In the world of security professionals, we’re all abuzz about the fact that 1 million Apple devices had their UDIDs leaked by a group called AntiSec. It’s barely news anymore when a hacker makes off with a list of customer information from a poorly protected enterprise, but it’s *definitely* news when an FBI agent’s laptop gets compromised, and we learn it contains (allegedly) more than 12 million device IDs, along with associated personal information. Antisec leaked 1 million of the 12 million after claiming it had removed some identifiable information from the list, but leaking enough for users to see if they were on the list. (Editor’s note: see below for updated information on the alleged source of the leaked data.)
According to AntiSec’s pastebin post:
During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java, during the shell session some files were downloaded from his Desktop folder one of them with the name of “NCFTA_iOS_devices_intel.csv” turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc. the personal details fields referring to people appears many times empty leaving the whole list incompleted on many parts. no other file on the same folder makes mention about this list or its purpose.
Were you on the list?
My i-devices were not on the available list, but that’s no guarantee the FBI doesn’t have my device ID, because less than 10% of the alleged 12 million device IDs have been leaked so far.
You can easily check if you were on the list of tracked devices, thanks to NextWeb.
First, get your UDID:
Step 1: Connect your i-device to your computer.
Step 2: Select your device in i-Tunes.
Step 3: Click on your serial number – it will turn into your DiD
(or follow the screenshot tutorial here.)
Then, enter most of your UDID (not all) into the Next Web free tool:
That’s it! Are you on the list?
If you’re wondering what this has to do with cloud security, my main focus, that’s a good question. Mobile devices are the main access point to the cloud, and smart phones aren’t very smart without the cloud. The line between the two is becoming more and more blurry. I consider my phone to be just another node in the cloud.
Update: A statement by the FBI claims that they were not the source of leaked UDIDs as alleged by AntiSec. While the source of the data is in question, the steps above can still help you pinpoint if your device was compromised.