FBI Denies AntiSec Claim Of Stolen Apple UDIDs


The Federal Bureau of Investigation has denied claims by an Anonymous-affiliated hacker group that it had stolen 12 million Apple UDIDs from the computer of an FBI special agent.

In a brief statement Tuesday, the Federal Bureau of Investigation branded the claim as "Totally False," which suggests that the ultimate source of Apple UDIDs was not the bureau, but any other source that may collect such information.

It was reported earlier on Tuesday that a hacktivist group affiliated with the renowned hacking confederation "Anonymous" had released an archive of more than a million Apple-related Unique Device Identifiers (UDIDs), claiming that they were a small portion of a collection of 12 million UDIDs stolen from an FBI computer. The group, known as "AntiSec," claimed they were able to breach the computer earlier this year, using a vulnerability in Java.

[Related: Despite Oracle’s Patch, New Java 7 Vulnerabilities Emerge]

The FBI subsequently responded in two brief messages, the first of which was a posted on Twitter, indicating that an official statement would be forthcoming. "Bottom Line: Totally False," it read.

The Bureau's press office then released a nearly equally short statement: "The FBI is aware of published reports alleging that an FBI laptop was compromised and private data regarding Apple UDIDs was exposed. At this time, there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data."

Skeptics suggest that the FBI would almost necessarily need to deny that it was the source, because the presence of the data would generate a lot of questions about why 12 million devices, and most likely the owners of those devices, were being tracked and whether legal restrictions around probable cause might have therefore been breached.

Such data could also be harvested from a variety of other sources, such as gaming servers or companies that collect and use personal information.

"The one thing we know for sure is that the data presented by AntiSec is legitimate," said Marcus Carey, security researcher at Rapid 7. "It could have come from the FBI, but it also could have come from a software developer or from Apple, itself. Also, AT&T had a breach a long time ago where UDIDs were exposed. So we just don't know."

Carey went on to say that if Anonymous did manage to hack into the FBI special agent's computer, then the group has a higher level of skill than a lot of people give them credit for.

"A patch for the Java vulnerability that they apparently used was available in February, and there was nothing floating around in Metasploit or Black Hole, or any of the other kits that we are aware of," he said. "So they would have needed to launch their own attack from scratch."

PUBLISHED SEPT. 5, 2012