Where did AntiSec find those Apple UDIDs?
Confusion surrounds the source of a massive leak of Apple’s unique device IDs that could affect more than 12 million customers.
The hacking group AntiSec yesterday claimed to have hacked an FBI agent’s computer and downloaded UDIDs and other personal information of more than 12m Apple users – then posted 1m of the UDIDs online to prove the attack was genuine.
The breach has raised serious questions, such as why the FBI would be holding such information, but the bureau issued a statement claiming it doesn’t collect the data in question.
“The FBI is aware of published reports alleging that an FBI laptop was compromised and private data regarding Apple UDIDs was exposed,” the FBI statement read. “At this time, there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data.”
The denial on Twitter was even stronger, with the bureau claiming it had never stored the user IDs, something that would give rise to state surveillance allegations. “We never had info in question. Bottom line: totally false,” the tweet said.
If the FBI isn’t the original source of the data, then it leaves two pertinent questions, security experts said.
“If it wasn’t the FBI then who was it and why would AntiSec say it was?” said Graham Cluley, a security expert with Sophos, in a briefing with PC Pro.
“It’s curious that the FBI is denying it. They appear to be genuine UDIDs in there, so where did they get them from?” Cluley said. “It could be from an app developer who has stored these things from a popular application – it’s strange and there’s still a lot of mystery.”
The idea that the data could have come from a third party has gained momentum since the FBI denied involvement. With the data having been harvested back in March, security experts also questioned why the hackers would have held onto it for so long.
“So far we don’t have many clues, although the size of the database might be one,” said Stephen Cobb, a security expert at ESET, on the company blog. “Based on what AntiSec claims, the file probably takes up more than a gigabyte of disk space. We’re talking 12 million devices, one out of every 30 or 40 iOS devices in use today.”
“Of course, the interwebs are abuzz with speculation about government surveillance, but the file could also be from an ad agency or data broker,” Cobb said. “Until Apple stopped them about a year ago, some apps transmitted UDIDs and other data for commercial purposes.”
Cause for concern?
Although AntiSec claims to have other details that it has not yet published, the details in question are Apple’s unique device identifiers (UDIDs), each a 40-character string assigned to an Apple device to help developers and Apple verify handsets.
“In itself it probably isn’t that big a worry,” said Cluley. “The hackers claim to have personal info and, if true, that makes things more dangerous – if they had phone numbers, names and addresses they could target individuals – but the UDIDs on their own aren’t going to cause that much alarm.”
However, if AntiSec really believes the data came from the FBI, it might move to prove it by releasing more data, which could prove a greater concern.
“It will be interesting to see what Anonymous do next,” Cluley said. “Because if they really did believe it came from the FBI then they might be tempted to release some more information to use as evidence, and at that point innocent user data might be released.”
Security experts have warned against trawling search engines for tools that show whether a user’s handset is affected, because criminals could try to exploit the anxiety by setting up bogus checkers that actually collect numbers.
However, password security company LastPass has put together a tool allowing concerned Apple users to check their numbers – it cross-references numbers entered in a search box against the list posted online.