Anonymous has a way of releasing massive collections of information that raise many more questions than they answer.
Case in point: On Monday night, the segment of the hacker group that calls itself Antisec announced that it had dumped 1,000,001 unique device identifier numbers or UDIDs for Apple devices–the fingerprints that Apple, apps and ad networks use to identify the iPhone and iPads of individual users–that it claims to have stolen from the FBI. In a long statement posted with links to the data on the upload site Pastebin, the hackers said they had taken the Apple data from a much larger database of more than 12 million users’ personal information stored on an FBI computer.
While there’s no easy way to confirm the authenticity or the source of the released data, I downloaded the encrypted file and decrypted it, and it does seem to be an enormous list of 40-character strings made up of numbers and the letters A through F, just like Apple UDIDs. Each string is accompanied by a longer collection of characters that Anonymous says is an Apple Push Notification token and what appears to be a username and an indication as to whether the UDID is attached to an iPad, iPhone or iPod touch.
In their message, posted initially in the Anonymous twitter feed AnonymousIRC, the hackers say they used a vulnerability in Java to access the data on an FBI Dell laptop in March of this year. They say the database included not only the UDIDs, but also “user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc.” Anonymous claims that the amount of data about each users was highly variable, and that it only released enough data to the public “to help a significant amount of users to look if their device are listed there or not.”
The Antisec statement also took the opportunity to mock the recent appearance of NSA Director and General Keith Alexander at the hacker conference Defcon, where he made a recruiting pitch to attendees. “It was an amusing hypocritical attempt made by the system to flatter hackers into becoming tools for the state,” Anonymous’ statement reads. “We decided we’d help out Internet security by auditing FBI first.”
If the UDIDs are determined to be real, just what that means about law enforcement and Apple users’ privacy isn’t entirely clear. Much more than passwords or even email addresses, UDIDs are already spread around the Internet by app developers and advertisers–a study by one privacy researcher in 2011 found that 74% of the apps he tested sent a user’s UDID to a remote server. But the same researcher also found that five out of seven social gaming networks he tested allowed users to log in with only their UDID, making a stolen UDID equivalent to a stolen password.
“We never liked the concept of UDIDs since the beginning indeed,” reads the Anonymous statement. “Really bad decision from Apple. Fishy thingie.”
Due perhaps to the privacy concerns around UDIDs’ proliferation, Apple stopped allowing new iOS apps to track UDIDs earlier this year.
Regardless, if the FBI has in fact collected 12 million Apple UDIDs–or even just one million–it will have some explaining to do to privacy advocates. In its release, Anonymous argues that the massive dump of users’ personal information, which it says has been stripped of many of the most identifying details, is designed raise awareness of the FBI’s alleged gadget-tracking shenanigans. “…We will probably see their damage control teams going hard lobbying media with bullshits to discredit this,” the statement reads at one point. “But well, whatever, at least we tried and eventually, looking at the massive number of devices concerned, someone should care about it.”
For now, Anonymous refuses to answer more questions about its release–at least from the press. Before granting any interviews, it’s demanding that Gawker writer Adrian Chen, who has been especially critical of Anonymous, appears on Gawker’s home page in a “huge picture of him dressing a ballet tutu and shoe on the head.”
SOURCE: Forbes.com
Leave a Reply