Names of Irish iPad and iPhone users found on leaked UDID list

7 Sep 2012

A security software firm has pointed to the large presence of Irish-spelled names on the list of 1m iPhone and iPad users’ UDID numbers leaked by hacker group AntiSec. It has been claimed the data was taken from an FBI computer.

The hacker group AntiSec claims it has 12m Apple device IDs (UDIDs), push notification IDs and names of iPhone and iPad users worldwide.

It has also been claimed that this data came from an FBI computer, although this has been denied by the FBI.

AntiSec made 1m of the names on the list available to decrypt and upon decrypting the data ESET says it has discovered a large number of very Irish names on the list, including such names as Daithi, Ciaran, Cira, Padraig, and Padraic, along with recognisable family names like Haggerty, Doyle, O’Byrne, Murphy, Lafferty, etc.

“The information itself could theoretically be used to access iPhone and iPad apps from locations other than the owner’s device, so it depends on the sort of apps someone uses to determine what sort of damage that can cause to them,” ESET’s Urban Schrott explained.

“With some skill, attackers could retrieve the users’ geolocation, access their contact lists, log into their Facebook or Twitter, read their chats, etc.

“But even more concerning than the potential abuse of leaked UDIDs is the fact that someone, whether that was FBI or anyone else, is collecting and storing lists of IDs that should not be public knowledge. If AntiSec got it from the FBI or from other hackers, the fact remains, your name could be on the list, and your Apple device could be compromised without you knowing about it. And if that is the case, then there is definitely reason to be worried.

“Since the leak, users worldwide have been scrambling to ascertain whether or not their devices have been compromised. In light of this, a number of sites have since popped up offering the user the ability to check their UDID against the leaked information. We strongly advise against this, as verifying just who is behind any such site and what they do with your UDID once you willingly give it to them is next to impossible,” Schrott warned.

UPDATE: It has since come to light that the leaked data came from BlueToad, a digital publishing company.

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years