Apple UDIDs leaked by Anonymous came from Florida firm, not FBI

Summary: Apple didn't cough up its users' device unique identifier codes to the FBI, nor did the FBI's poor security lead to the codes leaking to the Web. Apparently -- get this -- the hackers lied.


A small Florida-based publishing firm told NBC News in an exclusive interview that it was in fact the source of the million-record database of unique Apple device identification numbers that were leaked by hackers associated with Anonymous last week.

The Apple UDID leak affected more than 1 million iPhone and iPad users. Image credit: CNET.

The admission by the publishing company's chief executive, BlueToad's Paul DeHart, contradicts claims made by the hacktivist collective that it stole the codes from the U.S. Federal Bureau of Investigation, and exonerates Apple from claims it gave the device codes to the federal law enforcement unit.

DeHart said there was a "98 percent correlation" between its own database of device codes and the ones leaked by the hackers on September 3.

"That's 100 percent confidence level, it's our data," DeHart told the news agency. 

To recap:

AntiSec hackers, a loose-knit group associated with the wider Anonymous collective, claimed last week that they had pilfered more than 12 million Apple iPhone and iPad device identifiers from an FBI laptop. The group then posted 1 million and one device codes to Pastebin, a site often used by hackers to share exploits and by developers to share code.

iPhone and iPad unique device identifiers (UDIDs) are often used by developers for analytics, but they can also be used to identify users through surveillance and arguably put users' privacy at risk.

The FBI swiftly said there was "no evidence" to suggest the data had been stolen from one of the bureau's computers. Questions remained as to whether the FBI was telling the whole story, or whether Apple had handed over the data in response to a law enforcement request.

Normally-secretive Apple, often quiet in the face of controversy, broke its usual silence and said in a statement to AllThingsD that: "The FBI has not requested this information from Apple, nor have we provided it to the FBI or any organization."

The Cupertino, CA-based technology giant also said it would do away with UDIDs in the next-generation iPhone and iPad software and would "soon be banning the use of UDID" by developers.

At that point it was, "he said, she said." Nobody knew where the data had come from. Until now.

DeHart said an outside researcher alerted the publishing firm that the data may have come from BlueToad, an app-building company that provides its services to 6,000 publishers. The company then alerted law enforcement.

He said, "we began to take steps to come forward, clear the record and take responsibility for this," adding that he was "pretty apologetic" to the people who relied on the firm to keep the data secure.

An Apple spokesperson told NBC News that while, "developers do not have access to users' account information, passwords or credit card information, unless a user specifically elects to provide that information to the developer," a company such as BlueToad, "would have access to a user's device information such as UDID, device name and type."

BlueToad said in a public statement that it has "fixed the vulnerability" and is working to ensure that another breach doesn't happen. The firm is working with "an independent and nationally-recognized security assurance company" to assist its efforts.

So there are two things we know: Apple and the FBI are back on the Christmas card lists of the general public, and hackers apparently lie. Who knew? 

  • Interesting

    So Apple did not give this information up. Imagine that. I wonder if Toddbottom will admit to being wrong...
    • and we should believe this?

      Sorry, I am having some serious doubts from all sides.
      Something is just too "cozy" with this.
      • I can't resist this - got that conspiracy theory tin foil cap on, Rhonin?

        Occam's razor conjecture comes into play here, rhonin. Which public statements from all the pertinent parties are easier to believe or put another way, who would have the least to lose if their statements to date were proved to be outright lies?
        • Oh God, not that lazy "debunking" device again!

          Like the unaccountable to the free market government is the most competent organization ever. The simplest answer IS that the government is incompetent!

          Occam's razor is a wrist-slitter!
        • I can't resist this - got that conspiracy theory tin foil cap on, Rhonin?

          This is the biggest problem in today's age.
          No matter what when we cast a doubt on the so called truths that are being fed to us we are called "NUTS". We are fed a daily diet of lies and deceit and when we call the kettle black we are instantly labeled a conspiracy freak.
          Let's put it this way. What has the Government or Corporations given to us to make us believe anything they say. If the Government or Corporation told us the truth all the time then we would not be waiting decades to find out who killed JFK.
          The way it is now more than half of the North American population believes that the twin towers were brought down by two aircraft. An impossibility to be sure.
          But as soon as we say it was brought down by demolition charges we are called "Conspiracy Theorists"
          Well guess what. All the gold was removed from the towers and all the people with Jewish faith were called and told not to go to work that day.
          I guess that is called "Conspiracy Theory too"
          • what has Anonymous given me?

            I've gotten nothing but arrogance and hostility from Anonymous- nothing to make me believe in them.

            I'm more inclined to believe in corporations and government because it is made up of the people I relate to and I do wish to advance in their structure. I've been told more than once that I am stupid to think I can improve my position in life or that doing so is a good idea.

            Of course the twin-towers could have been done with demolition charges, but I haven't seen enough "proof" for me to question what is on the TV. If people don't believe it just might be the way evidence is displayed. If you want to do any finger-pointing then do so to the believers who apparently don't know how to communicate with the rest of us.
            Dave Keays
          • Disgrace

            "Well guess what. All the gold was removed from the towers and all the people with Jewish faith were called and told not to go to work that day.
            I guess that is called "Conspiracy Theory too""

            It never ceases to amaze me how quickly bigoted people will jump on positions that support their viewpoints. This was debunked in 2001 Amiga5.
        • It may or may not be a tin foil hat issue.

