Forgot your password?
typodupeerror
Crime Privacy Government Java Security Your Rights Online Apple IT

Anonymous Leaks 1M Apple Device UDIDs 282

Posted by timothy
from the don't-forget-the-one dept.
Orome1 writes "A file containing a million and one record sets containing Apple Unique Device Identifiers (UDIDs) and some other general information about the devices has been made available online by Anonymous hackers following an alleged breach of an FBI computer. 'During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java,' the hackers claim." Update: 09/04 13:44 GMT by T : A piece at SlashCloud points out that if the leak is genuine, this raises some sticky questions about privacy and security; in particular: "[H]ow did the agency obtain said information, and to what purpose? Why did all that personal data reside on the laptop of one special agent?"
This discussion has been archived. No new comments can be posted.

Anonymous Leaks 1M Apple Device UDIDs

Comments Filter:
  • So is apple... (Score:5, Interesting)

    by santax (1541065) on Tuesday September 04, 2012 @07:51AM (#41221721)
    Going to explain why they gave all the UID of their devices to the FBI?
    • Re:So is apple... (Score:5, Insightful)

      by ATMAvatar (648864) on Tuesday September 04, 2012 @08:01AM (#41221793) Journal

      Yes, that seems like the larger issue here. What purpose does the FBI Cyber Action team have with 12M Apple UUIDs (from TFA: of which only 1M was leaked so far)?

      This actually seems like a care of actual well-meaning hacktivism, as the purpose here is to inform users they are being tracked. It is only a matter of time before the remaining UUIDs are released. Unfortunately, most people have little more tech savvy than a newborn, so it is unlikely many people will even know how to compare their device to the list even if they care to do so.

      The best we can hope for is that more of them wake up to the large-scale surveillance being undertaken and the abuse of power it represents. I wish I could be optimistic, but I know better by now.

      • Re:So is apple... (Score:5, Insightful)

        by Dan East (318230) on Tuesday September 04, 2012 @08:26AM (#41222001) Homepage Journal

        The problem is that although Anonymous does have a list of Apple IDs (which I doubt has been verified yet), they don't have hard evidence attributing them to an FBI source. We have to just take their word on that one, unless the FBI admits to the breach.

    • Re: (Score:3, Insightful)

      by Shavano (2541114)

      From that comment I gather that you believe an anonymous person who claims to be a hacker who claims to have gotten what he claims is Apple UDIDs from what he claims was an FBI computer.

      • Re: (Score:2, Insightful)

        by Anonymous Coward

        This is considered "insightful"? If Shavano had taken the 5 seconds required to verify that those UDID are, in fact, valid, he wouldn't be saying silly things like this.

        Sure, we have no idea of the source of this (FBI, Apple, random person with 1M+ harvested UDIDs, etc.), but it's trivial to verify that (at least a good part of the data) is valid.

        Maybe google for "Apple UDID deanonymize" and you'll get there.

    • by gandhi_2 (1108023) on Tuesday September 04, 2012 @08:25AM (#41221993) Homepage

      I'm more interested in why a high-budget outfit like the FBI is buying Vostros!

      • by AbRASiON (589899) *

        Don't quote me on this but I think the Vostro is one of the few laptops with a matte finish nowadays.
        So the remainder of the Apple (obviously) and Dell stock is pretty much defective by design. Thank the lord for the Vostro.

      • Re:So is apple... (Score:4, Insightful)

        by ISoldat53 (977164) on Tuesday September 04, 2012 @10:16AM (#41223107)
        From the article I read the laptop was owned by the agent not the FBI which raises a whole pant load of other questions.
        • by BlueStrat (756137) on Tuesday September 04, 2012 @11:29AM (#41223965)

          From the article I read the laptop was owned by the agent not the FBI which raises a whole pant load of other questions.

          No, it's actually quite simple.

          The agent was in the process of collecting data, etc for the purpose of starting his own FBI.

          With blackjack.

          And hookers.

          But the Secret Service got mad because blackjack & hookers were their gig, and so they hacked this FBI agent's computer and released the data to Anonymous.

          The SS doesn't want to have their agents blow into town only to find all the blackjack and hookers are already booked solid by these new-FBI agents.

