The Great UDID Hacker Cache: What's the Big Deal?

Friday, September 07, 2012

Rafal Los


I'm sitting here in London tonight reading through as much as I can about this issue with the supposed hacking of a Federal Agent's (FBI)  computer to copy off a file which supposedly contains 12 million UDIDs for Apple iDevices, including supposedly tons of personal information that hasn't yet been posted.

Notice the word supposedly 3 times... 

If you want to read the original post from the supposed hacker group Anti-Sec you can do so on pastebin here, while it's still up:  I'm breaking my own rule of disseminating hacked information because this specific case is an interesting case study in psychological aspect of information security... and there doesn't appear to be anything 'sensitive' in that post.

I don't know what the truth here is... and I suspect we may never actually get real confirmation if this was pulled from a Federal Agent's laptop, or from some server somewhere... but the possibilities are tantalizing.  

This story is interesting on a few fronts, most importantly, I think, is the psychological impact this has on the already tenuous between people and government, and what it does to the normal user...

For giggles I looked through the Apple support forums and people are genuinely concerned - now in "massive numbers" granted, but it's still interesting:

One person on the Apple support forums (a user) even goes on to suggest a drastic response: "Change your email and all account information as soon as possible, including your AppleID, and banking and financial institution logins, and any social networking accounts as soon as possible."  

Whoa!  How did he make that stretch?  or does he know something the rest of us don't know about the UDID cache released?

I asked on Twitter (since I'm not an Apple expert) what could be done with the UDID of a device, and two colleagues - @hrbrmstr [b] and @darthnull quickly chimed in with some very helpful information... @Marknca also contributed a post that I think is worth reading from @Cortesi... more interesting data.

OK, so somewhere there is supposedly 11 million more UDIDs with this (from the pastebin site):

"There you have. 1,000,001 Apple Devices UDIDs linking to their users and their APNS tokens. the original file contained around 12,000,000 devices. we decided a million would be enough to release. we trimmed out other personal data as, full names, cell numbers, addresses, zipcodes, etc. not all devices have the same amount of personal data linked. some devices contained lot of info. others no more than zipcodes or almost anything. we left those main columns we consider enough to help a significant amount of users to look if their devices are listed there or not. the DevTokens are included for those mobile hackers who could figure out some use from the dataset."

How nice of the hackers to not release this information to the general public, maybe they have a conscience?  Or maybe it's not there to show... I guess we have to assume the worst?

So why am I calling this a psychological operation?  As far as I can tell from digging and talking to people who would know - the UDID is just a tracking mechanism... to link a device to a person.  The fact that this has stirred such a sentiment against an agency of the federal government at a time when distrust of government is already high... that's suspect.  

Whether this data was actually hacked from an FBI agent's laptop is almost immaterial at this point, the public paranoia is running rampant... and the general public (people who wouldn't know better) are misinformed and running based on false assumptions and misunderstanding - this is always dangerous.

So whether the information on 12 million iDevice users exists in some file out there in the hands of hackers, and whether it was hacked off of an FBI agent's laptop or gathered in some other way - for example from an exploit of OpenFeint or Angry Birds servers - the fact is that the public has been fed a tantalizing piece of information and the pot has been stirred.  

Where will this go?  Only time will tell...

Cross-posted from Following the White Rabbit

Possibly Related Articles:
Information Security
Apple Passwords FBI Hacktivist breach Tracking psyops UDID
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.