Anti-security group claims FBI breach, posts 1 million iOS UDIDs
Hacktivist group AntiSec has released what it claims are 1,000,001 Apple Unique Device Identifiers (UDIDs) that were allegedly obtained from an FBI breach. The anti-security group, which is loosely associated with Anonymous, claims that this leak is just a small piece of the original file, which it says contains 12,367,232 UDIDs, in some cases with associated personal data.
AntiSec released the set of 1,000,001 UDIDs on Pastebin, a website where Anonymous and AntiSec routinely store the text announcements of their various conquests. The group says it has “trimmed out” other personal data, including full names, cellphone numbers, addresses, and ZIP codes. The purported purpose of the leak is so that users can look up their own UDIDs, which are unique identifiers assigned to each and every iOS device that Apple makes.
According to the group, the list of 12,367,232 UDIDs was obtained from the Dell Vostro notebook computer of Special Agent Christopher K. Stangl of the FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team. AntiSec alleges it breached Agent Stangl’s notebook using the AtomicReferenceArray vulnerability in Java, and was able to download some files from his desktop folder.
Among these was a file entitled “NCFTA_iOS_devices_intel.csv,” which contained the list of Apple iOS devices and their details, including “Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc.” AntiSec says that many of the records contained only limited personal data, and none of the other files it downloaded mentioned the list or its specific purpose.
MacRumors says it has confirmed the validity of the list, and suggests that the information might have been obtained via a third-party developer since it resembles what a third-party developer might need to deliver push notifications. At least one programmer has shown that obtaining UDIDs from third-party services is not difficult and other research has shown that many apps have transmitted UDIDs as a matter of course. Apple has been criticized in the past for its reliance UDIDs, and with the release of iOS 5 last year, it began phasing out the use of the identifier, instead suggesting that developers create their own unique IDs on an app-by-app basis. Earlier this year, Apple began rejecting apps that send out UDIDs.
If you would like to download the file so that you can check to see if your UDID is listed, you can do so here, here, here, or here. AntiSec lists detailed instructions on how to decrypt the file using a password and then uncompress it, over on Pastebin. Some sites, such as The Next Web, have created tools to easily search the list for your UDID.
If this file is indeed from the FBI, “NCFTA” probably refers to the National Cyber-Forensics & Training Alliance. The NCFTA is a non-profit corporation that seeks to address “complex and often internationally-spawned cyber crimes.” The FBI’s Cyber Initiative and Resource Fusion Unit works as part of the NCFTA.
And, of course, if it turns out that the information’s provenance does indeed trace back to the FBI, there’s the question of how exactly the bureau obtained UDIDs and the associated names, zip codes, etc.
When reached, the FBI declined to comment on the story.
Updated at 7:26 a.m. PT with FBI response.