Last Updated on Tuesday, 04 September 2012 18:53 Published on Tuesday, 04 September 2012 18:53
A hacker group called AntiSec said it has compromised 12 million Apple iOS Unique Device IDs (UDIDs) and personal information from Apple product owners — and there’s a good chance your iPhone, iPad or iPod Touch devices could be at risk.
Apple Unique Device Identifiers (UDID) — which is a sequence of 40 letters and numbers specific to an Apple device — don’t contain too much information by themselves, but when coupled with other information such as iTunes passwords, billing addresses and payment data, it could pose some risks for users.
AntiSec allegedly posted one million of the hacked IDs on the site Pastebin, along with a detailed description of how the hackers allegedly obtained the IDs from the FBI.
“During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java, during the shell session some files were downloaded from his Desktop folder one of them with the name of ‘NCFTA_iOS_devices_intel.csv’ turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc,” claims Antisec.
It’s uncertain at this time what the FBI and the DOJ were doing with 12 million UDIDs. The FBI declined to comment on the matter.
As of May 2012 — and originally announced in September 2011 — Apple started rejecting apps that keep track of devices via its unique UDID due to security concerns. This means that the risk has been significantly trickled off in the past few months.
“Since AntiSec removed all the personal data from the data they released, this hack doesn’t present much risk to end users,” said Andrew Storms, director of security operations for nCircle, a compliance auditing firm that works with companies such as Facebook and Mastercard. “UDIDs in isolation aren’t a big deal. In fact, Apple used to permit apps to spew UDIDs all over the place, so there’s a lot of UDID data already in the public domain. For a while, there were a lot of apps using UDID and personal data to track users activity and selling it to advertisers.”
The good news is that it’s easy to check if your Apple product is among those compromised. First, you will need to learn your Apple device’s UDID. To do so, plug your device into your computer and launch iTunes. On the left side of the screen, the device should pop up — click to open it. Specs such as iPhone name, capacity and a serial number should appear. Clicking on the serial number should make the UDID appear. The website WhatsMyUDID.com has a graphical tutorial for those that are confused. Users can also download various apps in the App Store to find and email their UDID.
Want to see if you’re affected? Password security site LastPass has set up a secure tool that allows you to check to see if your iPhone UDID information was among the one million leaked.
To check, click here. However, if your device’s UDID doesn’t pop up, it could still be among the other millions compromised and not posted online. Users can also search for their device using the first five digits of the UDID using this site.
But according to Storms, you may be out of luck if your device’s UDID has been leaked: “If your UDID has been leaked in this hack, there’s not much you can do unless you want to spring for a new phone,” Storms told Mashable. “It’s pretty likely that your UDID is already in the public domain.” [mashable]