How unhappy would you be if you discovered that the FBI is using device information to track citizens? No, we are not talking about people who are allegedly terrorists . . . unless there are 12 million potential terrorists who prefer Apple devices? As ludicrous as that suggestion is, so are the FBI you-might-be-a-terrorist-if lists. The latest leak allegedly was snagged from an FBI laptop and contains a redacted list of Apple Unique Device IDs – device names, types and Apple Push Notification Service DevTokens.
“This is our next challenge: to decide whether to become tools for the system, or for ourselves. The system plans to use us to hold the next in their endless wars, their cyberwars. Hackers vs. hackers, slaves vs slaves.” The AntiSec statement adds, "We are trapped."
Displeased after NSA Chief General Keith Alexander spoke at Def Con, attempting to “seduce” hackers to improve Internet security and to recruit hackers for future cyberwars, AntiSec hackers said, “We decided we'd help out Internet security by auditing FBI first.” If a leak of 1,000,001 Apple device UDIDs linked to users and their APNS tokens doesn’t seem massive enough, the hackers say that’s a mere drop in the bucket and claim the original file had about 12 million!
How was this accomplished? By exploiting Java—what a shocker! And no, it wasn’t the newest migraine-inducing Java zero-day for which Oracle finally issued an emergency patch. The hack was allegedly accomplished in March, so the hackers exploited the previous Java zero-day. According to the Pastebin announcement:
During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java, during the shell session some files were downloaded from his Desktop folder one of them with the name of ”NCFTA_iOS_devices_intel.csv” turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc. the personal details fields referring to people appears many times empty leaving the whole list incompleted on many parts. no other file on the same folder makes mention about this list or its purpose.
Every Apple device has a hardware-coded 20-byte ID code which the AntiSec hackers claim was a “really bad decision from Apple. Fishy thingie.” Before dumping a million records, the hackers chose to redact some personal data while leaving enough “to help a significant amount of users to look if their devices are listed there or not.” The hackers’ statement includes links to where to download the files and how to get the “candy” from them.
You may recall that in February, members of LulzSec tapped into a conference call between the FBI and Scotland Yard before releasing a recording of the intercepted communications. An intercepted email arranging the conference call for about 40 law enforcement agents worldwide included Stangl as one of the FBI agents invited to participate. After the humiliating eavesdrop was made public, both the FBI and Scotland Yard confirmed the intercept. The FBI stated, "The information was intended for law enforcement officers only and was illegally obtained. A criminal investigation is under way to identify and hold accountable those responsible." Rob Graham of Errata Security further explored “How the FBI might've been owned.”
It is unclear right now how much of this dump and the accompanying accusations are legit; seemingly ridiculous aspects of the AntiSec statement regarding Adrian Chen and the front page of Gawker don’t help. Did Apple hand over this user database to a group such as the National Cyber-Forensics & Training Alliance, or did it come from an Apple app developer? Did the FBI have a warrant to obtain the digital dirt on 12 million iPad, iPhone and other iOS users? Richi Jennings explored varying opinions on how, if true, the FBI could legally track iOS device users. The AntiSec group that dumped the data suggested the FBI will “deny or ignore” the situation, but that “someone should care” how the feds got all this info on Apple users and how it’s being used to track citizens.
Note to whoever writes these public statements -- most news outlets cannot publish curse words, so you might want to rethink that strategy. Here are some portions of the AntiSec statement with cursing marked through so it can be published.
If it's true that the FBI is tracking people via devices, it's doubtful that it begins and ends with Apple products. If it's true, it's not very lulzy and we should all care.