FBI denies leaked Apple device IDs came from agent's laptop
AntiSec hacker group claims to have accessed 12 million unique device identifiers on FBI computer
The FBI is denying claims that a laptop of one of its agents was hacked by a group operating under the name AntiSec that says it obtained 12 million Apple device IDs from the computer last March.
AntiSec said it got the unique device identifiers, or UDIDs, by exploiting a Java vulnerability and accessing a desktop folder on the laptop of a special agent who worked with the FBI's regional cyber action and evidence response teams in New York.
The IDs are strings of numbers and letters assigned to Apple devices running the mobile operating system iOS, such as iPhones, iPod Touches and iPads.
They are used by software developers to track Apple customers' use of mobile apps — although Apple has recently stopped accepting apps that use UDIDs after customers complained that they violated their privacy.
"The FBI is aware of published reports alleging that an FBI laptop was compromised and private data regarding Apple UDIDs was exposed," the agency said in a statement Tuesday afternoon.
"At this time, there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data."
Hackers, FBI press office go head to head on Twitter
The FBI press office also Tweeted about the matter, saying, "We never had info in question. Bottom Line: TOTALLY FALSE."
The hackers responded with their own tweet on the FBI's feed that said "Wait, what? So because you don't know of any data breach it never happened? So the conference call was fake, too? ;-)"
They later also tweeted another comment on the @AnonymousIRC Twitter feed, where news of the leak first appeared:
"You know you're doing something right if @FBIPressOffice throws caps at you on Twitter to deny an #Anonymous statement," the tweet said.
The @AnonymousIRC feed is used by the international hacker collective Anonymous, which gained notoriety when it came to the defence of WikiLeaks with a series of high-profile cyberattacks against companies that boycotted the activist group after it released a series of classified U.S. diplomatic cables.
AntiSec said it uses the @AnonymousIRC Twitter feed, one of several associated with Anonymous, to share ideas and post news of its activities.
Personal data not published
Instructions for accessing one million out of the 12 million UDIDs allegedly obtained by AntiSec were posted on the website Pastebin.com in an at times rambling text peppered with expletives and anti-establishment rants against certain perceived abuses and corrupt actions of security agencies, governments and corporations.
Pastebin is a site used to temporarily store and share various kinds of text and programming code and has been used to release statements about hacking activities in the past.
Some of the IDs were associated with personal information of the device owners, such as names, cellphone numbers and postal addresses, while others were not linked with any personal data.
AntiSec said it removed all personal details before posting the IDs online.
AntiSec, or Anti-Security, is the name given to an operation aimed at hacking into the computer systems of government agencies and financial institutions launched last year by the international hacker collective Anonymous and one of its offshoots,Lulz Security, or LulzSec.
"Top priority is to steal and leak any classified government information, including email spools and documentation. Prime targets are banks and other high-ranking establishments," Lulz Security said in a June 19, 2011, post on Pastebin announcing the Anti-Security initiative.
Privacy concerns over UDIDs
AntiSec said in a post explaining the UDID leak that part of the motivation behind it was to point out the dangers of assigning specific codes to devices that can be tracked.
"We always thought it was a really bad idea. That hardware-coded IDs for devices concept should be eradicated from any device on the market in the future," the group wrote on Pastebin.com.
The group also said it publicized the IDs in order to draw attention to the fact that the FBI was compiling such information, and to get people to start asking why the law enforcement agency might be collecting the data, and what they could be doing with it.
"We have learnt it seems quite clear nobody pays attention if you just come and say 'Hey, FBI is using your device details and info'," the group wrote.