Source of AntiSec’s UDID leak revealed – and it’s not the FBI

11 Sep 2012

Last week, hacker group AntiSec published 1,000,001 Apple user device identifiers (UDIDs), claiming that the data came from an FBI laptop the organisation had breached in March. However, a digital publishing company has come forward to say the data actually came from its files and was obtained just over a week ago.

The real source of the leak was discovered by security consultant David Schuetz, who searched the data for the most frequently repeated device IDs and turned up 19 devices tied to BlueToad, a company that creates digital editions of publications for mobile apps.

Schuetz contacted BlueToad with this information and the company’s own analysis found a 98pc correlation between the leaked UDIDs and its own data. “That’s 100pc confidence level, it’s our data,” BlueToad CEO Paul DeHart told NBC News. Further investigation from BlueToad revealed that the data had been stolen just over a week ago, not in March, as AntiSec claimed.

Sorting the facts from the fiction

BlueToad works with more than 5,000 publishers on more than 10,000 titles, which would explain why data allegedly taken from the FBI’s files contained information on users outside of the US: ESET had discovered some suspiciously Irish names among those on the list.

When the list was first published, AntiSec claimed it had obtained 12m UDIDs from the breach, but BlueToad disputes this, saying that fewer than 2m were compromised in the attack.

However, BlueToad’s revelation is consistent with AntiSec’s hints that a common app was responsible for the leak. Writing on its Twitter account, the hackers said, “People whose UDID was on the list released by AntiSec might want to compare their installed apps. A common culprit might be found.”

This news has also shed more light on the type of information obtained by AntiSec. “BlueToad does not collect, nor have we ever collected, highly sensitive personal information like credit cards, social security numbers or medical information,” reads the company’s official statement. “The illegally obtained information primarily consisted of Apple device names and UDIDs – information that was reported and stored pursuant to commercial industry development practices.”

The end of UDIDs

Because of privacy concerns regarding the misuse of UDIDs, the practice of tracking them has been discouraged by Apple for several months now, and BlueToad followed this recommendation in recent updates to its apps. “We have now also discontinued storing any UDID information sent to our servers by apps that have not yet been updated to the new code base,” the company said.

Following the data leak, Apple has decided to ban the use of UDIDs altogether. This will be rolled out with iOS 6. As well as fixing vulnerabilities, BlueToad has contacted the proper authorities regarding the breach and a criminal investigation is ongoing.

In the end, it seems this was all just an elaborate ploy from AntiSec to see Gawker writer Adrian Chen in a tutu with a shoe on his head. Well played.

Elaine Burke is the editor of Silicon Republic