Update: Apple responds to AntiSec’s UDID leak

Macworld Australia Staff
6 September, 2012

Apple has issued a statement declaring it did not provide the FBI with the UDID information released by AntiSec hackers on Tuesday.

“The FBI has not requested this information from Apple, nor have we provided it to the FBI or any organisation. Additionally, with iOS 6 we introduced a new set of APIs meant to replace the use of the UDID and will soon be banning the use of UDID,” Apple told AllThingsD.

The FBI’s response to claims that it was tracking millions of Apple UDIDs and personal data was issued yesterday, after hackers from AntiSec released a million Apple UDIDs online in a move to draw attention to the allegations.

The statement, issued to AllThingsD, reads:

“The FBI is aware of published reports alleging that an FBI laptop was compromised and private data regarding Apple UDIDs was exposed. At this time there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data.”

A tweet from the FBI’s press office followed, drawing a response from AnonymousIRC’s Twitter account.

AntiSec claims the data is sourced from FBI agent Christopher Stangl, whose Dell Vostro notebook was breached via an AtomicReferenceArray vulnerability in Java in March and contained 12 million UDIDs, along with personal information such as user names, device names, notification tokens, mobile phone numbers and addresses.

Accompanying the data was a post from the hackers, which reads as follows:

“During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java, during the shell session some files were downloaded from his Desktop folder one of them with the name of ‘NCFTA_iOS_devices_intel.csv’ turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc. the personal details fields referring to people appears many times empty leaving the whole list incompleted on many parts. no other file on the same folder makes mention about this list or its purpose.”

Personal data, such as full names, addresses and phone numbers, have been “trimmed out”, according to the post, leaving enough data “to help a significant amount of users to look if their devices are listed there or not.”

The impact on users whose UDIDs have been released is unknown at this stage; however, iOS platform advertising or iAds may be able to utilise the data to construct targeted ads.

In the long post, the hackers went on to show their support for Russian anti-Putin group Pussy Riot, Syrian rebels, Julian Assange and Bradley Manning, and to condemn the past actions of American Government administrations.

UDID breach: How to find out if your data’s been compromised.



4 people were compelled to have their say.

  1. Wrylilt says:

    What does that actually mean though? We all just change our passwords? What countries were the logins sourced from?

  2. phil says:

    ^ That means the UDID (Unique Device Identifier) of over 12 million people has been posted online. Although not passwords, these identifiers being posted online reveals a potential threat to the security of personal device privacy by the US Government.

    The hackers have said they did not reveal personal information attached to the UDIDs, which they could’ve. Mobile advertisers can potentially take advantage of this information in some form or other.

    As you’ve said, which countries are the UDIDs sourced from? Knowing the US Government, I’d say international. I could be overstating, yet, the fact they possess this information suggests they could easily have gained the information of anyone across the globe.

  3. Rubik says:

    This means that an app publisher has provided the FBI with a dump of its user information.

  4. Morgs says:

    It means you are going to get phished to death. When hackers have a known good e-mail address they will send you stuff. Having a zero-day exploit like the Java one we are experiencing now might create some havoc.
