FBI refutes claims of hacked agency laptop, Apple UDID database

AppleInsider

Less than one day after hacker group AntiSec claimed to have found over 12 million Apple UDIDs on a purportedly compromised agency laptop, the FBI issued a statement saying the group's allegations are false and distanced itself from the gathering of such private information.

Earlier on Tuesday, AntiSec published what it claimed to be 1,000,001 unique device identifiers (UDIDs) belonging to cellular-enabled Apple iPhones and iPads, saying the leak was just a small sampling of over 12 million such IDs purportedly stolen from an FBI laptop.

In a statement obtained by All Things D, the FBI denies the claims, saying that there is no evidence tying the agency to the purported UDID leak.

The group alleges that personal information like phone numbers, full names and addresses were included in the database alongside the UDIDs, information not usually available to developers.

From the FBI's statement:

The FBI is aware of published reports alleging that an FBI laptop was compromised and private data regarding Apple UDIDs was exposed. At this time there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data.

When AntiSec first posted its purported findings, the group noted the leaked UDIDs had varying amounts of associated personal data, ranging from zip codes to more comprehensive datasets like full names and addresses. UDID codes are available to app developers, however access is limited and doesn't usually include personal information.

The FBI's denial raises the question of where the leak originated as at least some of the unique identifiers were verified as legitimate.

anantksundaram

I have 6 iOS devices, none of which seem to have been compromised. Yet.

 

Perhaps my life is not interesting enough........ :-/

tallest skil

Originally Posted by anantksundaram 

I have 6 iOS devices, none of which seem to have been compromised. Yet.

 

How do you know they weren't?

sneamia

.

shidell

An interesting observation. Think WinPhone is guilty of this? BB? 

 

Curiously, as Android is open source, you (can) know exactly what's on your device--and who has access to what, specifically. There is nothing magical under the hood that may talk through Google--or Apple, or Microsoft--without your knowledge.

brian ward

Is it wrong to feel equally trusting of the FBI and the Hackers?  Either could be lying and I would not be surprised.

noelos

Perhaps the headline should have been "refute". "Rebuke" is an odd choice.

noelos

[quote]
Curiously, as Android is open source, you (can) know exactly what's on your device--and who has access to what, specifically. There is nothing magical under the hood that may talk through Google--or Apple, or Microsoft--without your knowledge.
[/quote]

Is every application open source too? What about all the crapware the phone manufacturer and telco adds? Is their source open?

theothergeoff

Quote:

Originally Posted by Brian Ward 

Is it wrong to feel equally trusting of the FBI and the Hackers?  Either could be lying and I would not be surprised.

Both could be lying... maybe they didn't hack the Special Agent's PC, but got into more 'sensitive' FBI systems.

 

My issue is the spin that it's an Apple Leak.  I can't see how if choosing to claim hacking FBI or Apple, you would choose the FBI...  The value of the prize for lying about an FBI leak seems so minor compared to showing proof that you hacked through Apple defense.  And if Apple had 12Million exposed, they'd have 120Million exposed

boxmaccary

Uh-oh .... 

Now those FBI assholes have officially put it out there that this is all bullshit & it never happened .... 

All AltSec has to do, now, is somehow/someway prove that this is genuine.

Of course, this could all be a feint by the feds to see exactly how AltSec got the data ....

shidell

Quote:

Originally Posted by noelos 





Is every application open source too? What about all the crapware the phone manufacturer and telco adds? Is their source open?

 

No, but what you load is ultimately up to the user--and you can replace the software on your device with your old build, should you so desire.

9secondko

Quote:

Originally Posted by noelos 



Perhaps the headline should have been "refute". "Rebuke" is an odd choice.

refute was probably what they were gunning for

 

and of course the fbi is going to deny they were inept.

softeky

Wouldn't the UDID be required to associate a cell-tower connection with a particular mobile device? If so, I'm pretty sure your cellphone service provider has this info and it can be obtained by the FBI directly from them. Hopefully with some kind of warrant, but nowadays (Patriot Act etc.) who knows? I doubt a phone hack is needed for this information to become available to the FBI should they want it for some reason.

 

I'd like to know if the numbers in the database were obtained by the FBI via legal warrant or via some less official "procedure".

