12 million iOS unique device identifiers (UDID) reportedly hacked from FBI laptop

Over 12 million unique device identifiers (UDIDs), along with related personally identifiable information, for iPhones, iPod touches, and iPads have reportedly been taken from an FBI laptop that was compromised through a Java vulnerability. AntiSec has released 1 million of the UDIDs as proof of the hack, along with a statement that includes the following:

During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team, was breached using the AtomicReferenceArray vulnerability in Java. During the shell session some files were downloaded from his Desktop folder; one of them, with the name "NCFTA_iOS_devices_intel.csv", turned out to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc. The personal details fields referring to people appear many times empty, leaving the whole list incomplete in many parts. No other file in the same folder makes mention of this list or its purpose.

A UDID is a 40-character hexadecimal value that iOS derives from the device's hardware identifiers, so it is fixed for the life of the device and cannot be changed by the user. Developers use UDIDs to register test devices with Apple's developer portal so those devices can run beta versions of iOS and install ad-hoc builds of their apps prior to release. Some developers also used the UDID inside their apps to identify users and their devices, since the iOS SDK exposed it to any app; Apple has now disallowed that practice.

No accounts or passwords appear to have been compromised, and a UDID on its own cannot be used to log in to anything, so for users this is more of a privacy issue than an account-security issue. The catch is that a UDID is permanent: there is no way to rotate, mask, or expire it. Any single persistent identifier, be it a UDID or a cell phone number, when combined with a sufficiently large pool of data and the right kind of analytics, can be used to join otherwise unrelated records into a profile and assess patterns of behaviour.
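The following is an added example, not code from the article, showing concretely why a permanent device-wide identifier is a profiling problem. Two constructed "app logs" (a weather app that recorded UDID and zip code, and an ad SDK that recorded UDID, device name and an ad interest) are joined on the UDID, which produces a profile no single app ever held. The same join is then attempted after each vendor has replaced the UDID with a vendor-scoped identifier, modelled here as an HMAC of the UDID under a per-vendor key; that model is an illustration of the idea, not Apple's actual derivation, and every UDID, key and log line below is synthetic.

```python
"""Added example: cross-app profiling via a shared, permanent UDID, and why a
vendor-scoped identifier defeats the join.  All data below is constructed."""
import csv
import hashlib
import hmac
import io
from collections import defaultdict

# Constructed: analytics export of a weather app that logged UDID + coarse location.
WEATHER_LOG = """udid,zipcode,ts
a1b2c3d4e5f60718293a4b5c6d7e8f9011223344,10013,2012-03-01T08:02:11
a1b2c3d4e5f60718293a4b5c6d7e8f9011223344,10013,2012-03-02T08:05:47
ffeeddccbbaa99887766554433221100ffeeddcc,94103,2012-03-01T17:30:00
"""

# Constructed: a different vendor's ad SDK that logged UDID + device name + an ad interest.
AD_LOG = """udid,device_name,ad_interest
a1b2c3d4e5f60718293a4b5c6d7e8f9011223344,John's iPhone,diabetes-supplies
ffeeddccbbaa99887766554433221100ffeeddcc,iPad,running-shoes
0123456789abcdef0123456789abcdef01234567,Work iPad,none
"""


def parse(csv_text):
    """Parse a CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def build_profiles(*logs):
    """Join every log on its 'udid' column: one dict of attribute sets per identifier.

    Nothing here is clever; the point is that the join key already exists in
    every data set because every app saw the same UDID."""
    profiles = defaultdict(dict)
    for rows in logs:
        for row in rows:
            key = row["udid"].lower()
            for field, value in row.items():
                if field != "udid" and value:
                    profiles[key].setdefault(field, set()).add(value)
    return dict(profiles)


def linkable_ids(*logs):
    """Identifiers that occur in more than one log, i.e. devices that can be cross-linked."""
    seen = defaultdict(set)
    for i, rows in enumerate(logs):
        for row in rows:
            seen[row["udid"].lower()].add(i)
    return {k for k, sources in seen.items() if len(sources) > 1}


def rekey(rows, vendor_key):
    """Replace the global UDID with a vendor-scoped identifier.

    Illustrative model only (not Apple's derivation): HMAC-SHA256 of the UDID under a
    key that each vendor holds privately, so the same device yields different,
    unlinkable identifiers for different vendors."""
    out = []
    for row in rows:
        r = dict(row)
        r["udid"] = hmac.new(vendor_key, row["udid"].lower().encode(), hashlib.sha256).hexdigest()
        out.append(r)
    return out


if __name__ == "__main__":
    weather, ads = parse(WEATHER_LOG), parse(AD_LOG)
    for udid, attrs in build_profiles(weather, ads).items():
        print(udid[:8], {k: sorted(v) for k, v in attrs.items()})
    print("linkable with raw UDIDs:", len(linkable_ids(weather, ads)))
    scoped = (rekey(weather, b"weather-vendor-secret"), rekey(ads, b"ad-vendor-secret"))
    print("linkable with vendor-scoped ids:", len(linkable_ids(*scoped)))
```

With raw UDIDs, two of the three devices can be linked across the logs, and the first device's zip code, device name (which often carries a real first name) and ad interest land in one record. After re-keying, the two vendors' logs share no identifier at all, which is the property a per-vendor identifier buys.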

AntiSec says they released the information to draw attention to what they claim is the FBI's collection of it.

You can read more of AntiSec's statement, and find the list of disclosed UDIDs, via the link below.

Source: AntiSec

Rene Ritchie

Rene Ritchie is one of the most respected Apple analysts in the business, reaching a combined audience of over 40 million readers a month. His YouTube channel, Vector, has over 90 thousand subscribers and 14 million views and his podcasts, including Debug, have been downloaded over 20 million times. He also regularly co-hosts MacBreak Weekly for the TWiT network and co-hosted CES Live! and Talk Mobile. Based in Montreal, Rene is a former director of product marketing, web developer, and graphic designer. He's authored several books and appeared on numerous television and radio segments to discuss Apple and the technology industry. When not working, he likes to cook, grapple, and spend time with his friends and family.

  • Why the hell does the FBI have the UDIDs????????
    Who else has them?
  • THE ENEMY has them. And now all your data are belong to us. LOL!!!!
  • My big concern is HOW did the "nonprofit organization" which gave them to the FBI get them? In my view that's the single most important question.
  • No secret there - any iOS app can harvest this information. In iOS 6, Apple will disallow that, but it has been a public, documented part of the iOS SDK since Day 1.
  • @mrod79 Indeed why should the FBI need these UDIDs? What could you possibly do with those UDIDs? Do I have to change my password? www.iDevizes.com
  • What does this mean for me right now? Should I be changing passwords?
  • No, this is identifying information. For us, it's a privacy issue, not a security issue, at least right now.
  • Think of the UDID as a super-cookie, one that your iPhone sends on every request and that you cannot change, mask, or expire. If somebody knows your UDID, they have no extra ability to get into your account, but they can look at a stream of data and tell which specific requests are coming from *you* individually (or, at least, from your iPhone).
  • I am getting tired of these vigilante hackers. Something needs to be done to stop them.
  • Wouldn't you be more concerned about a) why the FBI has 12 million UDIDs to begin with and b) why they are not being secured properly if they do have them? Does that not even raise a red flag in your mind?
  • No it doesn't because he as an American citizen truly believes that government protects us and everything it does is for the better. So let them (the Gov) have our info and know our every step so we can sleep tight at night.
  • No, something needs to be done to stop the warrant-less collection of data on American citizens!!
  • That's right... Let the FBI, CIA and hell knows who else have your personal info and you wouldn't even know about that. After all these agencies are here to protect us aren't they? what you don't know wont hurt you
  • As much as I'm p.o.'d at them for posting all those UDIDs, they did at least expose some very questionable FBI activities and in the process have raised a lot of questions. 1: Exactly who is this "nonprofit organization" from whom the FBI got this data?
    2: HOW did this nonprofit get the info in the first place?
    3: Who else have they given it to?
    4: Exactly why does the FBI Have this data?
    5: Why is such a high level FBI agent's laptop so easy to hack?
    6: Who else's UDIDs do they have?
  • What is changing your passwords going to do??
  • To paraphrase another article on a related subject, many apps use UDIDs to anonymously identify unique users across apps and browsing sessions and associate them with location, user settings, and ads. UDIDs are also used when registering devices for iOS betas. The use of UDID also sparked controversy over fear that individuals could potentially be identified should enough anonymous data be amassed. Apparently that's been the case here and I found that one of my devices (iPad 3 on Verizon) was leaked.
  • I'm not sure that their point of hacking was to use the iOS user info they got in a malicious way. It sounds like it is more or less a way to show the public what kind of info people have. Why the FBI has this stuff doesn't make much sense. Changing passwords won't do anything.
  • Let this be a succinct wake up call to iPhone users. Just like Android, iOS is vulnerable. Just because you may not have been aware until now doesn't disprove the evidence. I'm not making a Android vs iOS comparison about security. I'm simply pointing out that all computing platforms have inherent vulnerabilities. The only thing you can do against these vigilante hackers is continuously determine how much information you are comfortable having stored on your phone & what developer/apps do with that data. I personally have a ridiculous amount of personal information out there in the wild thx to Google & Apple. Yes Apple data mines their users too. The same rules apply regardless of your chosen platform. Your privacy & personal information is only as valuable as you make it.
  • Even if you have a cheap ass dumbphone that makes only phone calls the Gov still knows your whereabouts, all your info and tracks your every call and your every conversation, looking for specific words and phrases. Hell they can even pinpoint your exact location with just that dumbphone if they need to. That's just the way it is, you can do nothing about it as long as you live in this country. And I'm sure other countries out there have the same system of tracking their citizens.
  • You're right. I was merely attempting to point out that next time you read stories about privacy or hacking of Windows or Android, take a look at what you're holding. It's just as vulnerable. I often tell people as an experiment to go into the phone's settings & disable GPS, background data, & notifications/email. Turn off WiFi & cell radios too. After doing this I tell them to dial 911. They are stunned when the call connects & the operator on the other end can approximate their location to around 150 ft give or take. And by federal law that connectivity cannot be disabled nor does it have to be disclosed. That same system makes tracking your every move & phone call just as easy. The only way it doesn't work is if you pull the battery or it fully discharges. Otherwise you have no privacy on a mobile phone, smart or dumb alike.
  • Absolutely correct. Besides, I'm not even concerned about them having my info. I cannot do anything at this point to protect myself from this type of surveillance (well except for getting rid of all my computers and handhelds for good and never ever using them again) And I'm OK with that. But news like that does raise high concerns as to why these sloppy agents are casually carrying my personal information on their laptops (???) It's almost the same as losing your SS card. I definitely wouldn't want that. I'm just surprised there haven't been any lawsuits against these so called "government agencies"
  • Rene,
    Thanks for the information. As always you guys keep me informed on who is doing what and why I need to be concerned.
  • Now these hackers are going too far.
  • You meant to say the US government right?
  • Why would they do that!???? I hate it!
  • I think some folks may be missing the point by blaming "the hackers" in this particular case. I don't condone what they did (minimum of breaking into an FBI computer) or how they did it, and they most certainly broke the law, but they are not attacking you. The data they released publicly had the names and some other personal data trimmed out. Their stated purpose was to show everyone what data the FBI has on each and every one of us, regardless of motive. I've worked in IT and Security for about 20 years, and the fact that the FBI has this data at their fingertips doesn't surprise me in the least. That the data is treated so casually by the FBI (an unencrypted csv dump on a laptop is the security equivalent of a password on a sticky note) scares me more than anything. I'm not big on scare tactics, but to illustrate Rene's point on this being a privacy issue, I will share: About 15 years ago, I worked for a data analytics company that specialized in pharmaceutical data and targeted sales. Given gender, age, and general location info, our engine could predictively spit out what prescription drugs you used (and therefore what medical problems you had) and what doctor prescribed them, stack ranked by % correlation. The use case was for Pharma companies to target specific doctors for marketing new drugs based on prescription history, but also to target advertisements in certain areas where those doctors worked, so that their patients would ask about the new drug. That's pretty basic, and that was 15 years ago.
  • It is somewhat of a tangent, but this New York Times article on behavior and data analytics is a good introduction for the non-statistician. [ http://nyti.ms/OLeptN ]. The headline is an eye-catching example; via seemingly unrelated shopping data, e.g. spikes in purchasing unscented products, Target could tell a teenager was pregnant before she told her father.
  • Well, I searched the file for my name (since that is my device's name) and nothing came up, woohoo, but I don't have access to iTunes right now to get my UDID to search based on that. But from the looks of it, I'm not in it.
  • The Next Web has a tool for checking your UDID against what was released (safer than clicking on that AntiSec link): http://thenextweb.com/apple/2012/09/04/heres-check-apple-device-udid-com...
  • How do you know that tool isn't phishing your data when you use it?
  • TSA checkpoints, FBI tracking, & Indefinite Detention? Yep, Welcome to America.
  • If not for the hackers either (white hat or black hat) releasing what the gov't is hiding and doing then we would never know about it would we? I don't appreciate having my UDID or other identifiable information kept on me let alone released by hacker groups. Would you rather not know about the level and extent of the US Government's spying on US citizens in the name of security? While we all have nothing to hide we also have an expectation of privacy, or do we . . .
  • The 9/11 scare gave police all the power they could possibly want... the Patriot Act and the rising police state being the two easiest examples.
  • Another Fine example of the lack of a java fix. They need to address this, and stop acting like they do not have problems.
  • Ahhhh what the hell, not like it's a secret anymore.....414-46-5285
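Two of the comments above raise a practical question: one points to a third-party web tool for checking a UDID against the released list, and the next asks how you would know that tool is not simply harvesting the UDIDs typed into it. The example below is added here and is not part of the article or of any commenter's post. It parses a constructed excerpt of a leaked list (the pipe-separated layout UDID|APNS token|device name|device type is an assumption about the release format, and every value is synthetic), checks a device's UDID against it entirely offline, and, for the case where a remote lookup service is unavoidable, shows a prefix query in which the client sends only the first few hex digits of a hash of the UDID and finishes the comparison itself.

```python
"""Added example: check a UDID against a leaked list without handing the UDID
to anyone.  The leak excerpt and its column layout are constructed assumptions."""
import hashlib
import re

# A UDID is a 40-character hexadecimal string (a SHA-1 value); anything else is not one.
UDID_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed excerpt, assumed layout: UDID|APNS token|device name|device type.
# One deliberately malformed line shows that the parser must not trust the dump.
LEAK_SAMPLE = """\
a1b2c3d4e5f60718293a4b5c6d7e8f9011223344|0f1e2d3c4b5a69788796a5b4c3d2e1f00112233445566778899aabbccddeeff0|John's iPhone|iPhone
ffeeddccbbaa99887766554433221100ffeeddcc|00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff|iPad|iPad
not-a-udid|junk|junk|junk
0123456789abcdef0123456789abcdef01234567|ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100|Work iPad|iPad
"""


def parse_leak(text):
    """Return {udid: (device_name, device_type)}, dropping malformed lines instead of trusting them."""
    entries = {}
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) != 4:
            continue
        udid = parts[0].strip().lower()
        if UDID_RE.match(udid):
            entries[udid] = (parts[2].strip(), parts[3].strip())
    return entries


def udid_hash(udid):
    """Normalise (case, whitespace) and SHA-256 a UDID; reject anything that is not one."""
    udid = udid.strip().lower()
    if not UDID_RE.match(udid):
        raise ValueError("expected a 40-character hexadecimal UDID")
    return hashlib.sha256(udid.encode()).hexdigest()


def build_index(entries):
    """Hash every leaked UDID once; lookups then never touch the raw list again."""
    return {udid_hash(u) for u in entries}


def check_local(udid, index):
    """Offline check: the UDID never leaves this machine."""
    return udid_hash(udid) in index


# If a remote checking service is unavoidable, send only a hash prefix.  With a
# 5-hex-digit prefix there are ~1 million buckets, so against a list of 12 million
# entries the service learns roughly which dozen entries you might be, not which one.
PREFIX_LEN = 5


def server_bucket(index, prefix):
    """Server side: every hash suffix in the index that shares the requested prefix."""
    return sorted(h[PREFIX_LEN:] for h in index if h.startswith(prefix))


def check_via_prefix(udid, index):
    """Client side: send the prefix, keep the suffix, and do the final match locally."""
    h = udid_hash(udid)
    prefix, suffix = h[:PREFIX_LEN], h[PREFIX_LEN:]
    return suffix in server_bucket(index, prefix)


if __name__ == "__main__":
    entries = parse_leak(LEAK_SAMPLE)
    index = build_index(entries)
    mine = "A1B2C3D4E5F60718293A4B5C6D7E8F9011223344"   # constructed; as iTunes shows it
    print("parsed rows:", len(entries))
    print("offline match:", check_local(mine, index))
    print("prefix-query match:", check_via_prefix(mine, index))
    print("name in dump:", entries.get(mine.lower()))
```

The offline path is the one to prefer: the released list is static, so there is no reason to send a permanent identifier to a web form to search it. The prefix-query variant is there for services that refuse to publish the full list; even then the service sees a bucket, not a UDID, and nothing it returns can be matched without the suffix the client kept.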