Inside The UDID Hack: How A Lone Programmer Cracked The Case

Although Antisec claimed that they Jason Bourne-d a laptop last week in order to leak 1 million UDIDs and device names, the truth is far more mundane and yet far more interesting.

As we learned yesterday, the hacked data came from an app publisher called BlueToad. The company had recently suffered a digital break-in that exposed their customer list.

How BlueToad was implicated is the real story here, however. On the day of the leak, a programmer, David Schuetz, was checking out the data and began to sort it for duplicates. After a bit of futzing, he found some interesting entries. Some device IDs appeared multiple times.

11 4daa64abd
10 d1f575954
10 aa5c7aedb
8 12e6ec97e
7 f661c1396
7 4225e2a59
6 91a83b0e3
6 480074431

Correlating those the device names, he found some interesting data. Assuming this was a corporate leak, most of the devices would be related to the source. They were:

‘Bluetoad iPad’
‘Bluetoad iPad’
‘Client iPad BT’
‘Client iPad BT’
‘CSR/Marketing iPad’
‘CSR/Marketing iPad’
‘Jessica Aslanian’s iPad’

This meant that one device was in the database multiple times for multiple apps, suggesting that these were corporate devices for testing. As he dug further, he decided that BlueToad was the source and he quietly contacted the company.

Luckily, the CEO was more than willing to discuss the leak and reacted quickly:

Shortly after 8:00 that evening, I heard from Hutch Hicken, their CIO. He thanked me for what I’ve done, and for my discretion in contacting them first rather than simply going public. He told me that they’re assessing the situation, but don’t yet know anything for certain. He didn’t think the March leak (which they’d already been aware of) was related, but that the rest of my findings were concerning. He told me they plan to “do this right,” he promised to keep me in the loop (as much as is feasible for a non-employee).

What did we learn from this? First, if it sounds too cool to be true, (an FBI agent’s laptop leaked 12 million Apple UDIDs supplied by Apple itself in an effort to track us all!) it probably is, and that all it takes is a dedicated programmer with a command line to get to the bottom of some of the biggest hacks ever perpetrated by bored high school students.