“What was this special agent doing with information on 12 million iDevices?”
The hack, performed by AntiSec, involved scouring an FBI agent’s compromised laptop and coming away with the unique device identifier (UDID), Apple Push Notification Service token, phone number, address and much more for over 12 million iPhones. Anonymous released instructions on accessing over one million of these records today (minus the address and zip code portion) via Twitter, and by all appearances, the information looks legitimate. This raises several serious questions, but the biggest two in my mind are these: What was this special agent doing with information on 12 million iDevices, and where did he get it?
While we’ll probably never know why he really had it, there are several possibilities when it comes to the “Where did he get it?” part of that question. My gut reaction was to blame Apple, but after giving the situation a little more thought, I feel that’s wrong. The way the data is laid out is identical to how an app developer would store software usage information gathered from an iPhone app posted to the App Store. Most apps have a mechanism similar to this for tracking customer numbers and demographics, so if you use an iPhone regularly, there’s a good chance that your data is sitting somewhere on someone’s server.
Ostensibly, the data could have been provided to the special agent by an app developer in connection with a legitimate investigation. If this is the case, however, this FBI agent’s handling of sensitive information was abysmal. I can see it now: the app developer hands over a flash drive with all of his customers’ info on it. The agent plugs the flash drive into his laptop and drags the icon onto his desktop, and there the data sits: unencrypted and waiting to be accessed. The lesson to be learned from this is that if you are storing customer information ANYWHERE, make sure it’s secure and encrypted.
There are obviously more sinister implications that could be explored in this situation, but we have no facts to back any of them up. The FBI could have procured the information with their own hack. They could have gotten the database from a raid on a hosting farm. Heck, they could have created their own app and posted it on the App Store under a false name to try to gather information. Again, I doubt we’ll ever know if any of these theories are true. In the meantime, if you are concerned that your information was among the 1 million records released, check out http://thenextweb.com/apple/2012/09/04/heres-check-apple-device-udid-compromised-antisec-leak/ and enter part of your UDID. That site will tell you if you’ve been compromised or not.