Hacker group Anonymous claims to have obtained 12 million iOS user IDs from the computer of an FBI agent and has released nearly 1 million of those IDs along with corresponding personal information. The claim, if it is true, raises important questions. For instance, what was an FBI agent doing with personal information about 12 million private citizens?
According to a post on Pastebin by members of Anonymous, the group obtained the unique device identification numbers (UDIDs) in March from the laptop of Supervisor Special Agent Christopher K. Stangl. Anonymous hacked into the laptop using a known Java vulnerability and copied 12 million UDIDs along with associated information such as user names, zip codes, cell phone numbers, and street addresses.
The post explained the group’s motivations for releasing the information. Anonymous is upset with the U.S. government for recruiting hackers to “carry out their own political agendas” and with closed systems that do not allow users to do as they wish with devices they purchase. The group is also upset about the arrest of hacker Jeremy Hammond and efforts to prosecute Julian Assange, founder of Wikileaks. The post amounts to a lengthy (if scattered) diatribe on the group’s concerns and why it continues to hack into government and corporate databases and release the information it finds.
“We decided we’d help out Internet security by auditing FBI first. We all know by now they make Internet insecure on purpose to help their bottom line. But it’s a shitty job, especially since they decided to hunt us down and jail our friends,” Anonymous wrote.
If the Anonymous list of UDIDs is real (and it looks like it is), the most pertinent question is what the FBI, and Stangl in particular, were doing with those numbers. Knowing the UDID of an iOS device could lead to tracking of that device and the credit card or social accounts it is tied to. Earlier this year, Apple shut off UDID access to App Store developers because of the potential abuse of privacy that UDIDs afford. The use of UDIDs could allow marketers and advertisers to track user location and other activities on the user’s device. That information could be very lucrative for advertisers and marketers. Apparently, it could also be useful to the FBI.
Aldo Cortesi, a coder and security consultant in New Zealand, has been preaching about the dangerous use of UDIDs for several years. He has long expected a dump of millions of UDIDs by enterprising hackers.
“I’ve often been asked ‘What’s the worst that can happen?’ My response was always that the worst case scenario would be if a large database of UDIDs leaked … and here we are,” Cortesi wrote on his personal website.
Anonymous agrees with Cortesi that establishing UDIDs was a bad idea from the beginning. “[We] always thought it was a really bad idea. That hardware coded IDs for devices concept should be eradicated from any device on the market in the future,” Anonymous wrote.
For all the group’s loud and disjointed rhetoric, the data leak put an exclamation point on the issue of FBI tracking and Apple’s use of UDIDs. Anonymous released the 1 million UDIDs to attract the attention of the FBI, Apple, federal governments and large corporations. It is safe to say that the group has their attention now.