FBI was not hacked by AntiSec/Anonymous for iOS UDIDs — BlueToad, a software publisher, was

AntiSec may have frog in throat over FBI hacking claims.

When hacking group AntiSec claimed last week that they’d hacked into an FBI agent’s computer and stolen millions of iOS unique device identifiers (UDIDs), the FBI immediately denied ever having the information in question:

The FBI is aware of published reports alleging that an FBI laptop was compromised and private data regarding Apple UDIDs was exposed. At this time, there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data.

However, independent reports began to come out across the internet from individuals (including a journalist and an “eCrime specialist”) that their UDIDs were on that list, proving that at least some of the public list AntiSec showed off as “proof” of their successful FBI attack was real. So if the UDIDs were real, and the FBI is telling the truth, where did the UDIDs come from?

An announcement today from BlueToad, a digital publishing company that makes quite a few iOS apps (no relation to the above image – it’s a frog – but let’s stay topical), has revealed where the UDIDs came from. According to the company, they were able to match their own data against the released list from AntiSec, and it showed a “98% correlation,” according to an interview BlueToad had with NBC. They obviously wished to set the record straight as quickly as possible, and went to great lengths to do so, approaching appropriate law enforcement officials and taking public responsibility for their lapse of security.

The likelihood is that AntiSec never had the “millions” of UDIDs that they claimed – and if they did, they certainly didn’t come from the FBI. Instead, the list came from a social network of some kind, or an app that collects user data. However, now the question remains – was BlueToad the only app company victimized so that AntiSec could pull off their FBI hoax? Where did the 2% of UDIDs that didn’t belong to them originate, and are there even more where those came from? The UDIDs themselves aren’t dangerous – they’re a string of characters which lend a unique ID to any individual iOS device – be it an iPhone, iPad, an iPod, or an iTouch. Pretty much every app developer that exists has a list of UDIDs somewhere, and that string of characters alone can’t reveal anything about you. The danger comes from the app maker’s database, which may have your name, phone number, address, and even financial data attached to that UDID, marking you as their customer.

Apple has known of this potential problem for a while and, as such, has begun distancing itself from the use of UDIDs; with the advent of iOS 6 and its new set of APIs to replace UDID functionality, Apple has even gone as far as to reject apps that make use of the identifier. Unfortunately, this has come too late to stop this hack from causing an internet-wide scare, with nobody knowing what personal information AntiSec has in its possession, or what other groups might be doing with the information that they already released publicly. Or if the FBI is secretly tracking everybody.

As for the hacking group itself, AntiSec has yet to comment on BlueToad’s seeming ownership of the leaked file. Apple, on the other hand, did confirm that the data taken from the app developer is typical of the kind of information developers might have on record. However, you can rest assured of one thing: the UDID in and of itself is not enough; a user has to have specifically decided to give their information to a developer for it to be in that list. Or at least, that is the theory.

The bad news is that any iOS user that bought an app from BlueToad has the potential of their information being in the hands of AntiSec hackers. Did you buy one of their apps? For your sake, I hope UDIDn’t.

[via ArsTechnica | image credit: MyFreeWallpapers]


6 comments

  1. Raeldin

    I find it amazing that people will believe a hacker over the FBI. The connotation of the word hacker implies liar. Course the same could be said of the FBI, but still, come on, don’t believe either. Just because there are two sides doesn’t mean that one must be telling the truth. Given the content in Kathryn’s article, I’d tend to believe the FBI in this case.

    This isn’t a comment to defend the FBI, just a comment on the really sad state of affairs we find ourselves in.

  2. rover3500

    The FBI need all this info and others as it saves them a fortune in law enforcement. Of course they have all the info they can get hold of, as long as it can be kept under wraps. Why people think they wouldn’t do this I don’t know, especially in today’s tech society they wouldn’t get anywhere otherwise. They will try to bring in more and more laws that give them access to such info, a bit at a time till it’s justified what they do now on the sly.
    There’s so many possibilities of cover stories as well, it’s not likely they’d get caught. Most people can be bought/threatened.

  3. Idoubt It

    And we’re supposed to believe the FBI … because? The thing about lying to the American people is that people tend not to believe you the next time, whether the ‘you’ is the FBI or Romney & Ryan.