The hacker group AntiSec has released an enormous log of UDIDs from Apple devices, allegedly gathered from an FBI laptop. There are 1,000,001 devices in the log, and while some information has been removed, there’s an awful lot of personal details. Apparently, this comes from a much larger pool of data:
During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java. During the shell session some files were downloaded from his Desktop folder; one of them, with the name of “NCFTA_iOS_devices_intel.csv”, turned out to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc. The personal details fields referring to people appear many times empty, leaving the whole list incomplete on many parts. No other file on the same folder makes mention about this list or its purpose.
We have no idea at this point why the FBI (allegedly) has this information, or if they have similar files on users of other types of devices — but I have a gut feeling that if it’s true for iOS, then it’s also true for Android.
If you’re worried that your information is up on this list, there are a couple of ways of checking. TNW has put together a site to see if your UDID is on the list, and here’s another one. This last one is nice because it allows you to just enter a section of your UDID, and not the entire thing.
What’s going to be interesting from this point is to see how this plays out — if the FBI will offer an official response, and if they bump up their own security following the leak.
UPDATE: It looks like the information may be traced back to the All Clear ID app.
UPDATEx2: The FBI denies everything:
The FBI is aware of published reports alleging that an FBI laptop was compromised and private data regarding Apple UDIDs was exposed. At this time there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data.
UPDATEx3: Apple says they didn’t give the info out:
“The FBI has not requested this information from Apple, nor have we provided it to the FBI or any organization. Additionally, with iOS 6 we introduced a new set of APIs meant to replace the use of the UDID and will soon be banning the use of UDID.”