FBI denies it was responsible for Apple ID leak

Summary: The FBI is claiming that it has nothing to do with the leaked list of over a million Apple device IDs, because it never had the information to begin with.

TOPICS: Security, Apple

The FBI is disputing a hacker group's claim that it stole personal identification data of more than a million Apple device owners from an FBI agent's laptop.

Apple has not yet responded to repeated requests for comment, but the FBI has said that it never asked for and never possessed the list that the group, which is affiliated with the AntiSec movement, has posted on a website.

The group released a link to a text file containing more than a million Apple device identification numbers.

The identification data includes Apple devices' Unique Device IDs (UDIDs), which New Zealand coder and security consultant Aldo Cortesi has repeatedly warned are a ticking privacy time bomb. According to Cortesi, many iOS applications regularly send UDIDs to servers on the internet, often over insecure communication channels.

Cortesi's own experiments found that many companies, especially those in the social gaming ecosystem, are misusing UDIDs in ways that could result in serious privacy breaches. During one of his experiments, he found that certain social gaming sites would let an attacker log in with knowledge of a stolen UDID alone.
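As an added illustration of the login weakness Cortesi describes (this is constructed example code, not code from the article or from any of the companies it refers to), the Python sketch below puts a server that accepts a UDID as the entire credential next to an assumed hardened design in which the UDID is only a lookup key and the device must prove possession of a per-device secret in a challenge-response. The class names, the account record and the 40-character SHA-1 hex value standing in for a UDID are all constructed for the example.

```python
import hashlib
import hmac
import secrets


class UdidOnlyLogin:
    """Weak pattern described in the article: the server treats the UDID as
    the whole credential, so a leaked UDID list is effectively a leaked
    password list."""

    def __init__(self):
        self.accounts = {}  # udid -> account record

    def register(self, udid, account):
        self.accounts[udid] = account

    def login(self, udid):
        # Whoever presents a known UDID is logged in; nothing secret is checked.
        return self.accounts.get(udid)


class DeviceKeyLogin:
    """Hardened form (an assumed design, not from the article): the UDID is
    only an index. A random per-device secret issued at enrolment must answer
    a fresh server nonce, so a UDID on its own authenticates nothing."""

    def __init__(self):
        self.accounts = {}     # udid -> account record
        self.device_keys = {}  # udid -> 32-byte secret
        self.pending = {}      # udid -> outstanding nonce

    def register(self, udid, account):
        key = secrets.token_bytes(32)
        self.accounts[udid] = account
        self.device_keys[udid] = key
        return key  # handed to the device once, over TLS, stored in its keychain

    def challenge(self, udid):
        nonce = secrets.token_bytes(16)
        self.pending[udid] = nonce
        return nonce

    def login(self, udid, response):
        nonce = self.pending.pop(udid, None)  # each nonce is single-use
        key = self.device_keys.get(udid)
        if nonce is None or key is None:
            return None
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return None
        return self.accounts[udid]


def device_answer(key, nonce):
    """What the genuine device computes from the secret it holds."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def run_scenario():
    """Return (weak_login_with_udid_only, hardened_login_with_udid_only,
    hardened_login_from_real_device) so the difference is visible."""
    # Constructed stand-in for a UDID: 40 hex characters, like the real ones.
    udid = hashlib.sha1(b"constructed device").hexdigest()
    account = {"player": "alice"}

    weak = UdidOnlyLogin()
    weak.register(udid, account)
    weak_result = weak.login(udid)  # the UDID alone is enough here

    hardened = DeviceKeyLogin()
    key = hardened.register(udid, account)

    # A party that knows the UDID from a leaked list but not the device key
    # cannot produce the expected answer to the nonce.
    nonce = hardened.challenge(udid)
    wrong_answer = hmac.new(b"", nonce, hashlib.sha256).digest()
    udid_only_result = hardened.login(udid, wrong_answer)

    # The enrolled device, holding the key, still logs in normally.
    nonce = hardened.challenge(udid)
    real_result = hardened.login(udid, device_answer(key, nonce))

    return weak_result, udid_only_result, real_result


if __name__ == "__main__":
    print(run_scenario())
```

The point of the hardened variant is that the identifier stays useful for indexing without ever being treated as a secret: losing the UDID list costs privacy (accounts can be correlated) but not authentication, whereas the weak variant loses both at once.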

"Some of the companies mentioned in my posts still have unfixed problems (they were all notified well in advance of any publication)," Cortesi wrote on his site yesterday.

"When speaking to people about this, I've often been asked 'What's the worst that can happen?' My response was always that the worst case scenario would be if a large database of UDIDs leaked ... and here we are."

Michael Lee

About Michael Lee

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state government initiatives, and local startups.

  • It's not denial

    It's a non-denial denial... Look at Wikipedia for that...
  • Peering into the fractal

    If we bother to read about the security consultant's work, what we find is that Apple had an API, now deprecated, that would return an ID unique to the machine. By itself this is nothing more than a long hex string; there is no data coded into it. It's no more -- and no less -- scary than a browser cookie.

    The security comes when application developers -- the consultant especially points the finger at social gaming outfits -- and analytics firms tie this ID to actual personal identity data. One outfit, for example, had an API that would return a link to your Facebook page if presented with your UDID. They shouldn't do that, Apple told them not to do that, but this is the real world where people are lazy so they used the UDID API to grab a handy user handle. In hindsight Apple should have seen that coming. Apparently they didn't.

    This is also the real world where we have seen that the ad trackers and the analytics guys, if deprived of cookies, will find all sorts of ingenious new ways to track and analyze us. And so it will be here. The UDID API is going away, it won't be in iOS 6, but anybody who thinks that the trackers and the analysts are just going to say, "Oh, OK, we'll just go out of business" is smoking rope.

    The security issue isn't 32-character hex strings. It's databases. Take away a convenient way to populate a key field, and they'll find a slightly less convenient key.
    Robert Hahn
  • Some careful wording there

    "The FBI is aware of published reports alleging that an FBI laptop was compromised and private data regarding Apple UDIDs was exposed," said an FBI spokesperson. "At this time there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data."


    There is a curious anecdote involving the FBI and how they feel about these "hacktivists," especially Anonymous, in an Australian TV investigative report titled "Sex, Lies and Julian Assange." See: http://www.abc.net.au/4corners/stories/2012/07/19/3549280.htm

    Fast forward to the 36:00 mark to get to the curious bit in question.
  • Would you believe Eric Holder?

    Fast & Furious denial, huh...
    Cylon Centurion
    • Please....

      Find a way to "chock yourself out" and make no effort to revive yourself. Seppuku is an honorable way to go for the likes of you.
      • I wouldn't dream of doing that, Cabal

        After all, what would you do around here without me, hmm?

        Cylon Centurion
    • No I wouldn't, I think he's a racist

      and a liar. And I think his virtually ignoring if not covering up the security leaks in the White House is probably even worse than Fast and Furious. That said, the DOJ isn't the FBI.
      Johnny Vegas
    • Not exactly comparable

      Fast & Furious was part of a complicated overall operation to track and control gun running that ended up being parsed out and then grossly politicized and lied about by Congressional Republicans like Darrell Issa and Charles Grassley. Whatever you may have heard or read about it bears virtually no resemblance to reality.

      This Anonymous thing seems more like an embarrassing hack. As far as tracking smartphone users, that's being done by both companies and governments, and has been for a while. If you use a smartphone, you will be tracked in some way, whether for just marketing purposes or for big brother surveillance.
      • JustCallYouBS

        That's a good name for you.
        Cylon Centurion
        • Someone needs Google training

          As well as a spanking. Pray tell -- how am I incorrect? Be aware, though, that I won't be kind when you fail to come up with a coherent, reality-based answer.
          • Because your partisanship shows, JustCallYouBS

            Don't you know it's bad form to do that?

            Cylon Centurion
          • Typical internet pinhead and d-bag

            When asked to put up or shut up, you useless fools either dummy up or dummy out with some random BS. The bottom line is that you have nothing to offer because you don't know anything due to being hopelessly clueless or being just too willfully ignorant to look things up (if you knew how to look things up, that is.)
          • And your petulant response

            Was just what I was hoping for.

            Cylon Centurion
          • And your chickensh*t response

            Is what everyone expected.
      • F&F

        The two whistleblower ATF agents that broke the story weren't lying.