
FBI calls hack claims 'totally false'

Johannesburg, 05 Sep 2012

On Tuesday, hackers associating themselves with Anonymous published over a million Unique Device Identifiers (UDIDs) associated with Apple iPhones and iPads.

A UDID is a sequence of 40 letters and numbers specific to an Apple device such as an iPhone, iPad or iPod Touch. The hackers claimed this is just a small portion of a larger database of more than 12 million UDIDs and personally identifiable information such as full names, cellphone numbers and addresses belonging to Apple customers.

The database was said to have been stolen via a Java vulnerability from the laptop of a Federal Bureau of Investigation (FBI) agent.

Security firm LastPass says: “The leaked UDIDs in and of themselves do not pose a serious risk to users. However, there's cause for concern when UDIDs are paired with personally-identifiable information, which the hackers indicate they have in the original data set, although there's no proof at this time. Combined with your name, address, mobile number, and the types of Apple devices you own, identity theft and social engineering are potential threats.”

LastPass has created a new tool for Apple customers to use to check if their UDID was included in the leak. “Note that yours could still be one of the alleged 11 million not publicly released, so caution is still recommended,” says LastPass.

Senior technology consultant at Sophos, Graham Cluley, said since the hackers did not release the majority of the information they claimed to have, he suspects the hackers were more interested in embarrassing the FBI's team than endangering innocent users.

'No evidence'

A full statement released by the FBI later said: “The FBI is aware of published reports alleging that an FBI laptop was compromised and private data regarding Apple UDIDs was exposed. At this time, there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data.”

While the veracity of the data and the involvement of the FBI remain to be proven, Apple has recently been attempting to phase out developer access to UDID as a result of privacy concerns. Developers have since begun using UDID alternatives, but Apple's enforcement of the change has been notably slow. According to TechCrunch, until May this year Apple still approved apps that tracked user devices.

The Anonymous Twitter handle, AnonymousIRC, tweeted: “People whose UDID was on the list released by AntiSec might want to compare their installed apps. A common culprit might be found.”

The same Twitter handle also tweeted in response to the FBI: “You know you're doing something right if @FBIPressOffice throws caps at you on twitter to deny an #Anonymous statement.”

“Also, before you deny too much: Remember we're sitting on 3TB additional data. We have not even started. #funtimes #fff”

Another tweet from AnonymousIRC said the FBI statement on the hack was “wishy-washy” and that it basically says: “We don't know of anything.”

Anonymous also made some strange demands in the statement that accompanied the leak of the UDIDs. The hackers stated they would not grant interviews to any member of the media until an un-Photoshopped picture of journalist Adrian Chen of Gawker, wearing a tutu, with a shoe on his head, was displayed on the front page of the news site for a full day. Chen obliged, saying: “As a journalist, I am sworn to bring facts to light by any means necessary.”
