If I sound confused it’s because I just saw my wife’s iPhone and iPad in a very strange place: a million line spreadsheet of iOS device data that includes the unique identifiers of her devices and the names she had given them, published by a group of hackers who call themselves AntiSec. This group claims it got this data, and a whole lot more, from the laptop of an FBI agent. Confused? Allow me to explain as best I can in these very strange circumstances, starting with a heavily redacted screenshot of my wife’s iPhone record (fans of Inspector Clouseau may appreciate her spelling of iPhone):
[Update: A spokesperson for Apple has stated that the company did not provide this information to the FBI and the FBI has never requested this data from Apple. See news as reported by AllThingsD. Apple also pointed out that "with iOS 6 we introduced a new set of APIs meant to replace the use of the UDID and will soon be banning the use of UDID."]
First let me be clear that I have seen no evidence that Apple’s corporate security or iOS device security has been breached in this incident, or that Apple has done anything wrong. Indeed, Apple might be one of the victims here, finding its name linked to hacking and exposed records.
Second, I see no immediate danger from the publication of these million records by this particular group of hackers. I don’t see how you could use the data that has been published to commit fraud or identity theft. The worrying thing is that the hackers say there is a lot more data where this came from, namely a file containing not one million but 12,367,232 device records, some of which include not just the UDID but also personally identifiable information like device owner name, address, and phone number.
Where did this data come from? Speculation is rampant but independently confirmed facts are few. Yesterday the FBI denied that it was the source of the file. About the only thing I know for sure is that details of my wife’s devices are “out there” along with other information about her, and I’m not feeling good about that.
What do I mean by “out there”? The hackers have published 1,000,001 records which anyone can download (the instructions, and the statement that accompanied the publishing of the records, are on PasteBin). I downloaded the million records and found my wife’s devices were among them. The hackers did not publish any of her personally identifiable information, such as name, address, phone number, and postal code; but they claim the large file that they have “obtained” does contain such information for at least some of the more than 12 million devices that it lists.
(If you own an iPod, iPad, or iPhone you might be wondering if your device is among the million. The good folks at LastPass have provided a web page that shows you how to check.)
Right now I am not too concerned that this particular group of hackers has the data. They seem determined to use it to make a point, not a profit. But I am very concerned that before they found it, this data was apparently sitting around in a file that was not well protected. And I am very curious as to where it came from. So far, we don’t have many clues, although the size of the database might be one. Based on what AntiSec claims, the file probably takes up more than a gigabyte of disk space. We’re talking 12 million devices, one out of every 30 or 40 iOS devices in use today (as far as I know, over 400 million iOS devices have been sold).
Of course, the interwebs are abuzz with speculation about government surveillance, but the file could also be from an ad agency or data broker (until Apple stopped them about a year ago, some apps transmitted UDIDs and other data for commercial purposes). We will refrain from speculation and let you know when some actual facts come to light. Thankfully, there’s no need to panic, as far as I can see the security of our iOS devices is not threatened by this turn of events.
Author Stephen Cobb, We Live Security