“A Total Clusterfuck” thenextweb.com

Josh Ong reports for Read Write Web:

The AntiSec hacking group claims to have released a set of more than 1 million Apple Unique Device Identifiers (UDIDs) obtained from breaching the FBI. The group claims to have over 12 million IDs, as well as personal information such as user names, device names, notification tokens, cell phone numbers and addresses.

I think there are three questions on everyone’s mind right now:

  1. How was this list acquired in the first place?
  2. Why would the FBI even have 12 million iOS UDIDs?
  3. Am I affected?

Regarding the first point, the hackers explain their technique:

During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team, was breached using the AtomicReferenceArray vulnerability on Java. During the shell session some files were downloaded from his Desktop folder; one of them, with the name of “NCFTA_iOS_devices_intel.csv”, turned out to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc. The personal details fields referring to people appear many times empty, leaving the whole list incomplete in many parts. No other file in the same folder makes mention of this list or its purpose.

But this doesn’t explain how the FBI got the list. A quick Google search reveals that “NCFTA” is the National Cyber-Forensics & Training Alliance, which is a private company that “functions as a conduit between private industry and law enforcement”.

NCFTA appears to be the company that compiled the list, but it’s very difficult to see where they could have acquired 12 million UDIDs. A developer would be able to gain access to this information, but how many apps have been downloaded 12 million times? Marco Arment and “teflon” think it’s the NCFTA’s “AllClear ID” app (iTunes link):

AllClear ID is the first 100% free, basic identity protection that includes Fraud Detection, Monthly Reports, and Fast & Secure Phone Alerts when your identity is at risk. Millions trust AllClear ID, and it has been featured by NBC’s TODAY show, the Clark Howard Show, The NY Times and Wall Street Journal.

This sounds very sketchy, similar to the Trusteer browser plugin. I never trust any app that purports to protect against identity theft by requiring the user to enter a lot of information about their identity, for obvious reasons.

Update: Arment’s post (above) contains a correction to note that AllClearID denies any involvement:

AllClear ID sent a statement saying they do not collect UDIDs and are not affiliated with the NCFTA, for whatever it’s worth.

My comment regarding providing personal information to an app to “protect” that personal information still stands, but they weren’t involved.

In regards to question three—“am I affected?”—that’s a good question. The Next Web has built a tool to check your UDID. It’s clever, because you can check a partial ID. But remember that this list represents just one million UDIDs—8% of what the hackers claim to have access to.
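As an added illustration of why a partial check is the right design (this is not The Next Web’s tool, whose code is not on the page), here is a small lookup in which the user submits only a prefix of their 40-hex-character UDID, the service counts leaked UDIDs with that prefix, and an assumed minimum prefix length of 8 stops fragments that would match far too much. The sample UDIDs are constructed, not values from the leak.

```python
import bisect
import re

# Constructed sample standing in for the leaked list; these are not real UDIDs.
SAMPLE_LEAK = [
    "a1b2c3d4e5f60718293a4b5c6d7e8f9012345678",
    "A1B2C3D4" + "F" * 32,   # users may paste upper-case hex; it is normalized
    "0" * 39 + "1",
]

UDID_LEN = 40      # an iOS UDID is a 40-character hex string
MIN_PREFIX = 8     # assumption: shorter fragments match too much to be useful
HEX_RE = re.compile(r"[0-9a-f]+")

def normalize(fragment: str) -> str:
    """Lower-case and validate a full or partial UDID typed by a user."""
    frag = fragment.strip().lower()
    if not HEX_RE.fullmatch(frag) or len(frag) > UDID_LEN:
        raise ValueError("a UDID fragment is 1-40 hexadecimal characters")
    return frag

def build_index(udids) -> list:
    """Sorted, de-duplicated full UDIDs, so a prefix lookup is a binary search."""
    cleaned = set()
    for u in udids:
        u = normalize(u)
        if len(u) != UDID_LEN:
            raise ValueError("every entry in the leak index must be a full UDID")
        cleaned.add(u)
    return sorted(cleaned)

def count_matches(index: list, fragment: str) -> int:
    """Number of leaked UDIDs starting with `fragment`.

    The user discloses only a prefix, never the full identifier; a longer
    prefix narrows the answer, and fragments below MIN_PREFIX are refused."""
    frag = normalize(fragment)
    if len(frag) < MIN_PREFIX:
        raise ValueError(f"send at least {MIN_PREFIX} characters")
    # Every UDID with this prefix sorts between frag and frag padded with 'f'.
    lo = bisect.bisect_left(index, frag)
    hi = bisect.bisect_right(index, frag + "f" * (UDID_LEN - len(frag)))
    return hi - lo

def is_listed(index: list, fragment: str) -> bool:
    """True if some leaked UDID matches the fragment (a possible, not certain, hit)."""
    return count_matches(index, fragment) > 0
```

A match on a short prefix only says that some leaked UDID could be yours; a match on the full 40 characters is definitive, but by then you have handed the full identifier to the checking service.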

But question two is still a mystery. Why would the FBI have a list this large? Surely the vast majority of the IDs on this list aren’t involved in any sort of crime. Hell, I’d wager that not even a small minority of these are suspect, or involved in an investigation.

As usual, Mr. Gruber says it best: “this sounds like a total clusterfuck.”