The FBI said today that it does not know anything about a laptop that hackers say they compromised and that led them to millions of Apple iOS device user details, of which 1 million have been released on the Web.
"The FBI is aware of published reports alleging that an FBI laptop was compromised and private data regarding Apple UDIDs was exposed," said an FBI spokesperson. "At this time there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data." Before the statement was released the FBI Press Office tweeted: "Statement soon on reports that one of our laptops with personal info was hacked. We never had info in question. Bottom Line: TOTALLY FALSE."
If the hackers didn't get the data from the FBI, who did they get it from? The FBI statement doesn't change the fact that data of potentially millions of iOS devices has been leaked. CNET has verified the authenticity of some of the user account details that the hackers released.
The Anonymous-affiliated group AntiSec said in its post last night that it had actually obtained 12 million Apple Unique Device Identifiers (UDIDs) from the laptop of FBI supervisory special agent Christopher K. Stangl by exploiting a Java vulnerability, but that it released only data from 1 million devices. It said it was able to download files from the agent's laptop, including one entitled "NCFTA_iOS_Devices_intel.csv," which had the data, including user names, device name, device type, zip codes, cell phone numbers, addresses and Apple Push Notification Service tokens. (You can use this site to see if your iOS device is on the list.)
Stangl was among a group of four dozen or so U.S. and UK law enforcement agents who were recipients of an e-mail that AntiSec members got ahold of related to investigating AntiSec, Anonymous and their affiliates. The e-mail was sent last January to organize a conference call among the agents which the hackers then listened in on. Robert David Graham speculates on his Errata Security blog that the hackers got Stangl's e-mail address off that list and targeted him for compromise with a phishing e-mail.
The @AnonyOps Twitter account responded to the FBI statement, saying "FBI says there was no hack. That means either they're lying or they *gave* the information up to someone in #antisec. It's happened before." Security
Space Rogue, the former editor of Hacker News Network, tweeted: "FBI statement is ambiguously short. States not from an 'FBI' laptop. How about a personal laptop of an FBI agent?" An FBI spokesperson did not immediately respond when asked that question late this afternoon.
Anonymous said in its data dump post that it wouldn't give any interviews to reporters unless Gawker put a picture of Editor Adrian Chen wearing a tutu with a shoe on his head on the front door of the tech news site for a day. Chen has obliged and the AnonymousIRC Twitter account says it will talk to him and other reporters when the hackers have more to say.
CNET talked to a few people whose devices were on the list and whose names and numbers were included in their "Device Name Field.' CNET also was able to use the data, which had been mostly scrubbed by the hackers of personally identifiable information, to find names and phone numbers by cross referencing it with publicly-available third-party databases. People on the list could be targets for phishing attacks based on the information on the list and even more at risk if someone did a little bit of digging.
Apple representatives did not respond to requests for comment. The company is phasing out UDIDs because of privacy concerns, but it's unclear when they will all be stricken from existing apps and what will replace them that will allow developers to track usage of apps without revealing too much user information.
With the FBI and Anonymous calling each other liars, it's hard to figure out exactly what's going on and where the data came from. The initial report raised hackles among the security community and Apple users who wanted to know why the feds would have that type of information and how did they get it. The file name gives a clue that is interesting. The acronym NCFTA stands for National Cyber-Forensics & Training Alliance," which is a nonprofit created to serve as a "conduit between private industry and law enforcement with a core mission to identify, mitigate and neutralize cyber crime," according to the Web site. NCFTA did not immediately return a call seeking comment this afternoon."
"Look at the name of the file," said Frank Heidt, chief executive of Leviathan Security. "What makes anyone think there's not an Android file or an AT&T file? I'm waiting for the other shoe to drop. Why only Apple? It makes no sense."
Greg Wilson, a Tempe, Ariz.-based musician and teacher in whose data was on the list, said he suspects that the government has a lot of data on people that it shouldn't because of cooperation with the technology providers.
"I'm not surprised. I saw 'Enemy of the State' and I've read '1984,'" he told CNET in a phone interview. "I'm saddened. President Bush had such cachet with the world after 9/11 and this is where it's descended to."
"Maybe, I shouldn't be looking at so much porn," joked one man contacted by CNET who asked not to be named.
Whoever the hackers got the data from apparently didn't use the basic security measures to protect it from prying eyes, including having a sensitive user file unencrypted on an unsecured laptop. And then there is the worry about what criminals can do with the data now that it is public.
"I don't know if you want people having that push token. Given that and the UDID and username I could arbitrarily load an app on your phone," Heidt said.
The very use of the .csv import-export file format poses questions. "Who exported it and where are they going to import it?" he added, assuming that the FBI had the data. "We are at least owed the 'why.' I think our government at least owes us that."
Calling the UDID leak a "privacy catastrophe," security consultant Aldo Corttesi wrote a blog post that he has found numerous instances of gaming social networks and related sites, including Open Feint, "using and misusing" UDIDs. (Open Feint was used by CNET to get more data on the victims in this data leak than the hackers provided, for example.)
When speaking to people about this, I've often been asked "What's the worst that can happen?" Cortesi wrote. "My response was always that the worst case scenario would be if a large database of UDIDs leaked... and here we are."Updated 4:47 p.m. PT with Gawker reporter submitting to hacker demand in order to get interview and Space Rogue tweet 3:06 p.m. PT with more details on Stangl background and FBI press office tweet and 2:20 p.m. PT with more background and reaction.