FBI hack yielded 12 million iPhone and iPad IDs, Anonymous claims

Hackers associated with Anonymous have published a million unique device identifiers from Apple devices, claiming they were taken from an FBI computer. The alleged hack was intended to publicise the existence of some kind of secret FBI tracking project.
Written by David Meyer, Contributor

Hackers associated with Anonymous claim to have swiped more than 12 million Apple iPhone and iPad device identifiers from an FBI computer.

Someone using the banner of AntiSec — a 14-month-old joint operation of Anonymous and LulzSec — posted a document to Pastebin on Monday that contained links to around a million Apple unique device identifiers (UDIDs). The anonymous poster said the release was intended to highlight the FBI's alleged tracking of Apple customers.

AntiSec claims to have stolen 12 million device IDs for Apple iPads and iPhones.

"We never liked the concept of UDIDs since the beginning indeed," the post read. "Really bad decision from Apple. Fishy thingie."

Every iOS device has a UDID. The number was put in place so developers and mobile advertising networks could track user behaviour. However, over the last year Apple has been phasing out apps' access to UDIDs, as the numbers were sometimes being transmitted to third parties without users' consent.

According to the post, which was linked to from a well-known Anonymous Twitter account, the hackers got into the Dell laptop of FBI special agent Christopher Stangl during the second week of March this year. Stangl works at the FBI's New York field office, and has been a prominent face in the agency's cybersecurity recruitment efforts.

AntiSec said the hack, which apparently exploited a Java vulnerability, yielded a CSV file containing "a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service [APNS] tokens, zipcodes, cellphone numbers, addresses, etc".

1,000,001 released

The hackers said they were publishing 1,000,001 of the UDIDs and APNS tokens as that was "enough to release". They stressed that they had stripped out the other personal data held in the file, noting that not all the listed devices have the same amount of personal data linked.

"We have learnt it seems quite clear nobody pays attention if you just come and say 'hey, [the] FBI is using your device details and info and who... knows [why they are] experimenting with that'," the document read. "We could have released mail and a very small extract of the data. Some people would eventually pick up the issue but well, let's be honest, that will be ephemeral... Eventually, looking at the massive number of devices concerned, someone should care about it."

The hackers added that it was "the right moment" to release the data as Apple was currently looking for alternatives to the UDID system.

"In this case it's too late for those concerned owners on the list," the document read. "We always thought it was a really bad idea. That hardware coded IDs for devices concept should be eradicated from any device on the market in the future."

The document, which is written in slightly broken English, has near its end an insult about US presidential candidate Mitt Romney, written in German.

Editorial standards