Apple Unique Device Identifiers posted online after FBI laptop was hacked – but why did it have them in the first place?
Hackers claimed to have posted one million Apple Unique Device Identifiers (UDIDs) that were stolen from a laptop belonging to the FBI.
AntiSec – part of the Anonymous hacking group – says it accessed over 12 millions UDIDs, the unique identifier of each Apple device. They are used by app developers and advertisers to track user behaviour.
According to a lengthy post on Pastebin the group said it hacked into a Dell laptop belonging to Supervisor Special Agent Christopher K. Stangl, part of the FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team. The hackers used a Java vulnerability to access the laptop.
AntiSec claims to have pilfered around 12 millions records in total, but decided that releasing one million "was enough". Its post on Pastebin says it trimmed, "other personal data as, full names, cell numbers, addresses [and] zipcodes" before publication, suggesting that if true, it has a wealth of information on Apple’s users.
It claims it hacked the data in response to the way the FBI tracks and monitors users, and said that most people would not care if they were told about what the FBI was doing.
"We have learnt it seems quite clear nobody pays attention if you just come and say ‘hey, FBI is using your device details and info and who the f**k knows [why] the hell are they experimenting with that’, well sorry, but nobody will care," the statement said.
"We never liked the concept of UDIDs since the beginning. Really bad decision from Apple. Fishy thingie [sic]," the statement added.
It is unknown at this time exactly what the FBI was doing holding the Apple UDIDs and what it intended to do with them. The FBI will have to answer some rather uncomfortable questions about its role in this.
It seems AntiSec is already prepared for that, however. "We will probably see their damage control teams going hard lobbying media with bullshits to discredit this," the statement said. "But well, whatever, at least we tried and eventually, looking at the massive number of devices concerned, someone should care about it."
Aldo Cortesi, a security consultant from New Zealand, called the release of the UDIDs a "catastrophe."
"The UDID issue has been a bit of a white whale of mine – I’ve written many blog posts about it and spent more hours than I care to think negotiating responsible disclosure with companies misusing UDIDs," he wrote.
"When speaking to people about this, I’ve often been asked "What’s the worst that can happen?". My response was always that the worst case scenario would be if a large database of UDIDs leaked… and here we are," he said.