 

Oh, and yeah, it would be expected for the FBI to deny any collection activity unless challenged by congress. Now it's up to anonymous to somehow tie that data to the agent's laptop. Perhaps via some Wikileaks disclosures.

 

Really must buy more popcorn.

jeff fields

Pretty terrible headline to this article. The FBI has not, in fact, "refuted" anything. They merely stated that there is no proof. That's only a "refutation" if you live in some Bizarro World where everything the FBI says is accepted as true.

Marvin

AppleInsider wrote:

there is no evidence tying the agency to the purported UDID leak.

Notice they didn't deny it, they probably just killed everyone linking it back to them.

It could be another leak from a service provider:

http://gawker.com/5559346/apples-worst-security-breach-114000-ipad-owners-exposed

They'd have address info and might track device identifiers for service usage. But, if the info is international, it would have to be a global carrier like T-Mobile.

If it was an app that collected it, it would have to be a very popular app to collect so many.

marcusj0015

Why the **** does the FBI have a list of UDID's ?! what. the. ****. 

jeff fields

No, "rebuke" is an accurate choice. "Refute" is a terrible and false choice, since the FBI has not refuted anything.

marcusj0015

Quote:

Originally Posted by softeky 

Wouldn't the UDID be required to associate a cell-tower connection with a particular mobile device? If so, I'm pretty sure your cellphone service provider has this info and it can be obtained by the FBI directly from them. Hopefully with some kind of warrant, but nowadays (Patriot Act etc.) who knows? I doubt a phone hack is needed for this information to become available to the FBI should they want it for some reason.

 

I'd like to know if the numbers in the database were obtained by the FBI via legal warrant or via some less official "procedure".

 

Oh, and yeah, it would be expected for the FBI to deny any collection activity unless challenged by congress. Now it's up to anonymous to somehow tie that data to the agent's laptop. Perhaps via some Wikileaks disclosures.

 

Really must buy more popcorn.

No, Apple and Apps use the UDID, carriers use the IMEI.

inkling

The most likely scenario is that the NSA had that data, perhaps with Apple's assistance, and someone there leaked it, unofficially of course, to this FBI agent. Cracking an individual agent's laptop would be a lot easier than cracking computers at Apple or some federal agency. Why would hackers claim to have done much less than what they actually did?

 

The other alternatives include:

 

1. 
   The hackers got the data from some federal agency that got the data from Apple without Apple's permission. Perhaps Apple's assistance in supplying court-ordered UDIDs gave that agency the clues it needed to crack Apple's computers. 


2. 
   The hackers got the data directly from Apple. But if that's the case, why did they just get 12 million records? Getting in to get some, should have gotten all of them.


3. 
   The FBI, while not exactly lying, has operations going on that those speaking for it don't know about. This data really is from the FBI and being used by the FBI.

 

Behind this fuss is a more fundamental one. Why is so much data about us not only available to the government, but ending up being stored willy-nilly on laptops that can be cracked, stolen or lost? It's bad enough to contemplate the government even having all this data. It's far worse that it's  being guarded so poorly that it's ending up on laptops.

 

One cause of this sort of mess is that working for the government at any level bestows far too much protection on individual wrongdoers. If this FBI agent really was a rogue acting without authorization, then "Supervisor Special Agent Christopher K. Stangl" should be facing the mother of all class action lawsuits.

mcarling

The FBI has denied it, but the FBI has not refuted anything.  To refute the claims, the FBI would need evidence showing that the claims are false.  The FBI seems to have no such evidence.

djrumpy

Quote:

Originally Posted by Shidell 

An interesting observation. Think WinPhone is guilty of this? BB? 

 

Curiously, as Android is open source, you (can) know exactly what's on your device--and who has access to what, specifically. There is nothing magical under the hood that may talk through Google--or Apple, or Microsoft--without your knowledge.

This is a false statement as been shown many times over from various malware reports for Android. They have a much higher exposure to malware than Apple does at this point.

 

http://tech2.in.com/news/android/android-more-vulnerable-to-malware-than-ios/263032



Also assuming joe user would be able to open the source for an app (again assuming it was even open) and verify what it was doing isn't even remotely likely to happen. Besides that, most apps are probably not open source, and claiming 'nothing' on your phone could be doing something bad is just foolish.

 

Just because the OS might be open source is no way indicative that your user experience is any safer. Quite the contrary based on found malware on each platform.