AntiSec may have frog in throat over FBI hacking claims.
When hacking group AntiSec claimed last week that they’d hacked into an FBI agent’s computer and stolen millions of iOS unique device identifyers (UDIDs), the FBI immediately denied ever having the information in question:
The FBI is aware of published reports alleging that an FBI laptop was compromised and private data regarding Apple UDIDs was exposed. At this time, there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data.
However, independent reports began to come out across the internet from individuals (including a journalist and an “eCrime specialist”) that their UDIDs were on that list, proving that at least some of the public list AntiSec showed off as “proof” of their successful FBI attack were real. So if the UDIDs were real, and the FBI is telling the truth, where did the UDIDs come from?
An announcement today from a digital publishing company that makes quite a few iOS apps called BlueToad (no relation to the above image – it’s a frog – but let’s stay topical) has revealed where the UDIDs have come from. According to the company, they were able to match their own data against the released list from AntiSec,and it showed a “98% correlation,” according to an interview BlueToad had with NBC. They obviously wished to set the record straight as quickly as possible, and went to great lengths to do so, approaching appropriate law enforcement officials and taking public responsibility for their lapse of security.
The likelyhood is that AntiSec never had the “millions” of UDIDs that they claimed – and if they did, they certainly didn’t come from the FBI. Instead, the list came from a social network of some kind, or an app that collects user data. However, now the question remains – was BlueToad the only app company victimized so that AntiSec could pull off their FBI hoax? Where did the 2% of UDIDs that didn’t belong to them originate, and are there even more where those came from? The UDIDs themselves aren’t dangerous – they’re a string of characters which lend a unique ID to any individual iOS device – be it an iPhone, iPad, an iPod, or a iTouch. Pretty much every app developer that exists has a list of UDIDs somewhere, and that string of characters alone can’t reveal anything about you. The danger comes from the app maker’s database, which may have your name, phone number, address, and even financial data attached to that UDID, marking you as their customer.
Apple has known of this potential problem for awhile and, as such, has begun distancing itself from the use of UDIDs; with the advent of iOS 6 and it’s new set of APIs to replace UDID functionality, Apple has even gone as far as to reject apps that make use of the identifyer. Unfortunately, this has come too late to stop this hack from causing an internet-wide scare, not knowing what personal information AntiSec has in it’s possession, or what other groups might be doing with the information that they already released publicly. Or if the FBI is secretly tracking everybody.
As for the hacking group itself, AntiSec has yet to comment on BlueToad’s seeming ownership of the leaked file. Apple, on the other hand, did confirm that the data taken from the app developer is typical of the kind of information developers might have on record. However, you can rest assured of one thing: the UDID in and of itself is not enough, a user has to have specifically decided to give their information to a developer for it to be in that list. Or at least that is in theory.
The bad news is that any iOS user that bought an app from BlueToad has the potential of their information being in the hands of AntiSec hackers. Did you buy one of their apps? For your sake, I hope UDIDn’t.