Last week, hacker group Anonymous released 1,000,001 iDevice UDIDs that they claimed came from a hacked FBI laptop. The FBI was quick to deny the hack, and Apple also denied giving the UDIDs to the FBI.
A company has come forward and apologized in the matter; it seems that Anonymous lied about where they obtained the UDIDs. Instead of an FBI laptop, they acquired the UDIDs from BlueToad, a small mobile publishing company.
BlueToad determined it was the “victim” by comparing its database of UDIDs with the set released by Anonymous. The company found a 98 percent correlation between the two sets.
Paul DeHart, CEO of BlueToad, said that gave the company a “100 percent confidence level [that] it’s our data.” DeHart added,
“As soon as we found out we were involved and victimized, we approached the appropriate law enforcement officials, and we began to take steps to come forward, clear the record and take responsibility for this.
“I had no idea the impact this would ultimately cause. We’re pretty apologetic to the people who relied on us to keep this information secure.”
According to DeHart, the first suspicions of the BlueToad hacking didn’t come internally, but from an outside researcher named David Schuetz, who suggested the data might have been stolen from BlueToad. A forensic analysis has shown the break-in occurred “in the past two weeks.” Saying that an investigation is still ongoing, DeHart declined to provide further details.
Schuetz, who works for the Intrepidus Group, a New York-based mobile device security consulting firm, said that he found numerous devices within the UDID list which had names that included the phrase BlueToad or variations of that, such as “BlueToad support” or a department within BlueToad.
“What I was seeing was that there were – of the million devices that were in there – there were a few devices that showed up multiple times with themes that were related to BlueToad. By the time I was done, late Tuesday night, I think I had 19 devices that … all belonged to BlueToad.”
Schuetz contacted BlueToad shortly thereafter.
Last year, Apple said that it would begin deprecating the ability for developers to access UDIDs, unique numbers that can be used to identify a specific device. Recently, it was reported that the company had begun rejecting submissions to the App Store that accessed UDIDs.
BlueToad no longer uses UDIDs in its software, DeHart said, and current versions of its software don’t collect them.
Why would Anonymous lie about the source of its UDID database? The reason seems clear: since Anonymous and partner LulzSec are participating in the AntiSec anti-corrupt government / anti-big business campaign, it makes perfect sense that the hacker group would attempt to attribute secret UDID access to the FBI.