          First off, did someone actually say, or someone with the authority to do so, admit that Apple gave anything to the FBI?

          I recall quickly reading the original article, it didn't strike me, at least not in my quick read of it that there was evidence Apple willingly gave FBI a bunch of information.

          I could be wrong on that.

          The fact is, nothing has been said yet from what I can see that says with any certainty that the hackers DIDN'T get the info off an FBI laptop.

          All that has been said is that the information released is 98% in line with what a small Florida-based publishing firm had in their data base which does imply that the data the hackers obtained has at least a connection to that source.

          Also, I don't recall the FBI making any statement that the data was never in their possession and therefore could not have come from them, although Apple has said they didn't give any such information to the FBI. All the situation precludes at that point is that if the information was taken from the FBI, they didn't get it by asking for it from Apple, according to Apple.

          The situation may still possibly exist that if the information was in fact taken from the FBI, that the FBI got it themselves in some surreptitious manner from this company with the 98% match.

          In any event, what is very compelling, that this BlueToad company seems to completely acknowledge they were hacked into, so unless there is some further information that gives some new indication the FBI was involved there seems to be little reason to expect it was.

          I have never heard anything about hackers that indicates they are sticklers for the truth.

          Blue Toad is a slightly unusual company, in some respects as far as web footprint goes if anyone checks.

          Information on history and operations and possible connections to the FBI may be of some interest for those who don't want to get stuck wearing the tinfoil hat.
      • Cozy as in common sense?

        What seems more likely... The FBI's security failed, A mega tech corp was hacked, OR a small developer was hacked?

        Additionally the king is dead, we did land on the moon, and people smelling strangely like a bar drip tray did not actually meet little grey men... Except at AA.

        Seriously though I am surprised by the outcome; I'd just assumed that they got the UDID's from those using the in-appstore theft method, as this would require precious little hacking. This does explain why they didn't have any personal info.

        For me the biggest problem was "we spent months" on some FBI guy's laptop.... Hackers don't get months of access... Forget the films, they're drive by thieves that exploit open doors. For most the only code work they have to do is in making bots and scripts to search for weaknesses.

        The one for your conspiracy theory is that the FBI didn't say they don't monitor this kind of data, just that it didn't come from them.
      • I said from the beginning that we only had the hacker's word

        he stole them from the FBI.

        Pretty convenient way of making people think that the FBI is really investing all this time and effort to spy/track everyone.
        It also throws Apple in a bad light, as now that hacker has people believing that Apple's in with the FBI.
        It also gets people thinking this guy is that good that he can easily hack the FBI.

        Why would you trust the hacker, anyhow? He's a criminal, so how far can he be trusted?
        William Farrel
        • All good points, Will

          I never commented on the original post about this matter. But I was surprised how many pundits thought the FBI and Apple were cooperating with one another over this issue. Especially since Apple has disavowed UDID tech for their next iOS version due out shortly (as this article pointed out but has been known about long before this incident came to light.)
          • Apple Sales Pitch

            If somebody wants to actually use the sufficiency principle they need to add cui bono-- who benefits?
            The only party who benefits in all this is the Apple sales force, which now can say "why" 5 million i-sheep need to buy new devices.
            gabriel bear
        • Will Farrel??

          Wait, Will Farrel reads ZDNet? Awesome! I'm such a big fan!
        • Deception

          Perhaps the hacker was trying to bring attention to the electronic invasion of our privacy. Perhaps he was working with the FBI to provide a distraction from privacy encroachment. Perhaps he sold the data to several people with a promise of exclusivity and made it public to have an excuse for the lack thereof.

          Or perhaps it doesn't matter why it happened. What matters is that the data is available when it most certainly shouldn't be. While we're here discussing what didn't happen, businesses and governments are busy stripping individual privacy, even though they have the right to construct supranational laws behind closed doors. Yet somehow the people dubbed "criminals" generally aren't the rich businessmen and/or politicians. Something seems very wrong with this pattern.
        • Not all criminals are criminals...

          Just made to seem as a criminal. Keep an open mind and take this stuff with a grain of salt for some flavor. Everyone lies (tell part truths) and the US government along with other governments and its agencies do as well.

          To that watch the last 5min of this.

          98% of groups in the world have hidden agendas. Couldn't it be a possibility that the FBI and Apple have some form of open communication (think about that thing google, att, facebook and apple signed up for that allows certain US government agencies to sift through the data looking for "terrorist")

          Open your eyes.
          Free Webapps
          • Last Resort....

            Looks like one hell of a series! :O
          • hidden agendas

            I would say the number is closer to 100% and that Anonymous is included.
            Dave Keays
    • What was I wrong about?

      I wonder if athynz will admit to being wrong...
    • What? Dishonest hackers?

      I don't believe it. Kudos to BlueToad for stepping up and saying "We got robbed, but we are trying to fix it."
  • Maybe

    Equally possible is that BlueToad gave the db to the FBI who promptly lost it. BlueToad admits "losing" the data, it gets a little publicity, the FBI looks good, and we move on.

    Unless Anonymous comes back with damning details contradicting this version of events...