AntiSec, the anti-government and big business section of Anonymous, has recently released 1,000,001 iDevice Unique Device Identifiers (UDIDs) to the public, with the claim that there are a lot more where they came from. That number alone is staggering from a privacy perspective, but AntiSec's claims about where the identifiers came from, and how many more are available there, raise an even bigger issue.
According to the group’s claims, the UDIDs came from an FBI device, and the group follows that up with the claim that the FBI has a list of over 12 million ID numbers which can be used for various forms of tracking. Even if the claims prove false, the million UDIDs released are an issue in themselves.
A Unique Device Identifier, or UDID, is the number assigned to each specific Apple device (iPhones, iPods, iPads). UDIDs have many beneficial uses, such as distributing trial versions of applications, storing application preferences and marketing. The problem, though, is that a UDID can also be used by tracking agents that monitor data that passes through the device, such as e-mail, passwords, credit cards, stored information and GPS information. While UDIDs are valid sources for tracking some forms of data, they aren’t set up in a way that makes them secure, and they can be used for nefarious purposes.
How was the data acquired? The hackers released this statement:
During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java. During the shell session some files were downloaded from his Desktop folder, one of them with the name of “NCFTA_iOS_devices_intel.csv” turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc. The personal details fields referring to people appears many times empty leaving the whole list incomplete on many parts. No other file on the same folder makes mention about this list or its purpose.
So that brings us to the question of why, if this is true, the FBI has over 12 million UDIDs and information tied to them. If it were just UDIDs that would be one thing, but when you also tie in “user names, name of device, type of device, Apple Push Notification Service tokens, zip codes, cell phone numbers, addresses, etc” you need to ask why they have all of this information and what they are doing with it. So far the FBI has made no announcement on why this information may have been tracked by the National Cyber-Forensics & Training Alliance (which is where the acronym prefixed to the filename appears to point). If there were an ongoing investigation that required a handful of UDIDs, that could be explainable, but having 12 million, if the rumor is true, can raise nothing but questions. Even if the rumor does not prove true, if this did come from an FBI laptop, why did they have even 1 million UDIDs on file with so much other information? This is clearly a potentially serious privacy catastrophe.
If you want to see whether one of your UDIDs is listed in the leaked document, you can check it on The Next Web. While there isn’t anything you can currently do if your device is on the list, at some point one of the companies involved may offer privacy monitoring for you, or it may be a service you would be interested in looking into.