Why is the FBI carrying around a file with 12M Apple user UDIDs? (and is yours one of them?)

Update: The FBI has issued a denial

HackerNews linked last night to a Pastbin file, which is a long-rambling diatribe by hacker group AntiSec, that eventually said the group infiltrated an FBI laptop in March and was able to download files off  the machine. One of those files, NCFTA_iOS_devices_intel.csv, contained more than 1 million Apple UDIDs, but the group claimed to have over 12 million UDIDs and other personal information, which it apparently gathered after breaching the Dell Vostro of an FBI operative.

 During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java, during the shell session some files were downloaded from his Desktop folder one of them with the name of “NCFTA_iOS_devices_intel.csv” turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc.

“NCFTA_iOS_devices_intel.csv” looks like it stands for the National Cyber-Forensics and Training Alliance, which “functions as a conduit between private industry and law enforcement.” (http://www.ncfta.net/)

Apple previously said it would limit developer access to UDIDs, but the Pastebin post asserted AntiSec published the identifiers, after first leaving out full names, cell numbers and addresses, to warn folks about the FBI tracking U.S. citizens with the mobile data.

Fun Fact: 166 devices in the data set  are named “Titanic” or “The Titanic” because of the “Titanic is syncing” joke.

Cydia creater Saurik took to Hacker News to note that it is unlikely that the source was from jailbreaking:

I run Cydia, and have determined only 16.7% of the UDIDs in that file are from jailbroken devices: I thereby do not believe that whatever managed to get this data is anywhere in our ecosystem.

Others on HackerNews are asking : Did the FBI lift these UDIDs in an unrelated raid last year?

The UDID information is consistant with those obtained by developers with push capabilities. However, developers with 12 million accounts are pretty few and far between.

Update: Marcus Armento, developer of Instascraper, said it is unlikely the FBI information is from his DB server:

https://twitter.com/marcoarment/status/242995724617392128 https://twitter.com/marcoarment/status/242996344686514176

He also blames the AllClear ID app for the problem saying it is the “likely culprit”:

Update: The popular and free AllClear ID app, related to NCFTA, is a likely culprit, especially given the filename.

Update 2: Marco’s not very happy about the concern:



The hacker group will not release any more information on the hack until Gawker puts a picture of one of its writers on its homepage “ballet tutu and shoe on the head” for an entire day (something not out of the realm of possibility on a normal day, if we are being honest with ourselves really).

to journalists: no more interviews to anyone till Adrian Chen get featured in
the front page of Gawker, a whole day, with a huge picture of him dressing a
ballet tutu and shoe on the head, no photoshop. yeah, man. like Keith
Alexander. go, go, go.
(and there you ll get your desired pageviews number too) Until that happens,
this whole statement will be the only thing getting out
directly from us. So no tutu, no sources.

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel