It could turn out to be a very bad week for Apple and the FBI.
On Sept. 4, news began to circulate around the Web that hackers associated with AntiSec had stolen more than 12 million Apple Unique Device Identifiers (UDIDs) for iOS devices from an FBI agent’s laptop. In a Sept. 4 posting via Pastebin, those attackers offered download links to what they claimed were 1 million of those IDs, which are linked to individual devices.
“The original file contained around 12,000,000 devices. We decided a million would be enough to release,” read that posting. “We trimmed out other personal data as, full names, cell numbers, addresses, [zip codes], etc.” The writer went on to claim the information came from the Dell Vostro laptop of an FBI agent with the FBI Regional Cyber Action Team and the New York FBI Office Evidence Response Team, “breached using the AtomicReferenceArray vulnerability on Java.”
The rest of the posting features callouts to Syrian rebels, a certain Russian punk-rock group, and various hackers either arrested or killed over the past couple decades.
Are these UDIDs authentic? That’s the question of the hour for pretty much everybody involved. Forbes writer Andy Greenberg, who covers data security and hacker culture, downloaded the file and poked around a bit:
“While there’s no easy way to confirm the authenticity or the source of the released data, I downloaded the encrypted file and decrypted it, and it does seem to be an enormous list of 40-character strings made up of numbers and the letters A through F, just like Apple UDIDs. Each string is accompanied by a longer collection of characters that Anonymous says is an Apple Push Notification token and what appears to be a username and an indication as to whether the UDID is attached to an iPad, iPhone or iPod touch.”
Meanwhile, TheNextWeb is offering a way to check whether one’s UDID ended up released by AntiSec. “Just input your UDID/UUID into the form and we’ll run it against the database,” the publication posted Sept. 4. “Of course, TNW won’t store your identifier.” Which is more than could be said for the FBI, if the information about the hack turns out to be true.
If the FBI is truly storing UDIDs, that raises some interesting privacy questions. First, how did the agency obtain said information, and to what purpose? Why did all that personal data reside on the laptop of one special agent?
So far, the FBI has not issued an official response to the alleged leak. Apple had already started phasing out apps that relied on UDIDs to track users, reportedly because of privacy concerns; this hack could drive them to take additional steps to safeguard that data, especially if millions of Apple users’ personal data ends up spilled all over the Web.
Image: Rob Kints/Shutterstock.com