
Huge leak of Apple device unique IDs and APNS IDs

Recently, I saw a post on pastebin regarding leaked Apple device IDs. The hackers said they got the file from a laptop belonging to an FBI employee:

During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java, during the shell session some files were downloaded from his Desktop folder one of them with the name of “NCFTA_iOS_devices_intel.csv” turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UUID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc. the personal details fields referring to people appears many times empty leaving the whole list incompleted on many parts. no other file on the same folder makes mention about this list or its purpose.

The file “NCFTA_iOS_devices_intel.csv” is said to contain over 12 million unique device identifiers (UUID) and user data for iOS devices. The actual leaked file contains 1 million records. The UUID is a unique number assigned to each device, and many app developers use it to identify the device or user.

The list looks something like this:

That in itself doesn’t contain much “dangerous” information; however, the interesting thing is where the hackers, or the FBI/NCFTA (National Cyber-Forensics & Training Alliance), got it. I’d generally say that this information could be fetched from some hacked app developer, since they usually store that kind of info on their servers. Perhaps they got this from some hacker they arrested? Or some developer handed it over?

Security expert Peter Kruse reported on Twitter that the actual data is correct: he found three of his devices in the list.

The list also contains APNS (Apple Push Notification Service) IDs. These are used for push notifications on iOS devices. I am uncertain if it’s enough to have the device ID and the APNS ID in order to read the push notifications for any device. If any reader knows, please let me know!

Looking at the data, there seem to be some interesting device names. However, keep in mind that anyone can choose to name their device whatever they like:

Government Official’s iPod
Governor’s iPad
Governor’s iPad
Forensic3GiPad
Forensic iPad
Forensic iPhone
Forensics
TACTICAL FORENSIC SOLUTIONS
A. Castillo Law Office
Chief Excecutive Officer’s iPad
Law Offices of Jannette Mooney’s iPad
Port Moresby Duty Officer iPad
Riot Officer’s iPad
The Law Office of Yariv Katz, P.C.’s iPad

Without more info, it’s very hard to tell where the list originally came from, or what its purpose is. Time will tell, and hopefully we’ll get some more info soon. Also, keep in mind that the people who leaked this also said the original list contained much more info (addresses, phone numbers, etc).

Some report that the data might have been acquired in a raid on Instapaper servers.

There seem to be quite a few devices from Asia in the list. The top 10 device names are:

1140 – PdaTX.Net
1196 – Administrator’s iPhone
1309 – Administrator’s iPad
1414 – 이지윤의 iPhone
1453 – iPhone
1534 – Owner’s iPad
2202 – “Administrator”的 iPhone
3136 – “Administrator”的 iPad
5141 – iPod touch
42790 – iPhone

Since the list also contains the device type, here is how it’s distributed:

iPod touch: 6%
iPhone: 35%
iPad: 59%

So, if this list comes from an app developer, it sure seems like the app is most popular on the iPad.
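
The two checks described in this post, looking for your own devices in the dump (as Peter Kruse did) and tallying device names and types, can be scripted as below. This is an added example, not code from the original post; the four-column layout (UDID, APNS token, device name, device type), the function names and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
import re
from collections import Counter

# Assumed column order; the post does not show the file's layout.
FIELDS = ("udid", "apns_token", "device_name", "device_type")
UDID_RE = re.compile(r"^[0-9a-f]{40}$")  # a UDID is 40 hex characters

SAMPLE = "\n".join([  # constructed sample rows, not real leaked data
    "A" * 40 + "," + "1" * 64 + ",Administrator's iPad,iPad",
    "b" * 40 + "," + "2" * 64 + ",iPhone,iPhone",
    "c" * 40 + "," + "3" * 64 + ",iPhone,iPhone",
    "not-a-udid," + "4" * 64 + ",broken row,iPad",
    "d" * 40 + "," + "5" * 64 + ",iPod touch,iPod touch",
])

def normalize_udid(value):
    """Drop whitespace and hyphens and lower-case, so pasted IDs compare equal."""
    return re.sub(r"[\s-]", "", value).lower()

def load_records(text):
    """Parse rows, skipping any with the wrong column count or a malformed UDID."""
    records = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, (col.strip() for col in row)))
        rec["udid"] = normalize_udid(rec["udid"])
        if UDID_RE.match(rec["udid"]):
            records.append(rec)
    return records

def find_exposed(records, my_udids):
    """Return the records whose UDID belongs to one of your own devices."""
    wanted = {normalize_udid(u) for u in my_udids}
    return [r for r in records if r["udid"] in wanted]

def type_share(records):
    """Whole-percent share of each device type among the valid records."""
    counts = Counter(r["device_type"] for r in records)
    return {t: round(100 * n / len(records)) for t, n in counts.items()}

def top_names(records, n=10):
    """Most common device names with their counts."""
    return Counter(r["device_name"] for r in records).most_common(n)

if __name__ == "__main__":
    print(top_names(load_records(SAMPLE), 3))
```

Malformed rows are dropped before counting, so the percentages are computed over valid records only.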

Update: They say they got the list by using a Java exploit in March, and as ErrataRob points out, this coincides with that exploit being used, and a possible targeted attack on a leaked list of agents and agencies trying to track hackers.