12 million iPhone and iPad device IDs hacked from the FBI, Anonymous claims

Hackers have published a collection of what they say is over a million Unique Device Identifiers (UDID), connected with Apple iPhones and iPads.

Headline used by hackers in their posting

The data, claims the hackers, is just part of a larger database of 12,367,232 UDIDs, and personal information such as full names, cellphone numbers, addresses and zipcodes belonging to Apple customers. The data was allegedly stolen via a Java vulnerability from a laptop belonging to an FBI cybersecurity agent:

"During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java, during the shell session some files were downloaded from his Desktop folder one of them with the name of ”NCFTA_iOS_devices_intel.csv” turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc. the personal details fields referring to people appears many times empty leaving the whole list incompleted on many parts. no other file on the same folder makes mention about this list or its purpose."

Quite why the FBI was collecting the UDIDs and personal information of millions of iPhone and iPad users is not yet clear - but it's obvious that the data (and the computer it was apparently stored on) was not adequately secured.

I suppose we should be pleased that the hackers have not, as yet, published the majority of the information they claim to have purloined from the FBI through the hack - including the personal information about members of the public.

As such, my suspicion is that the hackers were more interested in embarrassing the FBI's team than endangering innocent users.

All the same, hacking into computers is a criminal act - and I would anticipate that the FBI and other law enforcement agencies will be keen to hunt down those responsible.

Mitt Romney, journalists wearing tutus, and a shoe on head

If it helps cut down the number of suspects at all, here's a clue to help the FBI with their investigation.

Attached to the end of the hackers' announcement is the following phrase in German:

"Romney aber, sag's ihm, er kann mich im Arsche lecken!"

This translates into English as:

"Romney, however, tell him he can kiss the asses!"

Clearly not a fan of the Republican party then..

Adrian Chen. Image from Twitter

And someone else that the hackers aren't huge fans of is Gawker journalist Adrian Chen.

Chen has become something of a bête noire for the likes of 4Chan and Anonymous.

Whoever was responsible for the latest hack says that they will only agree to speak to the press if a photo of Chen, dressed as a ballerina with a shoe on his head, is published on the main page of Gawker.

Hackers demand Chen wears a tutu

The whole "shoe on the head" thing is a 4Chan meme - victims are told they have to take a photograph of themselves wearing a shoe on their head for the amusement of hackers.

Whatever tickles your fancy I suppose..

21 Responses to 12 million iPhone and iPad device IDs hacked from the FBI, Anonymous claims

  1. Valerie · 714 days ago

    Er, "er kann mich im Arsche lecken" literally means "he can lick my ass," but I'm pretty sure it gets used the same way "he can kiss my ass" does in English. "He can kiss the asses"? That's just weird.

  2. Dinah Greek · 714 days ago

    What I find alarming is the fact .. if it is a fact and not an exaggerated boast... that the FBI has the personal details of all these Apple users .. are they really monitoring and alarmed about 12 million suspected terrorists, criminals, activists, (add whatever other considered criminal, subversive activity you can think of) all of whom can afford Apple devices?

  3. Someone · 714 days ago

    You're kidding me right? They search for who's hacked and into the FBI's pc but not WHY they keep such information? Maybe this is not illegal...?

    • Someone2 · 714 days ago

      I agree with you. Yes it's important to know who the hackers are but I have an iPad, iPhone...etc & I'm not a criminal!!!! I had to give my cell phone number to the trusted travelers program to be used in conjunction with my US passport which of course they check with the FBI to see if you are a criminal! No wonder I've been getting so many strange calls........

      • Rob · 714 days ago

        I also joined the Trusted traveler Program (NEXUS) and giving my phone numbers, address, and email address up are required. I also have got a lot of phone calls from places I never heard of, and usually don't answer. I suspect most are junk calls, but who knows.

        • Someone2 · 714 days ago

          Rob, my cell & home phone numbers keep getting strange calls even though I am on the do not call list and my most private trusted email address is suddenly filled with a little too much junk mail....
          It makes me wonder what kind of security the FBI & other governmental agencies have in place......

  4. stuart · 714 days ago

    What amuses me even more than the data breach is that the FBI use Vostro laptops not the Latitudes with FDE. Cheapskates.

  5. Pimpboy · 714 days ago

    Well I guess I won't be using my iPhone to talk dirty to my wife again..

  6. Jan · 714 days ago

    Hi Graham,

    I found your article very interesting and worthwhile, however, I would like to
    point out one thing:

    You wrote:
    If it helps cut down the number of suspects at all, here's a clue to
    help the FBI with their investigation.

