These were among more than 12 million UDIDs stolen from the laptop of FBI Special Agent Christopher K. Stangl, the group said.
Anonymous deleted personal data, including the names, mobile phone numbers, addresses and ZIP codes of the devices’ users before releasing the data on the Internet.
However, the hacker collective left enough information to help users check to see whether their UDIDs were among those the FBI had. It also included device tokens for mobile hackers’ possible use.
Stangl, whose laptop Anonymous hacked to get the UDIDs, appeared in a video three years ago urging people with computer science degrees to join the FBI, Forbes reported.
However, the video appears to have been taken down.
Anonymous members gained access to Stangl’s Dell Vostro Notebook in March using the AtomicReferenceArray vulnerability in Java, the group said.
A video on this vulnerability was released in March on the Real Hacker blog.
The release of the UDID data was meant to expose the FBI’s gathering of data on American citizens, Anonymous stated.
The UDID Dilemma
UDIDs are tied to specific devices, which means that once the device is upgraded, lost or stolen, it cannot be tied to the user any more. On the other hand, possession of a device’s UDID does expose lots of information about its user. Stangl’s lists had users’ personal data tied to the UDIDs, for example.
However, the problem may be confined to older iDevices — Apple in March began rejecting apps that use UDIDs, and began phasing out developer access to UDIDs with iOS 5, released in May, sparking discussion on Quora forums.
“The average user is probably not going to be at very much risk,” Randy Abrams, a research director at NSS Labs, told TechNewsWorld. “However, in a targeted attack, the data could be used by sophisticated attackers to perform impersonation attacks.”
Neither Apple nor the FBI responded to requests for comment on the incident.
Keeping America Safe
Java vulnerabilities have been exploited in a number of data breaches, and perhaps the FBI should have been aware of this and acted accordingly.
“Recognizing that Java makes a device vulnerable would have implied that the agent would have then known not to keep Java on the device, or else not put sensitive information on the device,” NSS Labs’ Abrams said.
“Organizations really need to assess their need for Java, keep important data away from devices with Java, and figure out a timely migration strategy.”