September 10, 2012

Apple UDID Hackers Lied (Apparently)

Michael Harper for — Your Universe Online

Last week, an arm of hacking collective Anonymous claimed they used a Java exploit and hacked into an FBI agent's Dell computer, thereby lifting around 12 million Apple UDIDs, or unique device identifiers. In an apparent attempt to publicly shame the FBI, AntiSec released 1 million of these UDIDs, which were stripped of all personal information, to the Internet for perusal by other hackers.

The next day, both Apple and the FBI denied having any knowledge or participation in the alleged leak of these UDIDs, calling the credibility of the hackers´ story into question.

Today, an app publishing company has stepped forward and accepted the blame for the leak, creating even more confusion and questions about AntiSec´s story which is becoming increasingly riddled with holes.

Speaking exclusively with NBC News, Paul DeHart, CEO of BlueToad Publishing has said his company suffered an attack two weeks ago wherein these 12 million UDIDs were compromised. To confirm the leak had originated with the publishing company, technicians had downloaded the leaked data which was made freely available and compared it to the UDIDs which had been stolen from their database. This analysis found a 98% match between the two sets of UDIDs.

"That's 100 percent confidence level, it's our data," said DeHart, speaking with NBC´s Kerry Sanders.

"As soon as we found out we were involved and victimized, we approached the appropriate law enforcement officials, and we began to take steps to come forward, clear the record and take responsibility for this.”

DeHart became aware that the leak may have originated with his company last week when an outside researcher had confronted him, saying he suspected these UDIDs may have originated at BluToad. After performing the forensic analysis, it was discovered the data had been stolen in the past two weeks.

“I had no idea the impact this would ultimately cause,” DeHart continued. “We're pretty apologetic to the people who relied on us to keep this information secure."

Though DeHart said they don´t yet know who took the data, he isn´t ruling out the possibility that the UDIDs could have landed on an FBI laptop at some point.

Of course, this creates even more questions about this alleged attack and AntiSec´s motives. Though it shouldn´t be surprising to anyone that hackers who have stolen private and personal information would lie about the data´s origins, many have been questioning why the FBI has this information and how they got it in the first place.

In their original diatribe, an AntiSec spokesperson (presumably someone who carried out the attack) said the information was stolen from a specific FBI Agent´s Dell laptop in March. According to DeHart´s admission, the timeline seems a bit askew.

The hackers had originally claimed they stole this information to shed light on the FBI´s own security flaws, saying: “We decided we´d help out Internet security by auditing FBI first. We all know by now they make Internet insecure on purpose to help their bottom line.”

On Friday, AntiSec posted another poorly spelled missive riddled with errors in which they rejected the FBI´s calls for proof that they had, in fact, stolen the UDIDs from an agency laptop.

“Also, omg men. ofc we targeted the agents cause we knew them and they were after us and we wanted revenge,” writes a spokesperson for the hacking group.

“What kind of stupid argument is that against the hack??”

When this story was first released, many had questioned if the FBI was storing these UDIDs to track iPhone users.

App developers once used these UDIDs to track individual devices for analytics and other purposes. Later, some developers began using these UDIDs to sell targeted ads to iPhone users, causing Apple to restrict UDID access to developers. Now, in iOS 6 (which could be available next week) Apple is moving even further away from the use of UDIDs, asking developers to come up with their own, unique ways to keep track of devices.