Leaked UDID List Stolen From App Developer, Not FBI

The one million unique device identifiers (UDIDs), unique codes that correspond to individual iOS devices, released by hacker group Antisec last week were likely stolen from the servers of a mobile app publishing company and not from an FBI laptop, as the group claimed, according to NBC News. An analysis of the data released by Antisec thus far shows that it is likely that the information was stolen from Florida app publisher Blue Toad “in the past two weeks.”

David Schuetz, an outside security researcher, first noticed the connection between Blue Toad and the UDID data by identifying many Blue Toad internal UDIDs in the list. He then contacted the company, which performed its own analysis shortly after. That analysis found a 98 percent correlation between the leaked UDIDs and Blue Toad’s own UDID database. A separate security audit revealed that the company’s servers had been breached in the past two weeks.

“That's 100 percent confidence level, it's our data,” Paul DeHart, CEO of Blue Toad, told NBC News. “As soon as we found out we were involved and victimized, we approached the appropriate law enforcement officials, and we began to take steps to come forward, clear the record and take responsibility for this.”

Hacker group Antisec released the million UDIDs on September 3, with a statement that the group possessed an additional 11 million UDIDs and corresponding personal information. It claimed that the data had been obtained from an FBI laptop in March 2012 using a Java vulnerability.

The FBI denied Antisec’s claims the following day. The law enforcement agency stated that it neither possessed nor sought to possess iOS UDIDs. It also claimed that there was no evidence that one of its laptops had been compromised during the time frame described by Antisec.

With Mr. DeHart’s admission to NBC News, however, it appears that the information at least originated at Blue Toad, although Mr. DeHart said he could not rule out the possibility that the data, after it was stolen from his company’s servers, was eventually obtained by the FBI.

A UDID is linked to every iOS device and, while relatively harmless on its own, can raise serious privacy and security concerns if it is paired with other user information. As a result, Apple began to force iOS developers to phase out UDID usage and storage in their apps earlier this year.

Despite these efforts, many millions of iDevices and apps, especially those that are not running current software, still use and store UDIDs, risking user privacy. That is how Blue Toad, which helps thousands of app developers create and publish their apps, came to be in possession of so many UDIDs.

Users should not be too concerned, Mr. DeHart said, as the data released by Antisec did not contain significant personal information:

“I would hate to suggest that [iOS users] need to go out and begin clearing off their device or removing or deleting apps... Check one of these sites to see if your UDID was part of the database dump. And if it is, use your own personal discretion on what you think is appropriate. … One of the best things you could do at the moment is go in and upgrade that app if there's an upgrade available for it.”

Aldo Cortesi, a security researcher, disagreed with Mr. DeHart’s analysis of the situation’s severity. Mr. Cortesi has long argued against the use of UDIDs, and has previously used UDIDs to hack into iOS users’ game accounts, contact lists, and social media accounts to prove his position. As Mr. Cortesi explained to NBC News:

“The concern is that there may be a UDID-related problem out there of the kind I've described, which could now be exploited at a massive scale, by someone armed with a million UDIDs. The type of information I was able to access would have been very valuable to scammers and identity thieves, for instance. With mischievous entities like Antisec and Anonymous about, you can even envision a massive public dump of users' private information, just for the hell of it. We just don't know what the full impact might be.”

Users concerned about their iDevice UDID can check it against the leaked database by using a web tool created by The Next Web. Should you find your UDID on the list, however, there is relatively little one can do to address the situation. A UDID is permanently linked to a device and cannot be changed.

All users, however, should ensure that their devices have the latest Apple firmware and software updates and that all apps are updated to the latest version. Doing so will limit the chance that future UDID breaches will contain any personally identifiable information.

As for Blue Toad, Mr. DeHart said that he could not provide further details due to the criminal investigation, but that his firm was sorry for the situation: “I had no idea the impact this would ultimately cause. We're pretty apologetic to the people who relied on us to keep this information secure.”

Teaser graphic via Shutterstock.