Hackers leak 1 million Apple UDIDs allegedly stolen from FBI laptop

Hackers claim to have stolen a file containing information on over 12 million iOS devices and their owners from an FBI laptop

A group of hackers released a file containing unique identification data for over 1 million Apple iOS devices and claim that the information is part of a larger database stolen from the compromised laptop of an FBI agent.

"During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability in Java," the hackers, who claimed affiliation to Anonymous and its Operation Antisec campaign, said Monday in a statement published on Pastebin.

"During the shell session some files were downloaded from his Desktop folder," the hackers said. "One of them with the name of 'NCFTA_iOS_devices_intel.csv' turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc."

As proof, the hackers released a stripped-down version of that file that only contained 1 million UDIDs, with associated Apple Push Notification Service tokens and device names. The other personal data that accompanied many of the UDIDs was intentionally removed, the hackers said.

The FBI declined to comment on the alleged security breach.

However, the leaked UDIDs -- random-looking codes made up of letters and numbers that are unique to every iOS device -- appear to be authentic.

"I have confirmed three of my devices in the leaked data," Peter Kruse, an electronic crime specialist at Denmark-based security firm CSIS Security Group, said Tuesday on Twitter.

A check of a random sample of UDIDs using the publicly accessible API (application programming interface) of OpenFeint, a social networking platform for iOS games, revealed that many of them correspond to devices whose owners have OpenFeint player profiles.

According to security researcher Aldo Cortesi, the founder of New Zealand-based security consultancy firm Nullcube, the leak of UDIDs can have serious privacy implications.

In the past, Cortesi investigated how UDIDs were being used by app developers and what information was being associated with them.

In May 2011, he reported that, when supplied with an UDID, the OpenFeint's API returned GPS coordinates and information that could reveal the user's Facebook profile.

In September 2011, he reported that other popular iOS gaming platforms had similar data leak issues. In one case, a platform's API even allowed attackers to take over a user's Facebook and Twitter account by knowing only their iOS device's UDID.

"It's disheartening to say it, but some of the companies mentioned in my posts still have unfixed problems (they were all notified well in advance of any publication)," Cortesi said in a blog post published Tuesday in light of the new UDID leak, which he described as a "privacy catastrophe."

"There are a number of far more serious problems still unfixed in the gaming social networks I discussed, but I would like to avoid describing those directly," Cortesi said Tuesday via email. "I [also] know of similar vulnerabilities in a number of non-gaming applications."

One of the problems is that user information linked to UDIDs has been aggregated in thousands of databases that now exist all over the Web, Cortesi said. "It takes only a single leak or security incident for data like this to be exposed."

"It's common, for instance, for app developers to use a UDID as a pseudo-identifier for users, and then to use that for tracking and analytics," Cortesi said. "The result would be a database of UDIDs with some associated behavioral information."

The use of UDIDs has been deprecated since iOS 5.0 and Apple has started rejecting App Store submissions for apps that access UDIDs since March.

The UDID was a bad idea from the beginning and Apple should have realized its privacy implications, Cortesi said. "I believe that they're doing what they can to move the application ecosystem away from using UDIDs as quickly as possible. They've just not quite been quick enough."

Apple did not return a request for comment regarding the leak of 1 million UDIDs.

(Jeremy Kirk in Sydney contributed to this report.)

Join the CSO newsletter!

Error: Please check your email address.
Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place