.