The Mac Security Blog

FBI Denies It’s the Source of Leaked UDIDs

Yesterday, the hacking group AntiSec published a list of 1 million UDIDs from Apple devices. A UDID is akin to a serial number for each individual iDevice. AntiSec said that it had stolen this information by using a zero-day Java vulnerability to gain entry to the laptop of an FBI agent who recruits white-hat hackers. The complete database that they allegedly stole is supposed to include over 12 million UDIDs in total, along with a bunch of other personally identifying information. What followed over the next few hours could generally be described as people freaking the heck out. The idea that a government agency was keeping tabs on 12 million people was admittedly terrifying. However, this story was setting off the troll-detectors of more than a few people. And, in fact, the FBI has since issued a statement declaring AntiSec’s assertion “TOTALLY FALSE.”

The story sounded just a little too scary, and a little too implausible, based on the details given. What proof did anyone have that what they said was true? AntiSec offered none, and would only talk with the press if one particular Gawker journalist posted a picture of himself in a tutu with a shoe on his head. It seemed a more likely scenario that this was simply data gathered by any one of a number of app developers. Initial speculation was that the data was given to the FBI by an app developer, in cooperation with a cybercrime investigation. People started asking for lists of apps used by those people whose UDIDs were on the list, to see what they had in common. As of this writing, nothing has been definitively identified as a common denominator.

So, what should you do, as the owner of an iDevice? In short, breathe. As the situation stands right now, this is no reason to panic.

UDIDs are not, by themselves, all that useful for nefarious purposes. No more so than an email address by itself. Or an IP address. If combined with other information, they can carry some scary privacy implications. But then, that’s the nature of data aggregation. Get enough information, no matter how generic and vague it may seem, and we can all be identified. Certainly, if such a list as AntiSec claims to have goes public in its entirety, that could be an upsetting privacy debacle regardless of who created the list. There is currently no way to change your UDID (though if you wish to use this as an excuse to buy the new iPhone, we can’t really blame you!) and app developers are not allowed to track this info anymore.

Go about your day, enjoy those last few moments of summer, and don’t let some Internet trolls cause you undue stress.
