This morning AntiSec released a list of 1 million out of 12 million Apple UDID's that it said it got from the FBI, which has raised many questions, most prominently perhaps: Just what was the FBI doing with that data in the first place? First off, neither the FBI nor Apple has confirmed that the data released so far is real. Update: Just after we published this post, the FBI issued a statement to Gizmodo denying that the data came from them. "At this time, there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data." Before that statement, an FBI spokesperson told Computer World and Gizmodo that it was "declining to comment," which has led Gizmodo's Jamie Condliffe and Sam Biddle to suggest "it's very much possible that an FBI computer is the original source of this alleged data dump." Even though we have no proof of that, others have at least confirmed that the UDIDs out there correspond to actual phones, with ArsTechnica's Jacqui Cheng posting responses from Security journalist Rob Lemos and "eCrime specialist" Peter Kruse saying that they have devices on the list. With so little information -- AntiSec has refused to give interviews, for now -- we still can't be sure that these came from the FBI. But if the hackers are to be believed (an admittedly big if), it brings us back to that initial question: What did the FBI want with those Apple IDs? Some theories.
"FBI IS USING YOUR DEVICE INFO FOR A TRACKING PEOPLE PROJECT OR SOME SHIT." That's the explanation that AntiSec uses in its post, which Anonymous reiterated in the following tweet.
12,000,000 identified and tracked iOS devices. thanks FBI SSA Christopher Stangl. #AntiSec— AnonymousIRC (@AnonymousIRC) September 4, 2012
- The FBI got this information by proxy. It's possible that the FBI just had this data as a part of another project, as Marcus Carey, a researcher at Rapid7 explained to Bits Blog's Nicole Perlroth. "The F.B.I. could have obtained the file while doing forensics on another data breach," he said. The FBI once got a hold of an Instapaper server from an unrelated raid, last year. Instapaper CEO Marco Arment has denied that the two incidents are related -- Instapaper has nowhere near 12 million members, for one. But, this could have been from something like that. That makes sense, especially since these ID's don't reveal anything too dangerous, as Carey continues. "This poses very little risk. None of this information could be used to hack someone or launch an attack," he adds.
- Apple gave it to them just because. This isn't really an explanation for what the FBI wanted with the information, but some on Hacker News have suggested that the FBI asked for it, so Apple obliged because why not. "There might be legitimate law-enforcement reasons for doing so, though it’s hard to image what they might be given the sheer numbers said to be involved," notes AllThingsD's Arik Hesseldahl. "It’s not hard to imagine the FBI requesting a UDID along with other information as part of building a case in a criminal investigation into a person or a set of people," he continues. But that sounds like a privacy disaster waiting to happen -- er, that just happened -- for Apple, which has not yet commented.
- This info isn't from the FBI, at all. From what we know, this could have come from anywhere. "Apple could have been breached. AT&T could have been breached. A video game maker could have been breached," adds Carey. Since UDIDs are used in relation to push notifications with apps, others have surmised that the info comes from a database dump of an app with 12 million users. "Any app with more than 12 million users, then, would be suspect," wrote TechCrunch's John Biggs.
Since posting the original hack, AntiSec hasn't given any more information about the data and won't until Gawker's Adrian Chen meets their demands that he wear a ballet tutu and a shoe on his head and post it to the site. Earlier we explained how to check if you were part of the list, but it looks like this move was more to embarrass the FBI than to compromise devices. So far, that part is working. Without any answers from the FBI (or Apple) we are left with this question, and other related ones, reminding us that there is some possibility the government wanted something with 12 million iPhones.
Update, 6:48 p.m.: Adrian Chen is complying with their demands. He's paying his public penance and wearing a pink tutu and balancing a Reebok sneaker on his head. "Get used to it because it's going to be up until around 6:30pm tomorrow." Part of the demand is it has to lead the front page for a full 24 hours. "As a journalist, I am sworn to bring facts to light by any means necessary. So here is a picture of me in a tutu with a shoe on my head at Gawker HQ," he says. He's doing it for us, guys. Adrian Chen is a man of the people.