12 million Apple UDIDs stolen from FBI agent’s computer

The UDID is like a fingerprint for the iPhone.

Hacktivists are called such because they typically hack for a cause. That cause is often revenge, which makes government agencies like the U.S. Federal Bureau of Investigation a popular target for cyber criminals. A recent operation by hacktivist group AntiSec targeted FBI agent and cybersecurity researcher Christopher Stangl, and it also compromised approximately 12 million Apple users.As Forbes pointed out, Stangl has shown a great deal of support for bringing more cybersecurity expertise into government agencies. The hackers broke into his laptop using the Atomic Reference Array vulnerability in Java and stole the unique IDs (UDID) of approximately 12 million Apple device users. In addition to claiming responsibility, the hackers publicly released 1 million device IDs as evidence.

The UDID of the iPhone and iPad is like a fingerprint – it’s unique and mobile carriers use it to track usage. According to a PasteBin post written by AntiSec, they were also able to steal personal information such as names, addresses and full cellphone numbers. However, the group removed the extra information from its posting.

Hackers raise a few eyebrows
The incident has raised more than a few concerns, including concerning the security of government agencies regarding other sensitive information. Forbes also highlighted concerns that an FBI agent had a collection of Apple device information on his laptop in the first place. Although more malicious threats could use the data to design targeted attacks against users, Forbes speculated the attack was construed in order to make cybersecurity experts look bad.

“This particular operation was wrapped into the weekly event (despite being released on a Monday) and aimed at causing maximum embarrassment to investigators who are trying to prevent attacks like these from spinning out of control,” Forbes wrote. “The fact that the hackers targeted someone who once called for computer savvy individuals to join the Feds, may have given them all the more reason to pounce.”

What’s more embarrassing for a cybersecurity researcher being victimized by hackers? How about a security expert that was compromised by a threat that could have been easily mitigated? Solutions such as application control can protect against a wide variety of threats, but keeping software updated can also protect against breaches (and public embarrassment). AntiSec claimed the security breach happened in March. However, the Java exploit the group utilized was patched in February, meaning the incident could have been avoided if Spangl had the latest version of the platform.

Besides causing a little public shame, AntiSec said the intention was to raise privacy awareness. The hacktivist group criticized the FBI for monitoring and storing personal information, and condemned Apple for making devices with UDIDs in the first place.

Is your Apple UDID one of the 1 million released?
If you’re already worried that your information might be compromised, The Next Web has created a tool that will check your Apple UDID to see if it has been compromised. Although TNW doesn’t store information, the data is not transmitted using SSL, so you may not want to enter your entire UDID.

One ID in particular made headlines because it is believed to belong to U.S. President Barack Obama’s iPad, according to a recent Cult of Mac article. While it hasn’t been completely confirmed, it does show that the FBI has its eyes on the president as well as the country’s population.

What do you think about the attack? What could the FBI be doing with the data on Stangl’s computer?

Kate Beckham

Kate has been lighting up the blogosphere for over 5 years, with a keen interest in social media and new malware threats. When not sitting at a café behind her Mac, you’ll usually find her scouring the racks for vintage finds or playing guitar.