A dump of 1 million unique identifiers (UDIDs) from Apple iOS devices have been released by hacker group Antisec. The identifiers allegedly came from a file found on an FBI laptop in March.
During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java, during the shell session some files were downloaded from his Desktop folder one of them with the name of “NCFTA_iOS_devices_intel.csv.”
The file was said to contain over 12 million device records, including Apple UDIDs, usernames, and push notification tokens. In some cases, the information also included names, cell phone numbers, addresses and zip codes.
The group released 1 million of these records but stripped most of the personal information. The information released includes Apple UDIDs, APNS (push notification) Tokens, Device Name, and Device Type. MacRumors says it has been able to confirm that the UDIDs appear to be legitimate.
It is unclear as to what the source of the data is. The type of data is typical for the kind of information an iOS developer would collect to deliver push notifications to a user.
The Next Web has a handy tool available on their site to help you find out if your UDID is included in the list. They also include helpful information on how to find out what your devices UDID is.
The actual implications of the leak isn’t exactly clear at this time. The UDIDs are considered harmless in isolation. The privacy risks can come from these IDs being used across ad networks and apps to assemble a more complete picture of activity and interests of the user.
Are you worried that your UDID might have been compromised? Here’s how you can check!
UPDATE (9/4/2012):
The Federal Bureau of Investigation has issued a denial of responsibility regarding the leak of the UDID numbers.
In statement, the FBI said the following:
The FBI is aware of published reports alleging that an FBI laptop was compromised and private data regarding Apple UDIDs was exposed. At this time there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data.
So, they’re not saying the information didn’t come from the FBI, just that there isn’t any “evidence” that a laptop was compromised, or that the FBI sought or obtained the UDIDs.
UPDATE 2 (9/5/2012):
Apple itself has now issued a statement saying it did not provide any UDIDs to the FBI.
“The FBI has not requested this information from Apple, nor have we provided it to the FBI or any organization,” spokesperson Natalie Kerris said to All Things D. “Additionally, with iOS 6 we introduced a new set of APIs meant to replace the use of UDID and will soon be banning the use of UDID.”
UPDATE 3 (9/10/2012):
App developer BlueToad, who mainly builds applications for App Store developers, says that UDIDs were stolen from its servers two weeks ago. The company says that the leaked UDID data matches its stolen data at a level of 98%.