          Strat

    • Let's ignore... (Score:2, Insightful)

      by craznar (710808)

      ... the possibility that the FBI was doing its job.

      The only possibilities here are that the FBI or Apple are in the wrong, there is NO possibility that criminals did something wrong.

      Remember that simple rule... the FBI and Apple sometimes make mistakes, therefore they are ALWAYS responsible for things. /groan

      • Re: (Score:3, Interesting)

        by RMingin (985478)

        Ok, yes yes, the crazy mugger (cracker) was clearly in the wrong. That does leave the question of why an unconnected, shady character (the FBI) was walking around with everyone's paychecks (Apple info for which the FBI has no clearly demonstrated need).

        Nobody is declaring Anonymous innocent, but why the HELL does the FBI need a list of UDIDs? Are they tracking TERRISTS via their iPhones now, or is it more likely that the FBI just likes reading your mail, watching you in the shower, and knowing all your pass

      • by h4rr4r (612664)

        There are 1 million terrorist or criminal iPhone users?

        Does that not seem high?

    • by Anonymous Coward

      Was the leak only for USA ID numbers, or are we talking major criminal action in foreign countries here?

      It's always tempting to think the USA is the world police, but Apple do not have immunity from foreign courts if they've been handing over data like that.

    • Going to explain why they gave all the UID of their devices to the FBI?

      Considering that we were talking about UDIDs here, and UDIDs are something totally different than UUIDs or GUIDs, any post referring to UIDs should never be marked as "interesting", but "imbecile".

  • udid (Score:5, Interesting)

    by watice (1347709) on Tuesday September 04, 2012 @08:05AM (#41221829)
    UDID's aren't allowed to be used by apple anymore. Well maybe not disallowed but strongly discouraged, & depreciated in ios5, as far as I can tell.
    • So is there anything you need to do just in case your device is on the list? Upgrade to iOS6 if you can, I'd assume.
      For older devices that can't upgrade (thinking of my original AppleTV here), is there any risk? Is it likely someone would use your UDID to simulate being you so they can jailbreak their devices?

    • by afidel (530433)

      Yes, they're likely just to be only used internally as the seed to the encryption algorithm. That's the most plausible reason for the FBI to have the list, so that they can plug the UDID into a key generator that will decrypt the phone. How else do you think those LEO phone crackers work in minutes.

  • I am now looking for my device IDs in that list...a drag. But how oblivious is the typical iPhone customer to just how naked they are? I salute the hackers for giving the fascist bureau of iDevices and their lackies a big black eye.
  • 1984 is now but we pretend it's not the case!
  • by Anonymous Coward on Tuesday September 04, 2012 @08:14AM (#41221907)

    > Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team

    This guy must have business cards 2 feet wide.

  • FS (Score:5, Funny)

    by Altanar (56809) on Tuesday September 04, 2012 @08:16AM (#41221939)
    Eh, if the FBI wants to know where I am at all times, they can follow me on Foursquare like everyone else.
  • Seriously, does anyone really think this is not commonplace? If the government is doing this behind the scenes just imagine what Facebook does with the data you willingly sign over to it. This is just the tip of the iceberg. Sure it's not suppose to happen, sure it's wrong, sure no one agreed to it and it needs to be corrected...but if something can be abused, it will be.
    • This is why facebook only knows that I like to cook random food stuff. Seriously that is type of data I would trust facebook with or any random company or government agency. By the way some of my more recent postings are of:
      Soda bread
      Pork schnitzel in the style of Vienna
      Sweet Potato Pie
      German chocolate cake
      Home made ravioli (stuffed with bison, venison, beef, 3 cheeses, and spinach) in creme sauce
      Beef and Guinness stew
      Bacon wrapped venison roast slow cooked and smoked in my barbeque
      Spicy chili
      7 bea
      • Re: (Score:2, Funny)

        by Anonymous Coward

        Those health insurance premiums... increased lately?

        • Given the crap in the prepackaged processed food most Americans eat even eating what I cook would still be orders of magnitude better for you so my health insurance premiums should be going down. Besides the only things that would be considered bad for you would be the German chocolate cake or sweet potato pie again both of which don't contain any heavily processed ingredients. Even the schnitzel isn't that bad for you unless you are eating it all the time, and the bacon wrapped venison roast probably still
      • I'll go for the home made bison and cheese stuffed ravioli, thank you.

