A hacker collective known as AntiSec has published over a million Apple device IDs that it claims were captured from the laptop of an FBI agent. If you own an iPhone or iPad, you might be wondering what this hack means to you, and you might also be curious about why the FBI had your Apple UDID in the first place.
The information was acquired and released by the hackers as a political statement. The lengthy diatribe posted on Pastebin along with the hacked Apple ID info rants about government oppression and hypocrisy.
According to the letter from AntiSec, there were approximately 12 million Apple device IDs stored in the file on the FBI laptop. It chose to release just a portion rather than publishing all 12 million. AntiSec could have simply published the data it acquired without scrubbing it first, but the point it’s trying to make is against the government and the FBI—not the individuals whose information happened to be in the hands of the FBI.
Andrew Storms, director of security operations for nCircle, stresses that the Apple device UDID information itself doesn’t really pose a risk to users. “UDIDs in isolation aren’t a big deal. In fact, Apple used to permit apps to spew UDIDs all over the place, so there’s a lot of UDID data already in the public domain. For a while, there were a lot of apps using UDID and personal data to track users activity and selling it to advertisers.”
But, the hack of an FBI laptop yielding information on 12 million Apple devices does bring up another very valid question. As Storms puts it, “This release does make you wonder what the heck the FBI and the DOJ were doing with 12 million UDIDs. Are they working on a case involving Apple or an app maker? And, assuming there is a legitimate reason for the FBI to have this data, why wasn’t it better protected?”
I have reached out the FBI Office of Public Affairs seeking an official explanation or statement regarding why the FBI was in possession of the Apple device UDID information at all, as well as whether or not there should have been stronger protection in place to guard such sensitive data. As of this moment, the FBI has not yet responded.
[Update]
The FBI has issued a statement flatly denying that the hacked Apple device IDs published by AntiSec came from an FBI computer, or that the FBI is in any way involved in collecting such data in the first place:
“The FBI is aware of published reports alleging that an FBI laptop was compromised and private data regarding Apple UDIDs was exposed. At this time, there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data.”
The FBI statement puts the ball back in AntiSec’s court. One side or the other isn’t being completely honest here. AntiSec does seem to be in possession of vast quantity of Apple device ID data. The question is, if the data didn’t come from a hacked FBI laptop, where did the information come from and how did AntiSec acquire it?