WASHINGTON, DC – Three years ago special agent Christopher Stangl appeared in a video calling on people with computer science degrees to join the Federal Bureau of Investigation, saying they were needed “more than ever.” Last night, hackers with subversive online networks Anonymous and Antisec answered that call with nothing short of irreverence: they published what they claimed were more than 1 million unique device identifier (UDID) numbers for Apple devices, stolen from Stangl’s own laptop.
In total, the hackers say they were able to steal more than 12 million of these strings of numbers and letters, but, “we decided a million would be enough to release.” They announced the hack last night through the widely watched Twitter feed @AnonymousIRC.
Forbes cyber security reporter Andy Greenberg has downloaded the encrypted file posted by Anonymous containing the identifiers, and decrypted it. “It does seem to be an enormous list of 40-character strings made up of numbers and the letters A through F, just like Apple UDIDs,” he reports.
The incident raises many questions, not only about the security of federal devices, but also about why an agent might have (allegedly) been carrying a database of Apple UDIDs, which the hackers said also contained “user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc.” of iPhone and iPad users. They claim to have stripped this information for publication.
Stangl did not wish to comment when contacted by email, and an FBI spokeswoman declined to comment. The Anonymous supporters also said in their Pastebin post on Monday evening that they were not giving further interviews on the matter.
Anonymous claimed they used the Atomic Reference Array vulnerability in Java to breach Stangl’s laptop. (Link via Computer Weekly.) Here’s where they claim to have hacked his device:
“During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java, during the shell session some files were downloaded from his Desktop folder one of them with the name of ‘NCFTA_iOS_devices_intel.csv’ turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc.
“The personal details fields referring to people appears many times empty leaving the whole list incompleted on many parts. no other file on the same folder makes mention about this list or its purpose.”
Stangl, who joined the FBI in 2003 after graduating from Monmouth University, has been with the agency for nine and a half years and won an award in 2010 for helping bust a cyber crime ring. He was also sucked into another Anonymous stunt earlier this year when at least one of their supporters breached an FBI conference call that had been discussing Anonymous and LulzSec. Stangl was listed among those invited into the call, in an e-mail that was posted on Pastebin.
In a video posted to Facebook in 2009 (and which will likely be getting a lot more views in the coming days), Stangl is shown wearing a dark suit and tie, speaking to the camera, and calling for “cyber security experts” to join the FBI.
“Hello. My name is special agent Chris Stangl of the New York City field office of the FBI,” he says. “Today more than ever we need individuals with computer science backgrounds to join the FBI. From a special agent that investigates cyber crime or the computer scientist that is embedded in the cyber squad that analyzes malware.”
Anonymous and Antisec have shown a variety of motivators, with a large undercurrent being the pursuit of “lulz” and revenge. Hence the FBI is a regular target, and the subject of long-time operations that vary in size and are known as “F*** FBI Fridays.” This particular operation was wrapped into the weekly event (despite being released on a Monday) and aimed at causing maximum embarrassment to investigators who are trying to prevent attacks like these from spinning out of control. The fact that the hackers targeted someone who once called for computer-savvy individuals to join the Feds may have given them all the more reason to pounce.
UPDATE: If you own an Apple mobile device and are wondering if it got caught up in the UDID dump, TheNextWeb has set up a web tool that lets you type in your device number to check. They also promise to not store your identifier. Here’s how you can look it up in iTunes.