Apple ID code leak 'sourced to US firm BlueToad'

  • Published
BlueToad
Image caption,
BlueToad said it discovered the breach shortly after Antisec published the ID codes

A digital publishing firm has said it believed it was the source of Apple device ID codes posted to the internet.

Hackers who identified themselves as being part of the Antisec movement published more than one million unique device identifiers (UDID) last week.

They claimed the material had come from a laptop belonging to an FBI officer - something the agency denied.

Florida-based firm BlueToad apologised for the leak adding that it thought the risk to iOS users was "very low".

"When we discovered that we were the likely source of the information in question, we immediately reached out to law enforcement to inform them and to co-operate with their ongoing criminal investigation of the parties responsible for the criminal attack and the posting of the information," the firm's chief executive, Paul DeHart, wrote on his company's blog.

The FBI confirmed to Reuters that "it certainly does appear that BlueToad was where the information was actually compromised".

Privacy threat

UDIDs are a unique 40-character string given to iPhones and iPads to help Apple distinguish the machines.

Although it is against Apple's guidelines, some app developers use the codes to identify devices to avoid resorting to usernames and passwords.

If attackers exploited a list of UDIDs and knew which apps used them inappropriately, they could, in theory, compromise users' privacy.

Apple plans to introduce an alternative system and no longer accepts apps in its store that collect the codes.

"With iOS 6 we introduced a new set of APIs [application program interfaces] meant to replace the use of the UDID and will soon be banning the use of UDID," a spokesman told the BBC.

"As an app developer, BlueToad would have access to a user's device information such as UDID, device name and type. Developers do not have access to users' account information, passwords or credit card information, unless a user specifically elects to provide that information to the developer."

Named agent

The Antisec post had suggested a list of 12.4 million UDIDs had been extracted from an FBI agent's laptop along with matching usernames, mobile numbers and other personal details. The group released a file containing one million codes as proof.

Image caption,
Antisec are an offshoot of Anonymous dedicated to highlighting computer security issues

The implication was that the FBI might have been using them to spy on Apple device owners.

The news had the potential to be particularly damaging as the agent named - Christopher Stangl, from the agency's Regional Cyber Action Team - had represented it in public at security conferences.

However, the FBI strongly denied the allegation shortly after it was made, publishing a tweet that read: "We never had the info in question. Bottom Line: TOTALLY FALSE."

Antisec attacked

BlueToad has subsequently added that less than two million Apple device name and UDID codes had been stolen, rather than the claim of 12 million codes and other personal information.

One security expert suggested the news would undermine future claims by Antisec.

"Whatever credibility they had has certainly been damaged by making a claim that appears to be entirely false and having totally misrepresented their abilities," said Rik Ferguson, director of security research at Trend Micro.

"They must have known this would be exposed at some point.

"They had probably hoped that it would only be after the FBI had carried out a longer internal audit to confirm it had not been compromised, resulting in confusion and expense in the meantime."

Related Internet Links

The BBC is not responsible for the content of external sites.