Earlier this year, Apple started rejecting applications that called on unique device identifiers (or UDIDs). The move came amidst privacy and security concerns, as several apps were found to be misusing the information.
Tonight, those concerns multiplied as the hacking group known as AntiSec announced that it had acquired more than 12 million device IDs from a recent FBI hack. And they’ve just released a million of them…
“During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java, during the shell session some files were downloaded from his Desktop folder one of them with the name of ‘NCFTA_iOS_devices_intel.csv’ turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc. the personal details fields referring to people appears many times empty leaving the whole list incompleted on many parts. no other file on the same folder makes mention about this list or its purpose.”
Of the 12.3 million Apple device IDs discovered, AntiSec only published a million or so to call attention to the issue. They say they’ve deleted most of the personal data from the file, but left enough that users could check whether their devices were listed. MacRumors says that it has confirmed that the UDIDs are legitimate.
So, should we be worried? Not necessarily. Outside the main question of “what in the world is the FBI doing with a list of more than 12 million UDIDs,” there’s not much at risk here. Generally, UDIDs are harmless by themselves. But if the conditions are right, they can be linked to things like Facebook and Twitter accounts.
The hackers finish their rant by saying “We never liked the concept of UDIDs since the beginning indeed. Really bad decision from Apple. fishy thingie” — echoing the thoughts of several other security experts in the Apple community. It’ll be interesting to see what comes of this leak, and if Apple or the FBI will have anything to say.
Ok conspiracy theorists, why do you think the FBI had a list of UDIDs?