This story stinks. It either stinks because it is not true or it stinks because the FBI is walking around with 12,367,232 UDID’s and more or less personal data connected to it.
During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java, during the shell session some files were downloaded from his Desktop folder one of them with the name of “NCFTA_iOS_devices_intel.csv” turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc. the personal details fields referring to people appears many times empty leaving the whole list incompleted on many parts. no other file on the same folder makes mention about this list or its purpose. The big question is: how did they collect that data? It is hard to believe that either Apple or the Carriers are involved. The first thing to look for is a rogue app using maybe a rogue ad-system. But there are other possibilities, we’ll hear about soon enough. The good thing is that the use of the UDID is deprecated in iOS6, but that doesn’t help the ones already out there and maybe other personal information that might be used.