The one million Apple Universal Device IDs (UDIDs) hacker group AntiSec released last week to the public was not hacked from an F.B.I-owned laptop.
Instead it has been revealed that the data information came from publishing company Blue Toad.
The company, contacted by outside researcher David Schuetz, was alerted that the data could have come from their devices. Further investigation found there was a 98% correlation between the released data and their own.
Blue Toad CEO Paul DeHart then contacted NBC, stating that the company had a “100 percent confidence level” the released data was theirs, after carrying out comparisons of the released data and the records on its own servers.
“As soon as we found out we were involved and victimized, we approached the appropriate law enforcement officials, and we began to take steps to come forward, clear the record and take responsibility for this,” Mr. DeHart continued.
A forensic analysis then showed the data had been stolen in the past two weeks.
AntiSec’s statement given with the release of the one million UDIDs said the data was one part of over 12 million they had accessed after hacking the notebook of Christopher K. Stangl, a member of the F.B.I’s Regional Cyber Action Team and New York FBI Office Evidence Response Team, using a Java vulnerability six months earlier.
The total data was reported to also contain names, addresses, mobile phone numbers, and other information about the device owners.
According to AntiSec, the files were obtained from a folder on the notebook entitled “NCFTA_iOS_devices_intel.csv”, with “NCFTA” referring to the National Cyber-Forensics and Training Alliance, an intelligence-gathering liaison between the American federal government and businesses.
If AntiSec’s statement were true it would have suggested Apple, or other wireless carriers or app makers, were supplying information to the NCFTA, arousing suspicions that the F.B.I was using this data to track citizens.
Apple denied supplying the F.B.I with data information, and is banning the use of UDIDs in iOS 6. The F.B.I was also quick to deny the allegations made by AntiSec, reporting in the New York Times:
“The F.B.I. is aware of published reports alleging that an F.B.I. laptop was compromised and private data regarding Apple UDIDs was exposed. At this time there is no evidence indicating that an F.B.I. laptop was compromised or that the F.B.I. either sought or obtained this data.”
Alongside this, an article by Forbes’ Kashmir Hill from last April reported that NCFTA doesn’t collect personally identifiable information.
Blue Toad offers various channels that allow publishers to digitally distribute books and magazines to different platforms, which includes apps on the iTunes App Store.
App developers use UDIDs to track user behaviour, for the purpose of ad targeting or usage monitoring.
Trudy Muller issued a statement for Apple to NBC about the false F.B.I hacking:
“As an app developer, BlueToad would have access to a user’s device information such as UDID, device name and type. Developers do not have access to users’ account information, passwords or credit card information, unless a user specifically elects to provide that information to the developer.”
AntiSec has said that the group will not answer questions about the Blue Toad revelation until online magazine Gawker.com posts a picture of writer Adrian Chen wearing a tutu on its homepage.
The UDID is a set of numbers and letters that identify an Apple device, but no personal information about the user of the device. Online technology and business blog thenextweb.com has posted that “you can do very little with a UDID alone, and even with some bits of user information, it’s not likely to cause a lot of distress.”
The blog site has also posted a UDID checker for Apple users to check if their UDID was a part of the data released by AntiSec.
UDIDs currently cannot be changed, and are permanently attached to the device.
BY: Tom Randall