Antisec Leaks 1,000,001 UDIDs From A Trove Of 12 Million Allegedly Stolen From An FBI Laptop

Hacker group Antisec has released 1,000,001 pieces of data related to Apple’s UDID identification scheme. This data, if cross-referenced with Apple’s developer resources, could potentially identify a unique user’s geographic location and other specific information. In fact, the database does contain device names (for example, one UDID points to a device name “hobamain” and appeared in a search for the name “Obama”).

This leak is purported to come from a trove of 12 million UDIDs allegedly hacked from the Dell laptop of Supervisor Special Agent Christopher K. Stangl who appears in this video calling for more people to consider a career in cyber-security.

You can read details on the hack and how to find the data here.

Antisec wrote:

During the shell session some files were downloaded from his Desktop folder; one of them, with the name of “NCFTA_iOS_devices_intel.csv”, turned out to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc. The personal details fields referring to people appear many times empty, leaving the whole list incomplete in many parts.

You can check to see if your UDID is in the list using this tool, or you can download the file from one of Antisec’s mirrors. The organization stripped out any identifying information they had, claiming that “we trimmed out other personal data as, full names, cell numbers, addresses, zipcodes, etc.” As it stands, the data is fairly clean, supplying only the UDID, the Push Notification service ID, and a device name. I’ve been able to identify individuals based on this data using a quick social media search, but they are still not a direct 1-to-1 identifier.
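As an added illustration (not code from the article or from Antisec’s release), here is a small Python parser for the three-column shape the trimmed dump is described as having (UDID, APNS token, device name): it validates UDIDs before matching, reports rows it had to drop, and flags device names that embed an owner’s name, the field that makes cross-referencing possible. The column headers, the sample rows and the 64-hex-character token format are assumptions.

```python
import csv
import re

# Constructed sample rows in the three-column shape the article describes
# for the trimmed dump (UDID, APNS token, device name). Every value is made up.
SAMPLE_DUMP = """\
udid,apns_token,device_name
0123456789abcdef0123456789abcdef01234567,00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff,hobamain
89abcdef0123456789abcdef0123456789abcdef,ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100,Jane Doe's iPhone
not-a-udid,deadbeef,broken row
ABCDEF0123456789ABCDEF0123456789ABCDEF01,0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef,iPad
"""

UDID_RE = re.compile(r"^[0-9a-f]{40}$")     # a UDID is 40 hex characters
APNS_RE = re.compile(r"^[0-9a-f]{64}$")     # assumption: 32-byte push token, hex encoded
OWNER_RE = re.compile(r"\b\w+(?:'s|’s)\b")  # "Jane Doe's iPhone" style device names

def normalize_udid(value):
    """Lower-case and validate a UDID; raise ValueError on anything else."""
    udid = value.strip().lower()
    if not UDID_RE.match(udid):
        raise ValueError("not a 40-hex-character UDID: %r" % value)
    return udid

def load_records(text):
    """Parse dump text into dicts; rows failing validation are dropped, not guessed at."""
    records, skipped = [], 0
    for row in csv.DictReader(text.splitlines()):
        try:
            udid = normalize_udid(row["udid"])
        except ValueError:
            skipped += 1
            continue
        token = row["apns_token"].strip().lower()
        if not APNS_RE.match(token):
            skipped += 1
            continue
        records.append({"udid": udid, "apns_token": token,
                        "device_name": row["device_name"].strip()})
    return records, skipped

def is_listed(udid, records):
    """True if the (normalized) UDID appears in the parsed dump."""
    target = normalize_udid(udid)
    return any(r["udid"] == target for r in records)

def names_with_owner(records):
    """Device names that embed an owner's name, the field a social media search can turn into a person."""
    return [r["device_name"] for r in records if OWNER_RE.search(r["device_name"])]
```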

This data is interesting in that it didn’t necessarily have to come from Apple, and the implications of its existence on an FBI machine (or anywhere) are not clear. In short, all of this data appears regularly in iOS app developer databases and is used to deliver push notifications. Therefore, it seems most likely that this is a database dump of a single app’s (albeit huge) user base. Any app with more than 12 million users, then, would be suspect.

Also not clear are the security implications of this data. It is a customer list and as such could contain potentially damaging information. That it was sitting, unencrypted, on any hard drive is a travesty. That it was stolen from an FBI hard drive, even allegedly, is an outrage.

How bad could this be? Programmer and security guru Aldo Cortesi writes: “I looked at all the gaming social networks on iOS – basically OpenFeint and its competitors – and found catastrophic mismanagement by nearly everyone. The vulnerabilities ranged from de-anonymization, to takeover of the user’s gaming social network account, to the ability to completely take over the user’s Facebook and Twitter accounts using just a UDID.”

How bad is it really? We’re still not clear. We have emails in to Apple and other experts, but look for updates as the story progresses.