One million Apple UDIDs leaked by hacker group

The loose collective of hacktivists operating under the name AntiSec has released a file of over one million Apple UDIDs. It claims that this is part of a haul of 12 million records of both UDIDs and personal information taken from an FBI agent's laptop. The group announced the release on its @anonymousirc Twitter account.

The list is said to have come from an FBI employee's laptop which was compromised in March using a Java "AtomicReferenceArray" vulnerability; this allowed the hackers to place a shell on the device allowing them to explore its contents. They discovered a file on the Desktop "NCFTA_iOS_devices_intel.csv" which contained a list of 12.3 million Apple iOS devices. There did not appear to be any other references on the laptop to the list or any information which would explain its presence.

Details of the information dump were placed on Pastebin where AntiSec says a number of the records in the original data contained zip codes, full names, addresses and cell numbers, while others contained none. However, they decided to trim the information down to the Apple Device's unique device identifier (UDID), APNS (Apple Push Notification Service) tokens for accessing the notification service, the device's name (e.g. "John Doe's iPhone") and device type (e.g. "iPad").

App developers and ad networks had previously used UDIDs to identify individual users in order to customise their app experience. Games networks also used the identifiers to simplify connecting users. But in September 2011, a security researcher succeeded in using the UDID to log into a variety of those networks and obtain information such as user name, friends, Facebook/Twitter IDs, location or email address.

Apple warned developers a year ago to not use the UDID as a personal identifier and to find alternative ways of uniquely identifying users. Since March 2012, Apple has been rejecting submissions of Apps to the iTunes App Store that make use of UDIDs and will be rolling out a new user tracking scheme based around two types of identifiers – one for app developers and one specifically for advertisers. In contrast with the UDID, both can be regenerated as needed by the user.

Fixed device IDs have always been considered "a really bad idea", said AntiSec, who suspect that the FBI uses such a list for monitoring. How the FBI came into possession of this UDID list is currently unclear though. The "NCFTA" part of the file name could indicate that the file came from the National Cyber Forensics & Training Alliance, but again, how that organisation would have obtained it is not known. Apple has sold some 400 million iOS devices since 2007 and has yet to make a statement on the publication of the dataset.

(djwm)