FBI Denies AntiSec Claim of iOS UDID Hack

| News

The FBI has denied a claim by AntiSec that a list of Apple IOS UDIDs (unique device identifiers) the hacker group published came from one of its computers. The U.S.'s top law enforcement agency said there was no evidence indicating the FBI had either sought or obtained such information, let alone that one of its computers had been compromised.

FBI

Over the holiday weekend (in the U.S.), AntiSec published a list of more than one million UDIDs that it said came from, "a Dell Vostro notebook used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team."

The list contained, "Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc."

AntiSec said that it was publishing the data in part to raise awareness that the FBI was collecting the data in the first place, a practice that could well violate the Constitutional right to privacy in the U.S. if it was being done without due process.

Indeed, as part of the discussion about the situation, it had been suggested that the data was more likely to be from an app developer's database. The FBI erroneously seized an Instapaper server in 2011, for instance, and the data could have come from that event.

The FBI is denying the whole thing, however, and in a statement issued to AllThingsD, said:

The FBI is aware of published reports alleging that an FBI laptop was compromised and private data regarding Apple UDIDs was exposed. At this time there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data.

There is no doubt more to come on this subject.

The Mac Observer Spin The Mac Observer Spin is how we show you what our authors think about a news story at quick glance. Read More →

The conspiracy theorist in me quickly noted that the FBI's denial said there was no evidence indicating that it sought or obtained this data, and didn't actually deny that it had done so. That's probably just legalese at work, though. No need to say more than you have to, and all that.

The reality is that is rather doubtful that the FBI would collect that kind of data on purpose without due process. Those sorts of actions are more the realm of the National Security Agency (NSA) inside the U.S. or the CIA outside the U.S. Without a rogue operation that will eventually star Matt Damon, Jeremy Renner, or Daniel Craig, the FBI's denial is certainly plausible.

That said, it seems just as likely that AntiSec knows of what it speaks when the group says the data came from a specific computer. If so, I personally fancy the idea that the data file was left over from the careless seizure of Instapaper's server in 2011, and that makes this incident a fantastic reminder about the dangers of such incidents.

The server shouldn't have been seized, and once it was, there shouldn't be any stray and errant data files lingering around on a field laptop.

As noted above, there is no doubt more to come on this subject, and someone is going to have some 'splainin' to do.

Popular TMO Stories

Sign Up for the Newsletter

Join the TMO Express Daily Newsletter to get the latest Mac headlines in your e-mail every weekday.

Comments

Lee Dronick

As you say gathering such information is more a function of the NSA than the FBI. However, the NSA just gathers information, they don’t make arrests. They could have turned the database over to the FBI who is a law enforcement agency.

Do we have a list of apps that were collecting UDIDs?

KitsuneStudios

The reality is that is rather doubtful that the FBI would collect that kind of data on purpose without due process.

http://en.wikipedia.org/wiki/NSA_warrantless_surveillance_controversy

Started under Bush, continued under Obama. This position is highly naive these days.

Bryan Chaffin

Mr. KitsuneStudios. Long time. It’s nice to see you around. smile

Please note that in the article itself I specified that domestic data collections (and surveillance)  were the domain of the NSA, which is in keeping with the Wikipedia entry you linked to.

Not sure if you missed that.

iJack

Actually Byran, I’m pretty sure that NSA is primarily responsible for OVERSEAS collections (mostly telephone calls), but can tap a domestic phone if it’s receiving suspect calls originating overseas, or otherwise with a warrant.  Theoretically at least, they only work DOMESTICALLY to protect US Government data.

I copied this Wikipedia entry first:

“The National Security Agency (NSA) is a cryptologic intelligence agency of the United States Department of Defense responsible for the collection and analysis of foreign communications and foreign signals intelligence, as well as protecting U.S. government communications and information systems,[1] which involves information security and cryptanalysis/cryptography.”

But if you go to the NSA site, it says essentially the same thing.
http://www.nsa.gov/

Of course we all know the stories about entire “private” switch rooms being installed in central offices, but how NSA is actually using them is anyone’s guess, and mine is that they’ll do what the damned well like, because they know that nothing more than the mildest rebuke is forthcoming when they exceed their charter.

geoduck

[quoteThe reality is that is rather doubtful that the FBI would collect that kind of data on purpose without due process.

I’m afraid I have to agree with KitsuneStudios on this one. The FBI has a history of making appearances to follow the law while doing whatever it feels needs to be done. This goes back to the Hoover days. It’s in their DNA to collect first, to spy first, to act without due process first, then if they find something to try to build a case out of clean evidence that would stand up in court. That they even HAD this data shows that they were doing something they shouldn’t, whether they got it by illegal spying or illegal copying of data from Instapaper’s server that they should not have seized.

[quote Th]e FBI’s denial said there was no evidence indicating that it sought or obtained this data, and didn’t actually deny that it had done so

This says it all.

KitsuneStudios

Ah, found the login button. Like the new page.

Bryan: Yes, I noticed. The problem is that this really isn’t a clear-cut distinction. There is nothing in the law that exempts the NSA from complying with the 4th amendment, yet their actions were barely covered by the media, the few challenges which reached the courts were dismissed, congress acted to bring the program into a more legal position, the program was defended by both Republican and Democratic presidents, and corporations protected for their role in providing the information.

Now, with all of that, if the FBI were to have access to this information, what incentive would they have not to use it?

Simply put, organizations are only as trustworthy as the level of accountability they face, and organizational accountability has gone completely out of fashion in the US.

John Dingler, artist

Hi Bryan,
Even this artist knows that the FBI has at least two ways to collect personal data without court order. One is via NSL (National Security Letter). These are secret demand letters issued without court approval or independent oversight used to gather any data the FBI thinks is important to its investigation. It can issue this to anything from libraries to credit agencies. All it has to do is justify that the info. sought is relevant to some ongoing investigation.

The other way is for it to purchase the data, when otherwise prohibited, from any of the several domestic spy agencies such as Choicepoint, Equifax, etc. By at lest these two methods, the FBI can gather a sweeping amt. of mass data on unsuspecting, non-criminal citizens.

Oh, and another way is for it to get data from other countries, thereby sidestepping any domestic restrictions. In this scheme, countries signed on to an agreement to share data in this international spy network. I think this includes five countries (US, GB, Australia, NZ, and another one, perhaps Canada).

For all we know, and given the FBI’s bureaucratic reply, AntiSec’s revelation could have belonged to any of the above gov. and private spy agencies which does not exclude the FBI.

But this spy overlay is made more egregious by provisions in the US Patriot Act and the Congress’s demand that the various police agencies share data.

From what and others reveal, you can see that you may need to reexamine your loose generosity to the National Security State Apparatus.

Log-in to comment