Why the Apple, FBI and AntiSec UDID debacle won't go away
The publishing of 1 million anonymized Apple UDIDs allegedly found on an FBI agent's computer brought AntiSec's actions front and center. With denials from Apple and the FBI, you might think it's over. Not so fast.
Hacktivist collective AntiSec kicked off the week by(Unique Device Identifiers) including device types and associated usernames, saying it was part of a 12 million large database that they'd snagged off an FBI agent's computer.
Online, techies scrambled to, and look for clues as to where the alleged larger collection might have come from.
The FBI waited until the end of the day to issue an uncharacteristic, slightly sophomoric Tweet calling AntiSec's allegation TOTALLY FALSE and an oddly worded statement saying, "At this time there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data.
Despite online calls for a statement and headlines virtually everywhere you looked, Apple waited until the next day to acknowledge the event people were characterizing as the "privacy catastrophe" linked to Apple. When Apple did finally speak up it told All Things D, "The FBI has not requested this information from Apple, nor have we provided it to the FBI or any organization.
The FBI says there's no proof they were hacked or that they got their hands on the data. Apple says the FBI never asked for it, nor has Apple voluntarily provided it to anyone.
Case closed, right?
Wrong. The data is legit. We're still seeing news outlets question the veracity of the data but if you're paying attention to tech forums, there's no doubt that this is a real database full of real people's current device information. A number of people have found their devices within the one million, as we.
On Hacker News community member Monotoko wrote, "I have found my own UDID - I can confirm these are real UDID's" and mehrshad said, "Sure - me. Both my iOS devices are on this list - confirmed both by name and UDID match."
Interestingly, people claiming UDID matches are from the UK, the United States, Poland, Germany - not just devices located in America, as some may expect.
The app theory
If AntiSec's 12 million claim is true, and the claim of accompanying personal information - twelve million UDIDs with personal data attached to them would likely come from a popular iOS developer.
Mid-afternoon on the day of the leak, AntiSec hinted that the leaked database might be linked to an app.
But hours before, commenters on Hacker News (and other forums) had already suggested that the community there should identify people who are on the list and compare all their installed apps to search for a common denominator.
To this end, Frederic Jacobs created Identifying the Traitor - a short survey where those whose UDIDs were in the AntiSec dump could begin to compare common apps.
Many are wondering if Apple might be able to access data that could assist in revealing where the leaked UDIDs actually came from, and thus help find a path to justice for the millions of its customers now potentially at risk.
Hacker News community member Arasmussen commented:
Apple could probably figure out if this data came from an app developer because I'd bet there's only exactly one app which every single one of those 1,000,001 devices downloaded.
Even if they threw in a few fake rows to mess up the data, they could find the app that has the highest percentage of downloads from that entire data set.
Keep calm and get pwn3d
Another troubling aspect of what can be done with a massive pile of Apple UDIDs came from the security researchers at Crowdstrike - known for their recent breakthrough analysis of commercial surveillance software FinSpy (found in malware).
What Crowdstrike suggests is that (potentially) someone in a possession of large amounts of UDIDs would be able to compile malicious targeted code more easily.
The day of the UDID leak, Alex Radocea, senior engineer of Crowdstrike, made a stunning revelation:
(...) with the release of the alleged UDIDs today, if those do prove to be legitimate devices, there are now over one million targets which can be targeted using the FinSpy Ad-Hoc distribution mechanism coupled with an existing or new exploit/jailbreak.
Apple's privacy disaster?
A release of identifying information via Apple's UDID has been a privacy nightmare scenario that many have talked about and have hoped would never come to pass.
When speaking to people about this, I've often been asked "What's the worst that can happen?" My response was always that the worst case scenario would be if a large database of UDIDs leaked... and here we are.
Apple has depreciated use of UDID and announced that is discontinuing use of UDID altogether moving forward.
Yet the problems with Apple's UDID have been known for a while. Apple has had not one but two lawsuits accusing Apple of knowingly transmitting UDID information to third parties without user consent in violation of privacy laws. Cortesi wrote:
In May 2011, just before its sale to Gree was announced, I showed that OpenFeint was misusing UDIDs in a way that allowed you to link a UDID to a user's identity, geolocation and Facebook and Twitter accounts. I didn't discuss it openly at the time, you could also completely take over an OpenFeint account, and access chat, forums, friends lists, and more using just a UDID.
Many people are asking what exactly they can do now that their Apple UDID information is in the hands of, well, no one knows who's hands the data is in.
Apple has a responsibility to their customers -- and the millions of customers' very real concerns -- that they have not addressed, or even acknowledged.
Apple hasn't said anything to -- or even about -- its customers affected by the UDID catastrophe. If things turn out badly, this may go down as an epic privacy disaster that lies squarely at Apple's feet.
The unanswered questions and potential risk for all involved means that the UDID debacle is far from over.