Apple has denied giving any iOS Unique Device Identifiers (UDIDs) to the FBI. The company issued a statement yesterday saying that the FBI had not requested any information from Apple, and that it had not provided any such information to the FBI or any other organisation. The statement comes after Anonymous offshoot AntiSec leaked about one million Apple UDIDs reportedly obtained via a breach of an FBI agent’s laptop.
“The FBI has not requested this information from Apple, nor have we provided it to the FBI or any organization. Additionally, with iOS 6 we introduced a new set of APIs meant to replace the use of the UDID and will soon be banning the use of UDID,” Apple spokeswoman Natalie Kerris told AllThingsD.
The FBI has also stated that it never held the information and that there was “no evidence” to support the hacktivist group’s claims. "At this time there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data," an FBI spokesman said in a statement.
UDIDs are a sequence of letters and numbers assigned to Apple products, such as iPhones or iPads. Many web-based mobile applications and gaming networks use UDIDs to identify users.
If neither Apple nor the FBI is at fault, who is?
In a post explaining the data dump, AntiSec said it removed personal data associated with the UDIDs, such as consumers' names and telephone numbers. "We trimmed out other personal data as, full names, cell numbers, addresses, zipcodes, etc. not all devices have the same amount of personal data linked. some devices contained lot of info. others no more than zipcodes or almost anything. we left those main columns we consider enough to help a significant amount of users to look if their devices are listed there or not. the DevTokens are included for those mobile hackers who could figure out some use from the dataset," the post on a Pastebin dump reads.
In the second week of March this year, AntiSec broke into a Dell Vostro notebook that was being used by Supervisor Special Agent Christopher K. Stangl from the FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team, using the AtomicReferenceArray Java vulnerability. During a shell session, they downloaded some files from one of the folders on Stangl’s desktop, including one called NCFTA_iOS_devices_intel.csv. This file contained data about 12,367,232 Apple iOS devices, including Unique Device Identifiers (UDID), user names, names of the devices, types of the devices, Apple Push Notification Service tokens, zipcodes, cellphone numbers, and addresses.
"If AntiSec and related folks were doing that kind of attack, this would be an upping of the game," said Marc Maiffret, Chief Technology Officer of security firm BeyondTrust. That said, the data dump itself, while serious, would not prove to be very damaging to consumer privacy, he added. "It is not something that is going to allow hackers to break into peoples' iPhones," Maiffret said, adding that the UDIDs appeared to be genuine.