        As to the garlic soup, don't bother.
        Relations between humans tend to be difficult enough even w/o garlic. ;-)

  • by nweaver (113078) on Tuesday September 04, 2012 @08:59AM (#41222367) Homepage

    It sounds like this is a dump of data from an application vendor to the FBI: Apps have (in the past) used UUID for identification, and the push-notification tokens also suggest application, not apple, as the source.

    So which application is responsible?

    • If one finds a phone which is in the list, is there a way to find out which application is associated with the push notification token? If so, this would help identify the application vendor responsible for dumping this data onto the FBI.

    • by Anubis IV (1279820) on Tuesday September 04, 2012 @10:53AM (#41223565)

      The current theory (as mentioned by Marco Arment [marco.org]) is that it may be from AllClear ID's iOS app, given that AllClear officially joined the NCFTA [greensheet.com] in the second week of March. Since the leaked file's name had NCFTA in it, it's pretty clear that it came from the NCFTA, and it would make sense that AllClear would have started providing some data prior to when they actually announced they had joined, so that may explain (but certainly not justify) why someone had something like that on their desktop on the week of the attack.

      If AllClear is indeed the source, that would be some rather delightful irony, given that they would be directly responsible for causing more damage to their customers than they will ever likely prevent.

      Also, if AllClear sounds familiar, it may be because they were the the company providing a year of free identity theft protection to Sony customers after the hacks last year that compromised millions of PSN accounts.

  • by walter_f (889353) on Tuesday September 04, 2012 @09:27AM (#41222621)

    "Why did all that personal data reside on the laptop of one special agent?"

    Probably it didn't and doesn't.
    Reside on the laptop of *just one* special agent, that is.

    Whenever one of these special agents gets something particular from the boss, all the others want that, too.

  • Calm down, everyone with an Apple device, there's more than one Dark Knight with a laptop. You don't see your UDID, you're on another laptop darkly. Each device has GPS, a mic, front-facing camera and wireless connection for your safety.

  • Solved question (Score:4, Interesting)

    by gmuslera (3436) on Tuesday September 04, 2012 @10:19AM (#41223139) Homepage Journal
    I suppose that anonymous getting access to FBI computers (and making it public) answers the old question of who watches the watchers.
  • That a mainstream news outlet (like CNN) would discover that leak suddenly and act all surprised would be ridiculous, given that the general public ought to know, 11 years after 9/11, how privacy has been dismantled by intelligence agencies.

    But slashdot? How is anyone surprised? Haven't we seen the news about the official spyware installed on all iPhone (yes and a lot of Android phones too)? Aren't we ranting all day long about the circulation of privacy data without overseeing?

    There is one thing that ou
  • Just completed an entirely unscientific look at the data - I checked the UDID's of the iPads we have registered here (at a large financial company in the UK) and none are in the list. Given that this is 1m of 12m records, what ratio is 12m of the total population size for iphones and ipads?

    i.e. if I checked 20 UDIDs, none of the came up, can we say that (allbeit with a low degree of confidence) the sample does not include UK registered devices? is it just USA registered devices? has anyone outside of the

    • by scorp1us (235526)

      I'm still trying to decode the file, and my iphone is in my desk at home, off. So I'll have to look later.
      But it makes no sense for the FBI to have UK UUIDs. FBI only operates in a domestic capacity. The CIA would be the ones to have UK UUIDs.

    • by u38cg (607297)
      Making some sweeping assumptions about the dataset, you have X~Bin(1/12,20); fire up R:

      > dbinom(0,20,1/12)
      [1] 0.1754805

      So no, you're not in the clear with any confidence, though you are more likely than not.

  • by sootman (158191) on Tuesday September 04, 2012 @10:41AM (#41223399) Homepage Journal

    "A piece at SlashCloud points out...."

    Jeez. You mean "Us, standing over there." Why pretend it's an unrelated entity?

  • It looks base64 but not quite. But I did only try a portion of the file.

    Help?

We warn the reader in advance that the proof presented here depends on a clever but highly unmotivated trick. -- Howard Anton, "Elementary Linear Algebra"

Working...