    Attached to the end of the hackers' announcement is the following
    phrase in German:

    "Romney aber, sag's ihm, er kann mich im Arsche lecken!"

    This translates into English as:
    "Romney, however, tell him he can kiss the asses!"
    Clearly not a fan of the Republican party then..

    I would like to add:
    There's more to be learned from that sentence, which is actually a
    quote from the story "Der Götz von Berlichingen" by Johann Wolfgang
    von Goethe. This seems to indicate a high level of education and a
    fondness for good German literature besides the contempt for the
    Republicans (Goethe is considered good literature for sure). Also,
    your translation is a little off. Literally, it would be translated
    as: "Romney, however, he can kiss the inside of my Ass".

    In literature, the original phrase, which does not mention Mitt
    Romney, is usually translated as: "But he, tell him, can lick my
    arse".
    Just wanted to get that off my chest, thanks for listening, Jan

    • Graham Cluley · 714 days ago

      Thanks for the extra information Jan!

      So we have a Goethe-loving hacker!

      • Rob · 714 days ago

        Does this mean at least one of the hackers was German and in Germany?
        Hackers have to have some intelligence, and maybe reading good literature is a clue to their intelligence.

        • Nigel · 714 days ago

          ...er, it's not entirely clear that hacking the FBI provides evidence of actual intelligence. The most you could say is that, if these hacknoids have any intelligence, it's highly compartmentalized.

  7. jessie · 714 days ago

    they also quote several other books, are clearly literate and intelligent and political, but you've managed to bring this back to adrian chen, shoe on head (it's "shoe on head", not "a shoe on head") and mitt romney? you didn't address any of the political points here, the re-emergence of a starkly politicized anon with a major breach of both FBI security and .. wait, why do the FBI have this information? infosec story of the year and you treat them like script kiddies? yikes. graham-- shoe on head!

  8. Guest · 714 days ago

    That incident, assuming the info we have at this point is correct, raises a few other questions

    - is it legal for Apple to dump personal information about its customers (obviously standard average customers given the UDID and real world ID confirmations we are now seeing) to a Law Enforcement Agency outside any legal process? Give us your Big Data, just in case we need to correlate it later, or use it to deploy our own spyware...

    - It's quite obvious that large US companies will frequently share anyone's private data with law enforcement, for any reason. Big dumps are quite cheap compared to targeted requests and subpoenas. Isn't that a bit worrying in the long run, especially if neither the companies, nor the agencies can keep it safe?

    - is it legal for an FBI employee to travel/connect to the outside world with a laptop containing such a database, thereby potentially exposing it to the world?

    - except for common sense (not exposing the database, not following potentially well crafted phishing e-mails, etc...) how would one avoid zero days in widespread software. If you have a solution to, as you say, "properly secure" that poor chap's machine under those circumstances, feel free to reveal it to the world...

    AFAIC, I see no immediate solution in a world where intentionally leaked information can be correlated (cf that Wired journalist misadventure) and exploited, where companies can't secure their data (countless examples) and where high profile cyber-security officials not only misbehave but seem to be blissfully unaware of the risks an ever expanding attack surface implies.

    As in most high profile cases, I have no doubt a tremendous amount of resources will be put into the hunt for the hacker and some young guy might very well end up behind bars thanks to BSI, GCHQ or others. But it seems this also reveals other crimes which may have far reaching long term consequences...

  9. Alex B · 714 days ago

    Anyone actually confirmed their device is on the list?

  10. zitlips · 714 days ago

    Well I guess that was 1 FBI agent with a lot of information we as a FREE America don't exactly feel good about him having. Privacy rights? Where in the heck did those go?
    So many names and numbers on one man's memory files and if we multiply that by the number of agents in that one department, then we are probably without any privacy at all as a nation and as a world.
    Rather disgusting in my opinion.

    • Alex B · 713 days ago

      This was pretty much my thoughts. 12 million records out of what? Nearly 400 million Apple devices?

      Seems that the research Frederic Jacobs is conducting (http://fredericjacobs.com/identifying-the-traitor) is finding no particular patterns of ownership or usage. Pretty random results so far; worldwide spread, iPhones and iPads, some with lots of downloaded apps, others with no extra apps. Is it reasonable to just assume this is a small sample of a complete dataset that is now out of Apple's control?

      FBI involved or not, Apple is responsible for the data's existence.

  11. cascades · 706 days ago

    I think the original post had an exploit of some sort for Mac users: following a link from a CNN article, my console log immediately reported failed "su -" messages and later on a contact in my address book reported what appeared to be a malicious email with a link in it.

  12. Coeptis · 638 days ago

    WTF the German text makes no sense.

About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.