Security Experts:

FBI Denies AntiSec Claims of iOS Related Privacy Violations

The FBI has issued a flat-out denial on the claims made Tuesday by AntiSec,which said the law enforcement agency was hoarding personal information on some 12 million Apple customers. However, the statement leads to more questions than answers.

To recap, AntiSec released 1,000,001 Unique Device Identifier (UDID), records, taken from a list of 12 million, after scrubbing of other personal information such as user names, device names, device type, Apple Push Notification Service tokens, zip codes, cellphone numbers, home addresses, and more. They claim the data was taken from an FBI laptop on during the second week of March 2012.

The file itself, NCFTA_iOS_devices_intel.csv, led many to wonder if Apple had handed the data over willingly, as NCFTA stands for the National Cyber-Forensics & Training Alliance, which “functions as a conduit between private industry and law enforcement.” 

There is plenty of debate around how the file was compiled and obtained, including the fact that an app for iOS is to blame. But the FBI has denied that it was taken from them. In a statement, the agency says they are aware of the reports alleging that the data came from a compromised laptop, but they have no evidence to back any of this up.

“The FBI is aware of published reports alleging that an FBI laptop was compromised and private data regarding Apple UDIDs was exposed. At this time, there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data,” the statement reads in full.

Responding to the statement, comments on Anonymous’ Par:AnoIA website pointed out that the absence of evidence does not mean the breach never happened. In addition, other experts note that while an agency laptop might not have been breached, a personal laptop could have been.

“We would like to point out that at this time, we have no reason to doubt the claim that the data in question was indeed obtained from the agent's notebook. The fact that the FBI has no "evidence" of a databreach on one of their notebooks does not allow the conclusion that it never happened,” the post said.

UUIDs have been called a privacy disaster, and Apple has said their use would be phased out. Additional details on UUIDs and the problems they pose can be seen here

Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.