Claim of iPhone hacking raises questions about FBI data

WASHINGTON — A hacker group's claim that it obtained from an FBI laptop a file with more than 12 million identification numbers for Apple iPhones, iPads and other devices has set off widespread speculation about why a federal agency would possess such information.

But the FBI disputed the allegation Tuesday, saying that "at this time, there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data."

• Apple makes it official, sends out invitations for Sept. 12

If the FBI's denials prove correct, the agency may have been the victim of a clever hoax by the group known as AntiSec that spurred thousands of headlines around the Web and left readers wondering how and why the FBI could have gotten access to Apple customer records.

The hackers said they found the file when they infiltrated a Dell laptop computer belonging to Christopher K. Stangl, a member of the FBI's Cyber Action Teams. They posted to a website a file containing 1 million of the so-called unique device identifiers, or UDIDs, to bolster their claim. They said the larger file included "user names, name of device, type of device, Apple Push Notification Service tokens" as well as ZIP Codes, cellphone numbers and addresses, though they did not release any of those details.

The hacker group said the file containing the data was called "NCFTA_iOS_devices_intel.csv". That set off a flurry of speculation among privacy activists that the data was linked to the National Cyber-Forensics and Training Alliance, a partnership of business, government and academia that includes a former FBI agent as its director of operations. No one from that organization responded to requests for comment.

The NCFTA, which is based in Pittsburgh, has billed itself as a clearinghouse through which companies can indirectly share cyber security-related data with the government. Cyber security legislation that failed to pass the Senate in July included provisions to expand such information sharing, so that the FBI and other agencies have help in tackling malware used in cyber crime.

"It's exactly the type of scenario that we were worried about happening with cyber security legislation," said Trevor Tim, an activist and blogger with the Electronic Frontier Foundation, a civil liberties group focusing on technology. "That these companies were going to use cyber information sharing provisions to hand over large swaths of data to the government that they would otherwise need a subpoena or a warrant or a court order."

After the Sept. 11, 2001, terrorist attacks, the FBI was given legal tools to request "third-party business records" without a court order, as long as it deemed those records "relevant to an investigation." Many consumer interactions with businesses on the Web produce records that are covered under those provisions and are not protected by the 4th Amendment requirement of a search warrant.

Most security experts said that the release of UDIDs into the wild in and of itself did not pose much of a privacy or security risk. It was no more harmful than a list of car VIN numbers, they said.

But if AntiSec's claims are true that the larger file accessed includes names, phone numbers and email addresses, the information could be used to track individuals, see what apps they've downloaded or lead to identity theft, said Ori Eisen, founder and chief innovation officer of security firm 41st Parameter.