Operation AntiSec has made a return, this time leaking a file containing 1,000,001 unique device identifier numbers, or UDIDs, for Apple devices. The hackers are claiming that the data was stolen from a laptop belonging to the FBI, and that in total, it contained more than 12 million UDID numbers.
The file containing the data was accompanied by a longer than usual Pastebin post, which claims that in March, a Dell laptop belonging to “Supervisor Special Agent Christopher K. Stangl,” who works for the FBI’s Regional Cyber Action Team, was compromised using a Java vulnerability and a variety of files downloaded from it.
One was the above list of 12,367,232 UDID numbers, along with other personal data such as user names, Push Notification tokens, telephone numbers, address and the originating device.
According to the post, the personal data has been removed prior to uploading, but the UDID, notification token, device name and device type apparently remains. Forbes.com’s Andy Greenberg downloaded and decrypted the file, and found it contains a massive collection of 40-character strings, all of which could pass for Apple UDID codes.
Real UDID codes?
As you’d expect, the leak raises more questions than it answers. To whom do the UDID’s belong too, and why — presuming the information on the source is accurate — would the FBI have a single file listing 12 million of them.
While labeling its existence as proof of a conspiracy will be popular, there is an equally good chance the file is part of an investigation, or was supplied to the FBI quite innocently. There’s also the chance it didn’t come from the FBI at all, but from a developer. It’s also not the first time AntiSec has targeted Apple.
In its Pastebin text, Anonymous says that the “FBI is using your device info for a tracking people project or some sh*t,” and calls for UDID codes and similar device-identifying numbers to be “erradicated (sic) from any device on the market in the future.”
Apple’s use of UDID numbers has caused controversy in the past, with even Apple telling developers to stop tracking users using the codes. UDIDs themselves don’t carry personal data, but can be combined with other information to aid device tracking and monitoring.
Over at Hacker News, at least two contributors claim to have found UDID codes relating to their personal iOS devices. One lives in the USA and the other in the UK, but no common link between them or the apps they have installed has been established.
Interestingly, Cydia developer Jay Freeman (AKA Saurik) adds to the conversation, saying that 16.7-percent of the UDID’s in the file come from jailbroken iOS devices, according to his research.
As for Special Agent Christopher Stangl, it appears he exists, which potentially adds some weight to Anonymous’ claims. There is a LinkedIn profile for someone under that name, who works for the FBI and has that job title; plus in 2009, FBI Agent Chris Stangl made a video for Cyber Security Awareness Week at NYU.
His name also appears on an FBI email list published on the Internet earlier this year, which led to hackers listening into a conference call discussing the activities of LulzSec and Anonymous. It’s speculated that these addresses were phished and led to a compromised website, where a Java vulnerability was exploited.
Anonymous has said it won’t be providing any further details, but hopes that due to the large amount of leaked information, “someone should care about it.” While we’re not expecting much from the FBI, it’ll be interesting to see if Apple provides a response.
If you’re wondering whether your iPhone, iPad or iPod Touch’s UDID appears on the leaked list, then this website offers a quick and easy way to check; but first, you’ll need to know your UDID number.
Luckily it’s not that difficult to locate. Simply open iTunes, plug your device into your computer, then select it from the Devices list. Click where it says Serial Number, and the UDID will magically appear. Copy it to the clipboard, then paste it into the box on the site above. If you need clarification on how to find your UDID, whatsmyudid.com provides easy to follow instructions with images too.