A hacker group called AntiSec said it has compromised 12 million Apple iOS Unique Device IDs (UDIDs) and personal information from Apple product owners — and there’s a good chance your iPhone, iPad or iPod Touch devices could be at risk.
An Apple Unique Device Identifier (UDID), a sequence of 40 letters and numbers specific to an Apple device, doesn’t contain much information by itself, but when coupled with other information such as iTunes passwords, billing addresses and payment data, it could pose some risks for users.
AntiSec allegedly posted one million of the hacked IDs on the site Pastebin, along with a detailed description of how the hackers allegedly obtained the IDs from the FBI. The hackers said the data was taken from the laptop of an FBI staffer.
“During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java, during the shell session some files were downloaded from his Desktop folder one of them with the name of ‘NCFTA_iOS_devices_intel.csv’ turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc,” claims AntiSec.
It’s uncertain at this time what, if true, the FBI and the DOJ were doing with 12 million UDIDs. Note: The FBI has since denied that it was hacked and said it never obtained any files with Apple UDIDs.
According to a spokesperson for password security firm LastPass, identity theft could result from the situation.
“The biggest concern is that the Pastebin indicates that UDID, user name, name of the device, push tokens, zipcodes, cell phone numbers, address were part of the original leak. That’s not what was publicly posted, but it’s clear that user data is floating out there,” LastPass said. “Knowing this personal information, what Apple devices you have and their IDs, the most immediate concern is identity theft.”
Another possible threat is social engineering: “If someone knows you have an iPhone and has your cell phone number, address, the UDID of your device, a phone call from a person purporting to be from Apple with information only Apple should have asking for even more information could be an issue,” LastPass said.
As of May 2012, under a policy originally announced in September 2011, Apple started rejecting apps that keep track of devices via their UDIDs due to security concerns. This means that the risk has tapered off significantly in the past few months.
“Since AntiSec removed all the personal data from the data they released, this hack doesn’t present much risk to end users,” said Andrew Storms, director of security operations for nCircle, a compliance auditing firm that works with companies such as Facebook and Mastercard. “UDIDs in isolation aren’t a big deal. In fact, Apple used to permit apps to spew UDIDs all over the place, so there’s a lot of UDID data already in the public domain. For a while, there were a lot of apps using UDID and personal data to track users’ activity and selling it to advertisers.”
The good news is that it’s easy to check if your Apple product is among those compromised. First, you will need to learn your Apple device’s UDID. To do so, plug your device into your computer and launch iTunes. On the left side of the screen, the device should pop up; click to open it. Specs such as iPhone name, capacity and a serial number should appear. Clicking on the serial number should make the UDID appear. The website WhatsMyUDID.com has a graphical tutorial for those who are confused. Users can also download various apps in the App Store to find and email their UDID.
Want to see if you’re affected? LastPass has set up a secure tool that allows you to check to see if your iPhone UDID information was among the one million leaked.
To check, click here. However, if your device’s UDID doesn’t pop up, it could still be among the other millions compromised and not posted online. Users can also search for their device by entering the first five digits of the UDID on this site.
But according to Storms, you may be out of luck if your device’s UDID has been leaked: “If your UDID has been leaked in this hack, there’s not much you can do unless you want to spring for a new phone,” Storms told Mashable. “It’s pretty likely that your UDID is already in the public domain.”
Meanwhile, LastPass advises that if your Apple device ID was on the list, “you should strongly consider signing up for a credit monitoring service.”
UPDATE: This story has been updated to include a tool from LastPass.com, a secure password protection firm, as well as quotes from a spokesperson.